Nov 08 2018

Your Healthcare Organization’s Been Hacked: Now What?

For healthcare covered entities and business associates, building up defenses to prevent cyberattacks is only half the battle. Here are some steps to consider in the aftermath of an incident.

Last month, health insurer Anthem agreed to pay the Department of Health and Human Services $16 million and take “substantial corrective action” as part of a settlement for HIPAA violations uncovered following cyberattacks that exposed health information for close to 79 million people.

According to HHS, the company failed to take adequate measures to guard itself against hackers. “We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR,” HHS Office for Civil Rights Director Roger Severino said in a statement.

Consider the last part of that statement: OCR expects Anthem and all other healthcare entities to not only monitor for potential attacks, but also react swiftly and decisively if a hacker gets through the cracks.

While much time is spent discussing how organizations can take steps to stay ahead of such attacks, incident response in the aftermath of an attack is just as critical.


Shore Up Your Post-Breach Communication Plan

Organizations can optimize incident response in several ways. For instance, entities such as health systems can develop notification templates to determine ahead of time whom to contact, when and how following a breach. The HIPAA Breach Notification Rule calls on covered entities to notify affected individuals, HHS and sometimes the media “without unreasonable delay” and no more than 60 days after a breach is discovered if 500 or more individuals are affected.

Internal communication about an event is equally vital. Not everyone who must be notified internally will need to take immediate action, but they may well need the information at a later time.

Inform and Educate Staff to Improve Response Times

In that same vein, education must not be ignored. Communicating to staff about a specific incident is informative, but teaching employees about the proper ways to both identify and respond to an attack is necessary as well.

Additionally, organizations need to know in advance which steps they will take for different outcomes. In some instances, certain pieces of hardware or software may need to be removed. A flexible strategy that defines who must do what, and how, can not only save time but also prevent further damage.

A post-incident review is also a critical component of a healthy incident response plan. While hindsight is 20/20, determining what went wrong and when, what lessons were learned and how the response could have been more effective can help to improve preparation against potential future attacks.

This article is part of HealthTech’s MonITor blog series. Please join the discussion on Twitter by using the #WellnessIT hashtag.

