Cyberattack Contingency Plans are Critical, OCR Says
“Contingency plans are critical to protecting the availability, integrity, and security of data during unexpected adverse events,” OCR states in the newsletter. Providers’ contingency plans for how they would respond to a disruption and eventually return to normal daily operations should treat cyberattacks as a scenario alongside circumstances such as natural disasters. For example, if a ransomware attack renders the organization’s data unreadable, having properly maintained data backups available is the only reliable option for recovering and restoring access to that data, since paying the attacker does not guarantee that the data will be released.
A contingency plan is not only a best practice: according to OCR, the HIPAA Security Rule requires HIPAA-covered entities and business associates to establish and implement one. The newsletter outlines some basic required components of a HIPAA-compliant contingency plan:
- A disaster recovery plan that focuses on restoring protected health data
- An emergency mode operation plan (continuity of operations) that keeps running the critical business processes that protect health data while the emergency is ongoing
- A data backup plan for regularly copying protected health data so it can be restored if needed
The full newsletter contains more contingency planning tips and strategies.
Sarah Sheber is assistant editor/web editor at the Journal of AHIMA.