5 Steps to Creating a HIPAA-Compliant Cyber Attack Contingency Plan
The HHS Office for Civil Rights recommends these steps to develop a cybersecurity contingency plan.
Whether the emergency is an active shooter event, a fire, or a cyber attack, it is vital to have a contingency plan in place before it occurs at your school or hospital.
Contingency plans are mandatory for many organizations, including HIPAA covered entities such as hospitals and their business associates.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic protected health information (ePHI). The rule requires administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of ePHI.
Under the rule’s contingency plan standard, covered entities must create, among other things:
- A disaster recovery plan focused on restoring any loss of protected health data
- An emergency mode operation plan focused on continuing the critical business processes that protect the security of ePHI while operating in emergency mode
- A data backup plan focused on creating and maintaining retrievable exact copies of protected health data so it can be restored in the event of a loss or disruption
1. Make it a formal policy, which provides the authority and guidance needed to develop an effective contingency plan.
2. Classify what is critical, allowing you to prioritize your contingency planning and minimize losses.
3. Categorize risks, threats and preventative controls by performing a risk analysis to identify what has the potential to significantly disrupt or harm your operations and data.
4. Create straightforward guidelines, parameters and procedures that every employee can understand. Knowing what to do in the first hours, days and weeks following a cyber attack is crucial, so the plan must define which types of events trigger its activation and who has the authority to activate it.
5. Operationalize the plan and integrate it into normal business operations. Communicate the roles and responsibilities it assigns to all employees. Test the plan to identify gaps and to raise awareness of it throughout the organization, and review it regularly, particularly after technical, operational, environmental or personnel changes.
As with any emergency preparedness initiative, the key here is to have a plan in place before a cyber attack occurs. For most healthcare organizations, it’s not a matter of if, but when, a cyber attack will occur.
According to Healthcare Dive, 88 percent of all ransomware attacks in the U.S. in 2016 targeted the healthcare industry, and 89 percent of healthcare organizations reported experiencing a data breach in which patient data was stolen or lost over the previous two years.
Here are some additional resources that were either recently provided by the Office for Civil Rights or are available free on Campus Safety: