Establishing Your Practice's Cybersecurity Contingency Plan
If a healthcare organization wants to be considered HIPAA-compliant, it must meet the Security Rule's strict standards for protecting protected health information (PHI). One of those standards is having an efficient, well-rounded cybersecurity contingency plan. Given the seemingly never-ending rounds of cyberattacks, phishing attempts, and hacking, it is no surprise that having such a plan in place is of paramount importance.
But how should your practice go about establishing a cybersecurity contingency plan?
According to industry experts, addressing the following components will help your organization lay a stable base for such a plan: data backup, data recovery, emergency mode plans, and testing and revision procedures.
Data Backup
Per HIPAA regulations, every practice is required to have a data backup plan. Assessing the following components will help ensure that yours is as robust as possible:
- What data to back up: Practices should consider backing up relevant data beyond what lives inside the EHR. Claims data, benchmarking or quality reporting data, and practice personnel data come to mind.
- What type of storage to employ: Even though cloud-based EHR systems are prevalent in today’s modern age, having a physical, tangible copy of important data remains important. For smaller practices, something as simple as a fireproof safe or bank lockbox can be options, while larger organizations may find it necessary to shell out the funds for a vendor to come in and store data off-site.
- What type of backup to employ: There are four types: full (everything as it exists on the system at a specific point in time), incremental (only the changes since the last backup of any type), differential (all changes since the last full backup), and mirror (an exact, current copy of the source that overwrites the previous copy). A combination of the four is often the best route to take.
- How often data should be backed up: Dictated by a practice's size and the amount of data it handles, common schedules include quarterly, monthly, weekly, daily, or even several times a day.
Additionally, storing backup data in the cloud allows for automatic data transfer, lessening the chance of staff stress or user error when it comes to transmitting data.
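The four backup types differ in two ways that matter when you actually have to restore: how much they store, and how many backup sets must be applied to rebuild a given day. The following simulation is an added example (not code from the original article) that models a practice's files as a dictionary of path to content over four constructed days, produces the backup set each strategy would take, and computes the restore chain for each. The file names and version strings are constructed sample data; the model ignores deletions, which is a real limitation of naive incremental schemes.

```python
"""Backup strategy simulation: full, incremental, differential and mirror.

Added example for illustration. A 'file system' is a dict {path: content};
each day's state below is constructed sample data, not real practice data.
"""

# Constructed sample: the practice's files on four consecutive days.
DAYS = [
    {"ehr/patients.db": "v1", "claims/2024-q1.csv": "v1", "staff/roster.xlsx": "v1"},
    {"ehr/patients.db": "v2", "claims/2024-q1.csv": "v1", "staff/roster.xlsx": "v1"},
    {"ehr/patients.db": "v2", "claims/2024-q1.csv": "v2", "staff/roster.xlsx": "v1"},
    {"ehr/patients.db": "v3", "claims/2024-q1.csv": "v2", "staff/roster.xlsx": "v1",
     "quality/mips.json": "v1"},
]

STRATEGIES = ("full", "incremental", "differential", "mirror")


def changed_since(current, baseline):
    """Files in `current` that are new or modified relative to `baseline`.
    Note: files deleted from `current` are not reported (model limitation)."""
    return {p: c for p, c in current.items() if baseline.get(p) != c}


def plan(days, strategy):
    """One backup set per day for `strategy`. Day 0 is always a full copy,
    because an incremental or differential set needs something to be relative to."""
    sets = []
    for i, state in enumerate(days):
        if i == 0 or strategy in ("full", "mirror"):
            sets.append(dict(state))                          # complete copy
        elif strategy == "incremental":
            sets.append(changed_since(state, days[i - 1]))    # since previous backup
        elif strategy == "differential":
            sets.append(changed_since(state, days[0]))        # since last full backup
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets


def retained_sets(sets, strategy):
    """What is actually on the backup medium. A mirror overwrites the previous
    copy, so only the latest set survives; every other strategy keeps all sets."""
    if strategy == "mirror":
        return {len(sets) - 1: sets[-1]}
    return dict(enumerate(sets))


def restore_chain(strategy, day):
    """Indices of the backup sets that must be applied, in order, to rebuild `day`."""
    if strategy in ("full", "mirror"):
        return [day]
    if strategy == "differential":
        return [0] if day == 0 else [0, day]
    if strategy == "incremental":
        return list(range(day + 1))
    raise ValueError(f"unknown strategy {strategy!r}")


def restore(days, strategy, day):
    """Rebuild the state of `day` from retained sets, or None if the
    required sets are no longer available (e.g. an older day on a mirror)."""
    retained = retained_sets(plan(days, strategy), strategy)
    state = {}
    for idx in restore_chain(strategy, day):
        if idx not in retained:
            return None
        state.update(retained[idx])
    return state


def files_stored(days, strategy):
    """Total number of file copies held on the backup medium after the last day."""
    retained = retained_sets(plan(days, strategy), strategy)
    return sum(len(s) for s in retained.values())


if __name__ == "__main__":
    last = len(DAYS) - 1
    for s in STRATEGIES:
        print(f"{s:12} stores {files_stored(DAYS, s):2} file copies; "
              f"restore of day {last} applies sets {restore_chain(s, last)}; "
              f"day 1 recoverable: {restore(DAYS, s, 1) is not None}")
```

The output makes the trade-off concrete: incremental uses the least storage but needs every set in the chain (one corrupt set breaks the restore), differential needs only two sets, full needs one, and the mirror can only ever give back the most recent state, so anything encrypted or deleted before the last mirror run is gone from the backup too.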
Data Recovery
With a good backup routine in place, data recovery becomes a much simpler process. That said, there are four aspects every practice needs to address.
- Hardware: Does your practice rely on in-house or cloud-based hardware? Besides the computers staff use, what other equipment is relied on for data gathering and storage (printers, diagnostic equipment, and so on)? All of these items need to be considered when developing a recovery plan.
- Software: Most practices rely on more than just EHR software for their day-to-day activities. Establishing if other software used has restoration processes or integrations can help close gaps of potential data loss.
- Process for restoration: Having a step-by-step guide for the restoration process can aid your practice in determining which data needs to be prioritized and which data is of less consequence.
- Data: Gauging the amount of data affected by a potential cybersecurity attack is largely dependent on your practice’s EHR vendor. Consulting your point of contact with the vendor to determine if the entire system would need to be restored or replaced after an attack is something that every practice should do.
Emergency Mode Plan
Suppose an "apocalypse now" type of situation occurs. Your practice will need to establish the minimum level of access it needs to still function as a healthcare provider.
- Need vs. security: The patient information that is absolutely necessary to keep providing services falls neatly into the "need" category. Ask questions such as: Is there a secure way to access EHR and patient billing information even if the main system is compromised? If ePHI is lost or held hostage, is there a process staff can fall back on to avoid shutting down the practice until the issue is resolved?
- Alternative security measures: If there’s no practice access to a secure network, what alternative security measures can be taken? Does the vendor provide a virtual private network (VPN) that can be used on in-house mobile devices?
- Personnel: Staff members should receive thorough training in the event of a catastrophic event. Training can be implemented either by the vendor or through the practice’s own initiatives; the most important thing is that it occurs, regardless of who is leading it.
Testing and Revision Procedures
While not deemed strict "requirements" under HIPAA, testing and revision procedures are highly recommended for all healthcare providers. Legally, they must either be carried out or, if a practice finds itself unable to do so, the reasons such procedures were not put in place must be documented in writing. Examples of common testing and revision procedures include:
- Testing backup systems: Regularly testing backup systems can help practices avoid being caught off guard by a breach or system crash.
- Conduct mock scenarios: Practice makes perfect, and one of the easiest and safest ways to ensure your system is up to par is to perform routine mock scenarios, ranging from minor setbacks to total system loss.
- Review results: After testing the system and performing mock scenarios, review the results. This will clarify which procedures work and which ones do not well before an actual emergency situation arises.
- Prioritize: Determine which data and systems are most important when operating under emergency situations, and make those a priority when it comes to backing up and restoring them.
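"Testing backup systems" only means something if the test checks that what comes back matches what went in. The following added example (not code from the original article) shows one way to do that: record a SHA-256 manifest of the live files at backup time, then after a test restore compare the restored tree against that manifest and report missing, corrupt and unexpected files. The directory layout and file contents in `run_demo` are constructed sample data created in a temporary directory, so the script runs offline; the simulated restore deliberately loses one file and corrupts another to show what the report looks like when a test fails.

```python
"""Verify a test restore against a manifest recorded at backup time.

Added example. All paths and file contents are constructed sample data.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large EHR exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under `root` (relative, '/'-separated) to its SHA-256.
    Run this against the live data at backup time and store it with the backup."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest taken at backup time.

    Returns a report: 'ok' is True only when nothing is missing or corrupt.
    Extra files are reported but do not fail the test on their own."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {
        "ok": not missing and not corrupt,
        "missing": missing,
        "corrupt": corrupt,
        "extra": extra,
        "checked": len(manifest),
    }


def run_demo():
    """Build a constructed 'live' tree, take its manifest, simulate a faulty
    restore, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        restored = Path(tmp, "restored")
        # Constructed sample files standing in for practice data.
        sample = {
            "ehr/patients.db": b"patients-table-sample",
            "claims/2024-q1.csv": b"claim_id,amount\n1,100\n",
            "staff/roster.csv": b"name,role\nJ. Doe,RN\n",
        }
        for rel, data in sample.items():
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        manifest = build_manifest(live)         # recorded at backup time
        shutil.copytree(live, restored)         # the "restore"

        # Simulate a restore that silently lost one file and corrupted another.
        (restored / "staff/roster.csv").unlink()
        (restored / "claims/2024-q1.csv").write_bytes(b"claim_id,amount\n1,1OO\n")

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    report = run_demo()
    print("restore test", "PASSED" if report["ok"] else "FAILED")
    for key in ("missing", "corrupt", "extra"):
        for path in report[key]:
            print(f"  {key:8} {path}")
```

Keeping the manifest separate from the backup medium matters: if the same ransomware or disk failure that destroyed the data also destroyed the manifest, you have nothing to verify against. The report itself is the artifact to file under "review results" so that each test run is documented, which is the written evidence HIPAA expects.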
With these steps in place, a practice can document its procedures and build a concrete plan for surviving a cybersecurity event. Protecting patient and practice data is of paramount importance, whether a practice has 2 providers or 20. With an efficient cybersecurity contingency plan in place, the risk of lost or compromised data is significantly decreased.