The Office for Civil Rights (OCR), the entity within the Department of Health and Human Services (HHS) that enforces the Privacy, Security and Breach rules of HIPAA, has released new guidance advising covered entities and business associates on best practices for preventing and reporting cyber attacks.
“Reporting and Monitoring Cyber Threats” advises companies that maintain ePHI (electronic protected health information) to report suspicious activity, including cybersecurity incidents, to the United States Computer Emergency Readiness Team (US-CERT). US-CERT is an organization within the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) that is responsible for analyzing and reducing cyber threats and vulnerabilities.
Under HIPAA (Health Insurance Portability and Accountability Act), entities that maintain ePHI must establish administrative procedures to safeguard such private medical and personal data.
In its guidance, OCR also urges covered entities and business associates to monitor US-CERT’s website regularly for information on new cyber vulnerabilities, or to subscribe to the agency’s Weekly Vulnerability bulletins.