The state Department of Health (DOH) has revised its letter and Frequently Asked Questions (FAQs) on the process for providers to report a cybersecurity event.
According to this notice, providers who have experienced a cybersecurity incident are required to apprise their DOH Regional Office.
Reportable cybersecurity incidents include any event that affects patient care or represents a serious threat to patient safety, such as intrusions aimed at theft of protected health records. Examples include: information technology intrusions, ransomware attacks, as well as attacks on file transfer systems or data reporting interfaces that can spread through established connections with other networks or government systems.
Provider staff should follow their established internal policies and procedures for alerting their central IT/information security staff or IT vendor. The incident should be validated before reporting to the DOH Regional Office within 24 hours of confirming that a credible incident has occurred.
