HHS Office of the Assistant Secretary for Preparedness and Response Issues Series of Cybersecurity Updates in Response to WannaCry Attack

Robinson+Cole Data Privacy + Security Insider

In response to the WannaCry ransomware attack that infiltrated the computer systems of health care systems and other entities worldwide on or around May 12, 2017 (previously discussed here), HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) issued a series of updates to provide consumers and potentially affected organizations with information on the attack and to detail HHS’ efforts to mitigate the harmful effects of the attack on government computer systems and health care organizations.

In five successive updates issued between May 13 and May 17, ASPR provided links to the most up-to-date information from the U.S. government on cyber threats (including from the US-CERT Cyber Awareness System, the FBI, and HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC)), and solicited information on new attack vectors and on any impact the attack may have had on patient care or supply chain distribution.

For organizations that qualify as covered entities under HIPAA, ASPR’s guidance reminded such entities that OCR presumes a breach in the event of a ransomware attack affecting unencrypted PHI (as set forth in its previous ransomware guidance, discussed here), and that breaches caused by ransomware attacks must be reported to OCR in accordance with the Breach Notification Rule (even if an entity separately reports the attack to law enforcement or to a separate division within HHS). Additionally, ASPR guided potentially affected entities to an FAQ issued by OCR in September 2016, which in pertinent part provides that covered entities may not disclose PHI for purposes of cybersecurity information-sharing of cyber threat indicators. As a result, covered entities seeking to report cyber threat indicators related to WannaCry or a future ransomware attack would be well advised to remove PHI from any such reports.

In its final update, the ASPR set forth a mechanism for submission of “After Action” thoughts and comments regarding the government’s response to the WannaCry attack, and shared information on processes for victim reporting and cyber threat indicator sharing.  ASPR also provided information in the form of FAQs on the FDA’s oversight of medical devices in the context of cybersecurity (with related guidance available here).

ASPR’s updates are available at the following links: #1, #2, #3, #4, and #5.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
