How To Prevent A Natural Disaster From Becoming A HIPAA Disaster

Over the past few years, many natural disasters have hit the United States that have had direct impacts on healthcare organizations such as the direct hit on the hospital by a tornado in Joplin, Missouri or flooding that leaked into a hospital in Duluth, Minnesota. What about a loss of power to an organization or bad network connection? Healthcare has also seen a drastic increase in the number of ransomware attacks, which block an organization’s ability to access patient data. When disasters happen and impact access to patient information, it is easy for the healthcare organization to panic and not know what to do. We all know how vital it is to treat patients with the most up to date and current information so planning becomes essential to prepare your organization for disasters and emergencies.

The HIPAA Security Rule requires that healthcare organizations create a contingency plan to follow in the event of a disaster or loss of access to protected health information. Under the HIPAA Security Requirement, a contingency plan should consist of the following:

• Data backup plan (for all systems with protected health information)
  • Document the process in which your data is being backed up. Include the location of the backup, process for backup, and frequency of back up. If you are using a third-party vendor to backup data, an organization should have a process to ensure successful data backups and define a process for failed backups.
• Disaster recovery plan
  
  • Once the emergency situation is over, the disaster recovery plan defines the steps the organization must take to restore data and systems to original operating status. This will include information on what information must be added back into the system and the specific order of data to be restored.
• Emergency mode operations
  
  • Define a process to ensure that critical business functions occur when the emergency is happening and the information is unavailable. This includes information on how data may be accessed, how data will be documented with system unavailability, what additional security measures will be used, whom to contact and when, and how the organization will function to provide patient care. The emergency mode operations may look different depending on the disaster.
• Testing and revision procedures
  
  • The contingency plan should be regularly tested and the appropriate updates made. The revised contingency plan should be provided to the appropriate people within the organization.
• Applications and data criticality analysis
  
  • Create a list of each of the different systems that house protected health information within the organization and rank the criticality (importance) to the organization. Your output for this step is a listing of every software application that has PHI and the importance of the daily operations of your organization. The goal of this step is to understand the data and know what systems are more critical to get up and running over others.

The other big task with a contingency plan is to train the workforce. Your workforce should know and understand the processes in the event that the information becomes unavailable or your network is blocked off by a hacker. Workforce members should feel confident and comfortable with the process of working in emergency mode and having access to minimal, if not no information.

A contingency plan doesn’t have to be complex, but it should be written. In a recent discussion with a Senior Underwriter for Cybersecurity Insurance, he stated that he asks for the organization emergency preparedness plan when assessing and processing a cybersecurity insurance quote.

Don’t assume nothing will happen to your organization. Some plan is better than no plan so start having the conversation and creating the processes now. Also, make sure you take time to test the process to ensure that it works effectively for your organization. You want to feel confident regarding your plan so that if the unthinkable happens, you are prepared.