Preparing for the Worst, or the New Inevitable

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure#HCdeJure

With the number of cyberattacks focusing on healthcare for purposes ranging from destruction of data to impersonating a physician or other clinician to just taking data, it is truer than ever that a successful attack is only a matter of time. A common threat is ransomware. As should be well known at this point in time, a ransomware attack will lock an organization out of its data and require payment of a ransom to potentially get full access to that data back.

If threats are real and commonplace, what can be done? First of all, taking threats seriously is important. In the past (but hopefully not currently), many organizations would use an argument that they were too small to attract the notice of attackers or that the threat only applied to someone else. The day of anyone escaping the threat of ransomware is long gone. Organizations from solo physicians to multi-state or multinational organizations will all be targeted. From the attackers perspective, a flood of attacks will be sent with the hope that a few will bring a return. The ease of sending out the attack underscores the nature of volume over quantity. For a twisted sense of humor, the cyberattacks arguably mimic the healthcare system’s perspective of making money under fee for service.

If the threat and likelihood of attack are taken seriously and with due caution, what are the steps to make a successful attack as difficult as possible? While it is not necessarily possible to fully detail those efforts, the aim can be summarized by the following: be proactive, educate and train, monitor, and share knowledge. Even if all of those activities are pursued, it will be impossible to stop all attacks. Unfortunately, all it takes is one error, whether inadvertent or intentional, for the next victim of a cyberattack to be identified. Additionally, the other hard truth is that attackers can be (and likely are) more advanced than the defensive measures. That means even the best cybersecurity plan can result in a compromise.

If an organization must live under the reality that a compromise or breach will occur, then what can be done? As should be known, HIPAA sets out the basics of what to do. The HIPAA Security Rule very clearly requires every covered entity and business associate to have contingency plans in place. While the elements are a combination of required (must be implemented) and addressable (flexibility in how to implement), the basic steps are arguably the foundation for a robust and detailed response. From that perspective, it is helpful to quote the portion of the HIPAA Security Rule laying out the components of a contingency plan:

“(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

(ii) Implementation Specifications:

(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.”

As the language of the rule demonstrates, the contingency planning is really compromised of three parts: a data backup plan, a disaster recovery plan, and an emergency mode operation plan. It cannot be said that any of the plans are less important than the others. In reality, each plan will also likely intersect and overlap with the other in order to create a comprehensive means of preparing an organization to get back up and running following a cyberattack or other issue.

Despite the HIPAA requirement to have all three plans in place, when a data breach is reported, especially following a ransomware attack, it is not clear that even any of the plans have been implemented. In the case of a ransomware attack, the data backup plan would arguably be the most important since it ensures another copy of the data exists, but too many practices are either paying the ransom or shutting down because the backup is not there. If the backup is there, the possibility also exists that the organization cannot use the backup because it never determined how to roll it out or tested.

The second failure goes to the addressable components of contingency planning: specifically testing to make sure that those plans actually work and then assigning a level of criticality to each function to guide the order of restoration. A backup or emergency operation plan could look perfect on paper and cover every eventuality, but unless an organization actually knows the plans will work and how to implement the plans, then the plans will not do too much.

Despite the current challenges, hope is most certainly not lost. If, as is suspected, the majority of organizations do want to and are taking security seriously, then it is time to get proactive in that approach. Being proactive means being prepared for every scenario and outcome. As such, make sure that the necessary plans exist, but then regularly test and refine the plans. As new threats emerge, new nuances should be incorporated into the contingency plans. If the preparation happens, then when the inevitable strikes, an organization will not be caught flatfooted but will be able to both stop an attack and return to normal operations as quickly as it can.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.