Increasingly, patient medical records are becoming vulnerable to cyberattacks. Now the Department of Health and Human Services, Office for Civil Rights (OCR) has issued a plan that will serve as guidelines to organizations covered by HIPAA on what should be included in their contingency plans in preparing for cyberattacks.
“Contingency plans are critical to protecting the availability, integrity, and security of data during unexpected adverse events,” notes the OCR statement. Contingency plans are not just for fires and floods but now include how to react to cyberattacks. Cyberattacks using malicious software such as ransomware may cause an organization’s data to be unreadable or unusable. According to OCR, if data is harmed due to a cyberattack, restoring the data from backups may be the only option to recover the data and restore normal business operations.
OCR has issued this warning: “Contingency plans aren’t just a good idea; regulations for certain industries require contingency planning. For example, the HIPAA Security Rule requires that HIPAA covered entities and business associates establish and implement a contingency plan.” It might be a good idea for organizations and practitioners to check out the full text of the OCR announcements. Here are the main guidelines of the plan.
• Make it Policy: A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
• Identify What Is Critical: Knowing what systems and data are critical to operations will help prioritize contingency planning and minimize losses.
• Identify Risks, Threats and Preventative Controls: Perform a risk analysis to identify the various risks that your business may face. What has the potential to significantly disrupt or harm your operations and data?
• Contingency Plans & Risk Analysis: The need for contingency plans appears as a result of a thorough and accurate analysis of the risks that your organization faces. The end result of a risk analysis can provide a list of potential threats, risks, and preventative controls. Prioritization of critical systems and information will help identify where to focus planning efforts.
• Create Contingency Procedures: Establish the specific guidelines, parameters, and procedures when enacting the contingency plan and for the recovery of systems and data.
OCR goes on to remind affected firms and individuals, “Establish a testing (exercise) schedule for the plan, to identify gaps and ensure updates for plan effectiveness and increase organizational awareness.” It adds that it is imperative to go over the plan regularly and situationally when there are technical, operational, environmental, or personnel changes in the organization. The Food & Drug Administration and the Federal Trade Commission have issued guidelines on which kinds of medical “entities” and device marketers may be subject to HIPAA.