HIT Think

3 security plans in which organizations must have complete confidence

With the number of cyberattacks focusing on healthcare—for purposes ranging from destruction of data to impersonating a physician or other clinician to just taking data—it is truer than ever that a successful attack is only a matter of time.

A common threat is ransomware, which aims to lock an organization out of its data and require payment of a ransom to potentially get full access to that data.

If threats are real and commonplace, what can be done? First of all, taking threats seriously is important. In the past (but hopefully not currently), many organizations would use an argument that they were too small to attract the notice of attackers or that the threat only applied to someone else.

The day of anyone escaping the threat of ransomware is long gone. Organizations ranging from solo physicians to multistate or multinational organizations will all be targeted. From the attackers’ perspective, they send a flood of attacks in the hope that a few will bring a return. The ease of sending out the attack underscores that volume matters more than precision.


If the threat and likelihood of attack are taken seriously and with due caution, what are the steps to make a successful attack as difficult as possible? While it is not necessarily possible to fully detail those efforts, the aim can be summarized by the following—be proactive, educate and train, monitor, and share knowledge.

Even if all of those activities are pursued, it will be impossible to stop all attacks. Unfortunately, all it takes is one error, whether inadvertent or intentional, for the next victim of a cyberattack to be identified. Additionally, the other hard truth is that attackers can be (and likely are) more advanced than the defensive measures. That means even the best cybersecurity plan can result in a compromise.

If an organization must live under the reality that a compromise or breach will occur, then what can be done? HIPAA sets out the basics. The HIPAA Security Rule very clearly requires every covered entity and business associate to have contingency plans in place.

While the elements are a combination of required (must be implemented) and addressable (flexibility in how to implement), the basic steps are arguably the foundation for a robust and detailed response. From that perspective, it is helpful to quote the portion of the HIPAA Security Rule laying out the components of a contingency plan.

“(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain electronic protected health information.

(ii) Implementation Specifications:

(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.”

As the language of the rule demonstrates, contingency planning is built on three required plans: a data backup plan, a disaster recovery plan and an emergency mode operation plan. None of the plans can be said to be less important than the others. In reality, each plan is likely to intersect and overlap with the others to create a comprehensive means of preparing an organization to get back up and running following a cyberattack or other issue.

Despite the HIPAA requirement to have all three plans in place, when a data breach is reported, especially following a ransomware attack, the data backup plan is arguably the most important because it ensures that another copy of the data exists. However, too many organizations are either paying the ransom or shutting down because no backup exists. Even when a backup does exist, the organization may be unable to use it because it never worked out how to roll it out or never tested the restore process.

The second failure lies in the addressable components of contingency planning: checking that the plans actually work, and then assigning a level of criticality to each function to guide the order of restoration. A backup or emergency mode operation plan could look perfect on paper and cover every eventuality, but unless an organization actually knows that the plans will work and how to carry them out, the plans will not accomplish much.
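The restore test that the last two paragraphs call for can be made routine rather than left to the day of the incident. The following Python script is an added example, not code from the article or from HHS: it creates a backup that is a "retrievable exact copy" by embedding a SHA-256 manifest in the archive, restores that archive into a scratch directory (never over the live system), and verifies every restored file against the manifest, so a drill either proves the backup is usable or names exactly which files did not come back intact. The directory layout, file names and manifest format are assumptions, and all sample data is constructed in a temporary directory.

```python
"""Restore drill for a file-level backup: create an exact copy with a hash
manifest, restore it into a scratch directory, and prove the restored files
match byte-for-byte. Added example; not code from the article or from HHS.
All paths and sample files below are constructed in a temporary directory."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumption: manifest travels inside the archive


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large records need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, backup_path: Path) -> dict:
    """Archive source_dir and embed a manifest of relative path -> SHA-256.
    The manifest is what later lets a drill prove the copy is exact."""
    manifest = {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for file in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = file.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(file, arcname=rel)
        blob = json.dumps(manifest, indent=2, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def restore(backup_path: Path, scratch_dir: Path) -> dict:
    """Unpack the archive into scratch_dir (a throwaway location, never the
    production tree) and return the manifest that was stored with it."""
    with tarfile.open(backup_path, "r:gz") as tar:
        try:
            tar.extractall(scratch_dir, filter="data")  # newer Pythons: rejects path traversal
        except TypeError:
            tar.extractall(scratch_dir)  # older interpreters lack the filter argument
    return json.loads((scratch_dir / MANIFEST_NAME).read_text())


def verify_restore(restore_dir: Path, manifest: dict) -> list:
    """Compare every restored file against the manifest. An empty list means
    the restore produced an exact copy; otherwise each entry names a problem."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        target = restore_dir / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def build_sample_source(root: Path) -> Path:
    """Constructed sample data standing in for a small record store."""
    src = root / "ehr_data"
    (src / "records").mkdir(parents=True)
    (src / "records" / "patient_0001.json").write_text('{"id": 1, "note": "sample"}')
    (src / "records" / "patient_0002.json").write_text('{"id": 2, "note": "sample"}')
    (src / "schedule.csv").write_text("date,room\n2019-05-31,A\n")
    return src


def run_drill() -> dict:
    """Full drill: back up, restore to scratch, verify; then damage the
    restored copy and show that verification reports exactly what is wrong."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = build_sample_source(root)
        backup = root / "ehr_backup.tar.gz"
        manifest = create_backup(src, backup)

        scratch = root / "restore_test"
        restored_manifest = restore(backup, scratch)
        clean = verify_restore(scratch, restored_manifest)

        # Simulate a bad restore: one record truncated, one file never restored.
        (scratch / "records" / "patient_0001.json").write_text("{")
        (scratch / "schedule.csv").unlink()
        damaged = verify_restore(scratch, restored_manifest)

        return {
            "files_backed_up": len(manifest),
            "clean_restore_problems": clean,
            "damaged_restore_problems": damaged,
        }


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The point of the drill is the third step, not the first: a backup job that runs nightly without anyone ever restoring from it tells the organization nothing about whether the copy is retrievable. Running this against a scratch directory on a schedule, and treating a non-empty problem list as an incident in its own right, turns the addressable "testing and revision" component into something that is actually exercised.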

Despite the current challenges, hope is most certainly not lost. If, as is suspected, the majority of organizations do want to and are taking security seriously, then it is time to get proactive in that approach. Being proactive means being prepared for every scenario and outcome. As such, make sure that the necessary plans exist, but then regularly test and refine the plans.

As new threats emerge, new nuances should be incorporated into the contingency plans. If the preparation happens, then when the inevitable strikes, an organization will not be caught flat-footed but will be able to both stop an attack and return to normal operations as quickly as possible.
