4 Steps Physician Groups Need to Take After a Cyber Breach

1. Execute Incident Response and Contingency Plan

This response plan should be a designed set of instructions to help physician groups prepare for, detect, respond to, and recover from cyber-related incidents. These plans are primarily technology driven and address malware detection, data theft, service outages, and address departments such as HR, finance, and customer service, and a “who does what and when” plan.

2. Report the Crime to the Appropriate Law Enforcement

This may include state or local law enforcement, the FBI, or the Secret Service. Swift reporting can help facilitate the recovery of lost funds. Reports should not include PHI unless otherwise permitted under HIPAA.

3. Report all Cyber Threat Indicators to Federal and Information-Sharing and Analysis Organizations

Ex. Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private sector cyber threat ISAOs.

4. Report the Breach to Affected Patients and to the Office for Civil Rights (OCR) as Soon as Possible

If the breach affects 500 or more patients, the practice must notify affected patients, OCR, and the media no later than 60 days after discovery of the breach unless law enforcement has requested a delay in reporting. If the cyber breach has affected fewer than 500 patients, the practice must notify the affected individuals without unreasonable delay, but no later than 60 days after discovery of the breach, and notify OCR within 60 days after the end of the calendar year in which the breach was discovered.