OCR issues guidance on reporting suspicious cyber activity
Covered entities (CEs) and business associates (BAs) should report any suspicious cyber activity, including malware, phishing, or other cybersecurity incidents, to the United States Computer Emergency Readiness Team (US-CERT), the Office for Civil Rights (OCR) said in guidance released February 23.
The guidance was released in response to the increase in cyberattacks against healthcare organizations. Sharing information, particularly with organizations such as US-CERT, is key to preventing and mitigating security incidents, OCR said. Organizations can use US-CERT’s secure form to report suspicious cyber activity. CEs and BAs should also check the US-CERT website for information on known security vulnerabilities, risks, patches, and mitigations.
Reports should include technical information but should not include protected health information, OCR said. Some CEs and BAs may hesitate to share information out of concern that it may expose sensitive business and security information, but the report does not need to include information on intellectual property, specific security controls, or other sensitive business information, Diana Kelley, global executive security advisor at IBM Security in New York, told Briefings on HIPAA in November 2016. CEs and BAs should include only the relevant information specified in the report, such as the date and time of the incident or the general content of a phishing email.