Being caught off guard without a backup plan in place puts a regional hospital in jeopardy when a cyberattack happens. Taylor Regional Hospital (TRH) in Kentucky has been without electronic systems and regular phone lines for two and a half weeks as of today. TRH first reported the cybersecurity incident on January 24, and its systems have been down since then. Patient care is suffering.
An urgent notice on the TRH website on February 10 reads:
TRH’s systems, including our phone systems, are currently down as we investigate a cyber security incident. We are working to restore our systems quickly and safely. In the meantime, TRH continues to provide quality care to our patients. We appreciate the community’s patience and understanding, and we apologize for the inconvenience caused by this event.
TRH also notes that patients who are receiving lab draws for outpatient services should expect longer wait times, and routine outpatient labs will only be performed during limited hours. In addition, all patients will be required to bring a written lab order.
The hospital is also unable to schedule COVID testing and will conduct tests on a first-come, first-served basis. TRH has not yet provided an estimate for when all services may be operational again.
Contingency Planning is Required by HIPAA
Covered entities and business associates must have “Administrative, Physical and Technical Safeguards” to ensure the confidentiality, integrity, and security of electronic protected health information (PHI) they create, receive, maintain or transmit.
HIPAA Risk Management Includes Contingency Planning
When an organization conducts HIPAA Risk Analysis, contingency planning is included. The Security Rule Checklist in The HIPAA E-Tool® asks whether a plan and procedures for responding to an emergency are in place. The E-Tool also includes a template to complete a contingency plan, scalable to an organization’s circumstances.
A contingency plan is one of the Administrative Safeguards required by HIPAA. The plan must have policies and procedures for responding to an emergency that damages systems or physical locations containing PHI. A cybersecurity incident that shuts down systems is an emergency, just like a natural disaster, flooded pipes or a power outage. Without a contingency plan, system downtime can last longer and cost far more, placing patient care and PHI at risk for a longer period.
There is no “one size fits all” contingency plan, and the HIPAA rules recognize that contingency planning will be scalable based upon factors including an organization’s most recent Risk Analysis, its facility location(s), and the resources available in its community.
Avoid the enormous costs and risks to patient care caused by system downtime by planning ahead. Weeks of downtime may take months or years to recover from and get back to normal. Pay attention to prevention and planning instead.