How prepared are you for a cyberattack?

August 26, 2022
From the October 2022 issue of HealthCare Business News magazine

Cyber security standard IEC 80001-1 is a useful tool for any clinic, group practice, or hospital bringing on new remote capacities and technologies. The standard offers a specific but flexible framework for risk management of IT-networks incorporating medical devices, prompting hospitals to drill down and define the roles, responsibilities, and activities associated with each technology.

3. How comprehensive is your disaster recovery plan?
The Health Insurance Portability and Accountability Act (HIPAA) requires that every healthcare organization in the country have a disaster recovery plan in place. All of these plans pay at least some attention to the risk of a cybersecurity attack or data breach alongside other sources of system downtime or outage.

The quality of these plans—and how effectively they are implemented—will vary from institution to institution. Lisa Pino, Director of the Office for Civil Rights at the Department of Health and Human Services, has urged healthcare organizations to improve the swiftness of their recovery by broadening their view of disaster: “All too often,” she writes, “we see that risk analyses only cover the electronic health record. I cannot underscore enough the importance of enterprise-wide risk analysis.”

4. Who knows about the plan? How will you communicate with patients and staff if an attack occurs?
In addition to understanding the likeliest targets of ransomware or the possible vectors of a denial-of-service attack, organizations will need to identify the backup or alternative systems they’ll turn to if those threats materialize. This aspect of planning must also include strategies for communication. IT staff can use the criticality matrix and disaster recovery plan to chart out their priorities in terms of system recovery, but facility leaders will need to determine what physician and patient users need to know about why a system is down—and exactly what to do (fall back on paper-based systems? Access a portal via a different web address?) until it’s back up and running.

5. Is your organization prepared to act together to move past a breach?
In dealing with a ransomware or other cyberattack, one of the most frequent pitfalls is a lack of staff coordination and patience.

Any appropriate, comprehensive disaster recovery plan will specify that the organization’s insurance carrier be contacted immediately in the event of an attack. (The insurance policy will also specify this outreach as a provision of its coverage.) The insurance carrier will assign a professional incident commander to the organization. That commander and his or her team should become the hub of all system recovery activity.
