Responding effectively to a security crisis requires planning, and an article at Hospitals & Health Networks provides checklists to guide that effort.
The article distinguishes a security incident, in which an unauthorized person gains access to one or more computers, networks or other assets, from a security crisis, in which an intrusion affects the organization's ability to operate.
A crisis can affect confidentiality, such as a breach of protected patient data; integrity, in which patient records may be altered; and/or availability, in which systems are no longer usable for regular business.
One of the first steps: Notify hospital leaders and board members who have the authority—and the budget—to respond, says the author, Chris Williams, chief cybersecurity architect at Leidos Health, a consulting firm based in Reston, Va.
He also outlines the skills, services and other resources the response will require, including preparing the team for a high-stress situation.
“While a cyber crisis is hardly the only emergency that can occur at a hospital, it is one of the few that involves an active adversary who may try to thwart recovery. Encourage your team to be ready. It’s going to happen,” he says.
Ninety-five percent of hospitals responding to a survey by the Department of Health and Human Services’ Office of Inspector General had a written EHR contingency plan, and more than two-thirds addressed HIPAA requirements such as having a data backup plan and an emergency mode operations plan.