Establishing and maintaining effective systems to protect sensitive personal data and confidential business information from outside interference, while also assuring that privacy interests are protected, is among an organization’s highest priorities. Our security and privacy team at Epstein Becker & Green has written extensively about the guidance and best practices issued by federal and state regulatory and enforcement agencies. Executing, monitoring and continually updating these preventive practices defines an organization’s first line of defense. But what happens in the event that an organization actually suffers a breach? Is there guidance available, particularly to healthcare organizations, for business continuity and disaster recovery (BC/DR) planning directed towards assuring resilience and recovery in the event of a potentially disastrous cyberattack?
Recently, the Healthcare and Public Health Sector Coordinating Council (HPHSCC) released an Operational Continuity-Cyber Incident (OCCI) checklist to help healthcare organizations preserve operational continuity while recovering from a cyberattack. This guidance comes at a critical time of increasing cybersecurity risk to U.S.-based healthcare institutions. Indeed, a dramatic uptick in attacks exploiting zero-day vulnerabilities, and in ransomware in particular, coupled with the increased cost of recovering from cyberattacks, underscores that resiliency, continuity and disaster planning are now more important than ever. Nevertheless, while it is clear that in the healthcare arena “an ounce of prevention” may be worth “a pound of cure”, many organizations still struggle with how to implement or update their contingency plans.
Growing Cyber Risk in the Wake of the Russia-Ukraine Conflict
Over the past few years, the Cybersecurity and Infrastructure Security Agency (CISA) has tracked the activities of malicious hackers and has found that healthcare and public health increasingly have become prime targets of cyberattacks involving malware (most often, ransomware), data theft, and the disruption of healthcare services. While we have described this enhanced risk previously, the ongoing Russian invasion of Ukraine, and its regional and world economic effect, has, according to CISA just last month, exposed organizations to even greater increases in attacks from state-controlled cyber actors. The American Hospital Association echoed the need for healthcare organizations to take extra precautions in light of this magnified threat.
Detrimental Impacts on Healthcare Organizations
It is a truism that cyberattacks can cause significant operational disruption, financial stress, and even patient harm. Recent experience highlights the fact that the risk of these damaging outcomes has been enhanced by the healthcare sector’s increasing reliance on digital infrastructure and solutions. Many healthcare organizations have implemented specialized and interconnected information technology systems that include electronic health records, e-prescribing solutions, practice management tools, and clinical decision support algorithms, any of which might be vulnerable to a cybersecurity attack. Technology system vulnerability has been magnified during the COVID-19 pandemic, which has greatly stimulated healthcare organizations to embrace the Internet of Things and deploy remote monitoring solutions that are also vulnerable to attack.
Healthcare Security Regulations Provide Limited Guidance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides a helpful launching point for healthcare organizations to build out their contingency, resilience and recovery policies and procedures. Indeed, such planning is mandated by the HIPAA Security Rule’s contingency plan standard (45 CFR § 164.308(a)(7)), which is aimed at ensuring that healthcare organizations take steps to safeguard the confidentiality, integrity, and availability of the organization’s Protected Health Information as they expeditiously recover from an attack. Organizations seeking to develop these plans also would benefit from implementing the “Recognized Security Practices” referenced in the 2021 amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act. As we previously have described, the HITECH Act amendment directs the Department of Health and Human Services to “consider certain recognized security practices of covered entities and business associates when making certain determinations” regarding fines, audit results, or other remedies for resolving potential violations of HIPAA. The adoption of these best practices provides an actionable incentive to healthcare organizations.
The OCCI checklist is designed “to provide a flexible template for operational staff and executive management to respond to and recover from an extended enterprise outage due to a serious cyberattack”. The checklist has value to organizations of all sizes and complexity, whether a small physician group, a regional urgent care clinic, or a national hospital system. To serve these diverse entities, the checklist is separated into ten role-based modules that align with the Incident Command System, while also allowing an organization to refine or modify a module to align with the organization’s size, resources, and capabilities. These role-based modules describe the leadership functions required during the initial twelve hours following a cybersecurity incident:
- Incident Commander, who provides overall strategic direction on all site-specific response actions and activities.
- Medical-Technical Specialist (Subject Matter Expert/Advisor), who advises the Incident Commander or Section Chief on issues related to response; and provides understanding and communicates specific impact and recommendations given their area of expertise.
- Public Information Officer, who serves as the conduit for information to internal and external stakeholders, including site personnel, visitors and families, and the news media, as approved by Cybersecurity, the IS/IT Section Chief and the Incident Commander.
- Liaison, who coordinates external partner communication with the Public Information Officer, the Medical-Technical Specialist, and the IS/IT Section Chief.
- Safety Officer, who identifies, monitors, and mitigates safety risks to patients, staff, and visitors during a prolonged large-scale outage.
- Operations Section Chief, who develops and recommends strategies and tactics to continue clinical and non-clinical operations for the duration of the incident response and for recovery.
- Planning Section Chief, who oversees all incident related documentation regarding incident operations and resource management; initiates long range planning; conducts planning meetings; and prepares the Incident Action Plan for each operational period.
- Finance Section Chief, who monitors the utilization of financial assets and the accounting for financial expenditures; and supervises the documentation of expenditures and cost reimbursement activities.
- Logistics Section Chief, who organizes and directs the service and support activities needed to ensure that the material needs for the site’s response to an incident are available when needed.
- Intelligence (IS/IT) Section Chief, who provides technical response, continuity, and recovery recommendations; partners with cybersecurity to inform incident response decisions and activities; and coordinates intelligence and investigation efforts.
Attorneys with Epstein Becker & Green’s Privacy, Cybersecurity & Data Asset Management Group are well-positioned to assist organizations of all sizes through the entire lifecycle of BC/DR policy development, implementation, and response. For additional information about the issues discussed above, or if you have any other privacy, cybersecurity, and data asset management concerns, please contact the Epstein Becker & Green attorney who regularly handles your legal matters, or one of the authors of this blog post.