5 Steps to Creating a HIPAA-Compliant Cyber Attack Contingency Plan

In any emergency, whether it be an active shooter event, fire, or cyber attack, it is vital to have a contingency plan should an unforeseen event occur at your school or hospital.

Contingency plans are required for many organizations, such as HIPAA-covered hospitals and business associates.

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information (ePHI). The rule requires administrative, physical and technical safeguards to ensure confidentiality, integrity and security of ePHI.

Under the rule, hospitals must create, among other things:

• A disaster discovery plan focused on restoring protected health data
• An emergency mode operation plan focused on maintaining and protecting critical functions that protect the security of health data
• A data backup plan focused on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights recently recommended the following five steps to create a contingency plan for a cyber attack:

1. Make it a formal policy, which provides the authority and guidance needed to develop an effective contingency plan.

2. Classify what is critical, allowing you to prioritize your contingency planning and minimize losses.

3. Categorize risks, threats and preventative controls by performing a risk analysis to identify what has the potential to significantly disrupt or harm your operations and data.

4. Be sure to create straightforward guidelines, parameters and procedures that are easy for all employees to comprehend. Knowing what to do in the first hours, days and weeks following a cyber attack is crucial and establishing what type of event will cause the activation of the contingency plan and who has the authority to activate it is key.

5. Operationalize and integrate the plan into normal business operations. It is vital to communicate roles and responsibilities within the plan to all employees. Be sure to test your plan in order to identify gaps and to increase awareness of the plan throughout your entire organization. Additionally, be sure to regularly review the plan, particularly when there are technical, operational, environmental or personnel changes.

As with any emergency preparedness initiative, the key here is to have a plan in place before a cyber attack occurs. For most healthcare organizations, it’s not a matter of if, but when, a cyber attack will occur.

According to Healthcare Drive, 88 percent of all ransomware attacks in the U.S. in 2016 were in the healthcare industry. Another 89 percent reported experiencing a data breach, which involved patient data being stolen or lost, over the last two years.

Here are some additional resources that were either recently provided by the Office for Civil Rights or available free on Campus Safety:

• Security Standards: Administrative Safeguards
• The HIPAA-HITECH Overlap
• National Institute of Standards and Technology Contingency Planning
• Contingency Planning for Federal Information Systems
• A Look at The HITECH Act’s Impact on Healthcare
• 3 Steps to Meet HIPAA Breach Notification Requirements

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Related Content

UPDATE: Ransomware Group Leaks Change Healthcare Data

Keycard Hack Can Open Hotel Guest Rooms

Hanwha Vision America to Feature AI Solutions at ISC West 2024

HHS Urges Quick ID and Implementation of Solutions to Change Healthcare Ransomware Debacle