OCR urges health providers: Draft contingency plan for cyberattacks, now
The U.S. Department of Health and Human Services’ Office for Civil Rights is urging healthcare providers to develop contingency plans in case of cyberattack, according to its March newsletter.
As cyberattacks continue to pummel the healthcare sector and debilitate provider operations, organizations need a backup plan to ensure they can return to daily operations as soon as possible. The right plan will also protect resources and minimize patient inconvenience.
“Contingency plans aren’t just a good idea: Regulations for certain industries require contingency planning,” the report authors wrote. In fact, HIPAA requires healthcare organizations to already have these types of plans in place.
Crucial to this plan are staff assignments, which designate responsibilities to specific employees during recovery. These plans may also include data recovery strategies, how to maintain critical functions during a cyberattack and creating regular backups segmented from the network.
OCR officials also outlined two items to address in these plans: identifying the applications and data that are critical to the contingency plan, and testing the plan and revisiting any areas that need work.
Further, organizations need to make these plans a formal policy to ensure they’re followed by staff during an event.
While not included in this list, it’s also important that providers keep in mind that the FBI, HHS and security leaders all warn against paying a ransom in case of a ransomware attack. Not only is there no guarantee the hacker will return the data, it opens the provider to future attacks.