HIPAA Incident Response Services
Millions of people entrust healthcare organizations with their most personal information. When a security incident or data breach occurs, our team responds swiftly to ensure a quick recovery and complete HIPAA compliance.
A data breach for any company is a disruptive and potentially crippling event, but for businesses in highly regulated industries like healthcare, the ramifications can be devastating. The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, is a set of guidelines healthcare providers and their business associates must follow to protect sensitive client information. Failure to do so, as is often the case when cybercriminals gain access to critical IT infrastructure, can result in hefty financial penalties and potentially damaging public disclosures if the incident is not responded to properly.
If you’re a HIPAA-covered entity or business associate and you suspect that your organization is the victim of a security incident or data breach, contact us right away. A swift response to a suspected breach is the only prudent course of action to take, and that’s where we excel. Our digital forensics investigators determine the sequence of events that led to the incident or breach and the PHI that was or was not exposed or acquired. We then present our findings and work with legal counsel to satisfy legal and regulatory obligations under HIPAA.
HIPAA Security Incident Definition
A HIPAA security incident is any situation in which unauthorized access to electronic protected health information (ePHI) is attempted, whether intentionally or unintentionally, whether internally or externally. If the attempt is successful, it is elevated to a HIPAA data breach with potentially severe consequences.
Talk with our HIPAA Incident Response Investigators
Don’t delay. If you believe that a HIPAA security incident or even a data breach has occurred, contact one of our experts today for a consultation.
Or call our forensic investigation specialists today at 608-287-3377 for an immediate one-on-one consultation
Security Incident vs. Data Breach: What’s the difference?
What Constitutes a HIPAA Security Incident?
A HIPAA security incident is any situation in which unauthorized access to PHI is attempted, whether or not the attempt is successful. For example, a hacker remotely accessing your network using credentials gleaned from a phishing email sent to one of your employees is a HIPAA security incident; even if the hacker fails to pull off their intrusion and doesn’t access any ePHI (say, for example, because the affected employee realized what had happened right away and changed their access credentials before the hacker could make use of them), the unsuccessful attempt still counts as a HIPAA security incident.
What Constitutes a HIPAA Data Breach?
A HIPAA data breach is the actual successful unauthorized access, use, modification, or disclosure of PHI. This is far more severe than a mere security incident, and all HIPAA-covered entities and business associates must provide notification to affected parties unless it can be proven that a breach did not occur. There are fines associated with HIPAA data breaches that vary depending on the severity of the breach. In addition, depending on the size of the breach, it may be necessary to notify media outlets so that they may inform the general public.
A HIPAA security incident is a wake-up call. Any HIPAA security incident might be a HIPAA breach, so in the interest of safety, every security incident should be presumed to be a breach until proven otherwise. Your most pressing concern as soon as you become aware of the incident is to fully confirm that the event is no longer ongoing, then investigate to confirm that no PHI has been accessed. If you find that a security incident has occurred, but no PHI has been disclosed to unauthorized parties, your response is to take measures that will prevent or lessen the probability of such events occurring in the future.
Is Ransomware a HIPAA Breach?
The relationship between HIPAA and ransomware is a complex one, and there isn’t an easy, black-and-white answer to the question of whether or not ransomware attacks always qualify as HIPAA breaches. The confusion stems from the fact that ransomware attacks aren’t always like normal intrusions by cybercriminals. There can be much more than meets the eye in a HIPAA ransomware incident, which makes a speedy response to the incident even more critical. Sometimes the actual ransomware virus itself, like other forms of malware such as spyware and cryptojacking software, is only the tip of the iceberg.
HIPAA Data Breach Notification
No organization wants the negative PR associated with being the victim of a cyber-attack that results in the exposure of PHI. However, regulations regarding data breaches make it a necessity to notify the affected individuals, the authorities (occasionally on both the state and federal level), and in some cases the media when PHI has been accessed by or disclosed to unauthorized entities.
The US Department of Health and Human Services has strict and well-defined rules regarding HIPAA breach notifications. Notices to individuals whose PHI has been compromised by the breach must be sent “without unreasonable delay and in no case later than 60 days following the discovery of a breach.” If the breach affects more than 500 residents of a State or jurisdiction, notice must be provided to “prominent media outlets serving the State or jurisdiction,” as well as the HHS Secretary, within 60 days as well. Due to the complexity of the HIPAA guidelines, it is important to engage legal counsel immediately upon learning of a HIPAA security incident. Your legal team will help guide you through the process and ensure that you respond properly and in accordance with the guidelines dictated by HIPAA.