Cyberattack Contingency Plans are Critical, OCR Says
With cyberattack a looming threat that continues to grow and cast its shadow over the healthcare industry, having a contingency plan in place for such an event is essential, according to the March 2018 newsletter from the Department of Health and Human Services’ Office for Civil Rights (OCR) titled “Plan A… B… Contingency Plan!”
“Contingency plans are critical to protecting the availability, integrity, and security of data during unexpected adverse events,” OCR states in the newsletter. Providers’ contingency plans for how they would respond and eventually return to normal daily operations should take cyberattack into consideration right alongside circumstances such as natural disasters. For example, in the event a ransomware attack renders the organization’s data unreadable, having properly maintained data backups available is the only reliable option for recovering and restoring access to that data, since paying the attacker is not a guarantee that they will release the data an organization needs.
In addition to being a best practice, the HIPAA Security Rule requires that HIPAA-covered entities and business associates establish and implement a contingency plan, according to OCR. The newsletter outlines some basic required aspects of a HIPAA-compliant contingency plan:
- A disaster recovery plan that focuses on restoring protected health data
- An emergency mode operation plan (continuity of operations) that maintains and protects critical functions that protect health data
- A data backup plan for regularly copying protected health data so it can be restored if needed
The newsletter goes on to note that organizations should identify which applications and data are critical for contingency plans, and that contingency plans should be tested and revised accordingly if deficiencies are determined.
Click here to read the full newsletter for more contingency planning tips and strategies.
Sarah Sheber is assistant editor/web editor at the Journal of AHIMA.