OCR Recommends That All Agencies Evaluate Their Cybersecurity Response Capabilities

Posted on Friday, October 14, 2016 7:57 PM

The HHS Office for Civil Rights (OCR) has recommended that all agencies and other entities indicate whether they are capable of responding to a cybersecurity incident. Agencies that do not follow these steps to secure electronic patient information will most likely be in violation of HIPAA.

According to a recent survey, 43% of respondents lacked formal cybersecurity incident-response plans and procedures. The survey also found that 61% of respondents have dealt with a data breach in the past two years.

The guidance includes the following recommendations for covered entities and business associates:
• Have an incident-response plan
• Make sure the incident-response policies and plans are approved by management and reviewed annually
• Include processes that prepare for cybersecurity incidents
• Build relationships and lines of communication
• Staff the incident-response team with people who have the skillsets
• Train staff to “be effective in their roles”

The following steps are available to help protect your agency:
• Protect your electronic patient information
• Develop policies and procedures to address cybersecurity
• Review your cybersecurity response policies, plans and procedures annually
• Ask your electronic health record and other health IT vendors about the cybersecurity capabilities of their systems
• Understand what OCR considers a security incident
• Document all of your plans, policies and procedures
• Use free or easily available resources when you can
• Make sure your business associates have cybersecurity protections in place

For the full article, please see the October 17, 2016 Home Health Line Edition.
