OCR urges health providers: Draft contingency plan for cyberattacks, now

In the wake of an onslaught of cyberattacks, the agency is reminding providers that HIPAA requires organizations to have a plan to keep patient data protected.
By Jessica Davis
02:48 PM
HHS warns of cyberattacks

The U.S. Department of Health and Human Services’ Office for Civil Rights is urging healthcare providers to develop contingency plans in case of cyberattack, according to its March newsletter.

As cyberattacks continue to pummel the healthcare sector and debilitate provider operations, organizations need a backup plan to ensure they can return to daily operations as soon as possible. The right plan will also protect resources and minimize patient inconvenience.

“Contingency plans aren’t just a good idea: Regulations for certain industries require contingency planning,” the report authors wrote. In fact, HIPAA requires healthcare organizations to already have these types of plans in place.

[Also: OCR investigating Banner Health for 2016 breach of 3.7 million patient records]

Crucial to this plan are staff assignments, which designate responsibilities to specific employees during recovery. These plans may also include data recovery strategies, how to maintain critical functions during a cyberattack and creating regular backups segmented from the network.

OCR officials also outlined two items to address in these plans: identifying the applications and data that are critical to the contingency plan, and testing the plan and revisiting any areas that need work.

Further, organizations need to make these plans a formal policy to ensure they’re followed by staff during an event.

While not included in this list, it’s also important that providers keep in mind that the FBI, HHS and security leaders all warn against paying a ransom in case of a ransomware attack. Not only is there no guarantee the hacker will return the data, it opens the provider to future attacks.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com