When the fire department shows up at a fire, every firefighter on the team knows exactly what their role is and who to listen to for commands. They have practiced using multiple scenarios to be ready for surprises. Skilled professional emergency responders never fight a disaster on the fly – they’ve rehearsed it over and over and learned how to minimize damage and loss.
Healthcare organizations can learn from the same playbook developed for managing natural disasters. A cyberattack is similar to a natural disaster and can cause enormous damage – data locked and stolen, patient care disrupted and operations stalled for weeks. But you can avoid the worst effects and stay operational by planning ahead. A new toolkit for healthcare organizations shows how.
A Checklist to Manage Crisis Response and Recovery
On April 29, the Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) published the “Operational Continuity-Cyber Incident (OCCI)” checklist. It mirrors the incident command system (ICS) and the hospital emergency incident command system (HEICS), both of which have been used in emergency response throughout the U.S. since at least the late 1980s. This new checklist focuses specifically on cybersecurity response, and may be used by any size or type of healthcare organization.
HSCC says the toolkit “provides a flexible template for operational staff and executive management of healthcare organizations to respond to and recover from an extended enterprise outage due to a serious cyberattack. Its suggested operational structures and tasks can be modified or refined according to an organization’s size, resources, complexity, and capabilities.”
Heightened Risks Require More Planning
Healthcare has been hit hard by cyberattacks in recent years, and the risks continue to grow. Recently, the war in Ukraine has heightened cybersecurity risks, with warnings from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the American Hospital Association during January and February. In late April, CISA once again issued an alert about Russian state-sponsored cyber threats to critical infrastructure. CISA urged critical infrastructure organizations to patch all systems, secure Remote Desktop Protocol (RDP), and implement multifactor authentication.
Managing a cybersecurity attack that threatens continuity of operations is a complicated task requiring teamwork and coordination among a broad range of skills. The checklist is organized based on various roles within an organization. For example, an “incident commander” should be appointed to provide “overall strategic direction on all site-specific response actions and activities.”
- The incident commander first identifies the scope of the incident and establishes a process for coordinating with IT and cybersecurity teams. Within the first 12 hours, the checklist suggests that organizations activate downtime plans and communicate with partner organizations about downstream impacts.
- Meanwhile, the assigned medical-technical specialist should engage with risk management and legal experts to advise the incident commander on appropriate response measures and compliance actions.
- The public information officer serves “as the conduit for information to internal and external stakeholders, including site personnel, visitors and families, and the news media,” the checklist explained. The public information officer should receive briefings and develop internal and external communications and crisis communication plans. The officer should also collaborate with public relations (PR) professionals and provide information to media outlets.
- Other suggested roles include a liaison, a safety officer, a finance section chief, and a logistics section chief to perform various recovery duties. These roles account for recovery time objectives, communications, and even ensuring that food and water are available for patients, staff, and visitors.
HIPAA Risk Management Includes Contingency Planning
HIPAA requires covered entities and business associates to prepare a contingency plan to protect the availability, integrity, and security of data during unexpected negative events, no matter the cause. The recent HSCC checklist dovetails with your regular HIPAA compliance program by offering a flexible structure to organize and coordinate a cybersecurity recovery plan. The checklist is not mandatory – it’s a guide you can use to strengthen your response, safeguard your operations and protect patients. Add it to your arsenal to fight back against cybercrime.