The Office for Civil Rights (OCR) recently released guidance entitled “My Entity Just Experienced a Cyber-attack! What Do We Do Now?”

The Checklist is a practical tool for health care entities and outlines several steps to take following a cyber-attack.

According to the Checklist, in the event of a cyber-attack or similar emergency, an entity:

  • Must execute its response and mitigation procedures and contingency plans
  • Should report the crime to law enforcement agencies
  • Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs)
  • Must report breaches to OCR as soon as possible, but no later than 60 days after the discovery of a breach

Of course, there are more steps to take before, during and after a cyber-attack; these are the bare minimum. Nonetheless, any time OCR issues guidance, it is worth a read.