How to protect sensitive business information from cyberattacks

Establishing and maintaining effective systems to protect sensitive personal data and confidential business information from outside interference, while ensuring that privacy interests are protected, is among an organization’s highest priorities. Executing, tracking, and continually updating these preventative practices defines an organization’s first line of defense. But what if an organization actually experiences a breach? Is there any guidance available, particularly for healthcare organizations, on business continuity and disaster recovery (BC/DR) planning aimed at ensuring resilience and recovery in the event of a potentially disastrous cyberattack?

Recently, the Healthcare and Public Health Sector Coordinating Council (HPHSCC) released an Operational Continuity-Cyber Incident (OCCI) Checklist to help healthcare organizations maintain business continuity while recovering from a cyberattack. This guidance comes at a critical time, when cybersecurity risks are increasing for US-based healthcare facilities. Indeed, a dramatic increase in zero-day attacks, and ransomware exploits in particular, coupled with rising recovery costs from cyberattacks, underscores that resilience, continuity and disaster planning are now more important than ever. Nevertheless, while it is clear that in healthcare “an ounce of prevention” can be worth “a pound of cure”, many organizations are still struggling to implement or update their emergency plans.

Growth of cyber risk in the wake of the Russian-Ukrainian conflict

Over the past few years, the Cybersecurity and Infrastructure Security Agency (CISA) has been tracking the activities of malicious hackers and has found that healthcare and public health have increasingly become primary targets of cyberattacks involving malware (most commonly ransomware), data theft, and disruption of health services. Although we have previously described this increased risk, the ongoing Russian invasion of Ukraine and its regional and global economic effects have, according to CISA last month, exposed organizations to an even greater increase in cyberattacks from state-sponsored actors. The American Hospital Association has echoed the need for healthcare organizations to take additional precautions in light of this magnified threat.

Adverse impacts on healthcare organizations

It’s a truism that cyberattacks can cause significant operational disruption, financial strain, and even harm to patients. Recent experience highlights that the risk of these detrimental outcomes has been heightened by the healthcare sector’s increasing reliance on digital infrastructure and solutions. Many healthcare organizations have implemented specialized and interconnected information technology systems that include electronic health records, e-prescribing solutions, practice management tools and clinical decision support algorithms, all of which could be vulnerable to a cybersecurity attack. This technological vulnerability has been amplified during the COVID-19 pandemic, which greatly accelerated the adoption of Internet of Things devices and remote monitoring solutions by healthcare organizations; these, too, are vulnerable to attack.[1]

Health care security regulations provide limited guidance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides a useful starting point for healthcare organizations to develop their emergency resilience and recovery policies and procedures. Indeed, such planning is mandated by the HIPAA Security Rule, which seeks to ensure that healthcare organizations take steps to protect the confidentiality, integrity, and availability of the organization’s protected health information and that they recover quickly from an attack. Organizations looking to develop these plans would also benefit from implementing the “Recognized Security Practices” referenced in the HITECH (Health Information Technology for Economic and Clinical Health) Act, as amended in 2021. As we previously described, the HITECH Act directs the Department of Health and Human Services to “consider certain recognized security practices of covered entities and business associates when making certain decisions” regarding fines, audit results or other remedies to resolve potential violations of HIPAA. Adopting these best practices therefore provides a tangible incentive for healthcare organizations.

The OCCI Checklist is designed “to provide a flexible model for operational staff and senior management to respond to and recover from an extended enterprise outage due to a severe cyberattack.” The checklist is useful for organizations of all sizes and complexities, whether a small physician group, a regional emergency clinic or a national hospital system. To serve these various entities, the checklist is separated into ten role-based modules that align with the Incident Command System, while allowing an organization to refine or modify a module to fit its size, resources and capabilities. These role-based modules describe the leadership functions required during the first twelve hours following a cybersecurity incident:

  • Incident Commander, who provides overall strategic direction on all site-specific response actions and activities.

  • Medical-Technical Specialist (subject matter expert/advisor), who advises the Incident Commander or Section Chief on matters related to the incident, and who provides understanding and communicates specific impacts and recommendations based on their area of expertise.

  • Public Information Officer, who serves as an information channel to internal and external stakeholders, including site personnel, visitors and families, and the news media, as approved by Cybersecurity, the IS/IT Section Chief and the Incident Commander.

  • Liaison Officer, who coordinates communication with external partners together with the Public Information Officer, the Medical-Technical Specialist and the IS/IT Section Chief.

  • Safety Officer, who identifies, monitors and mitigates risks to the safety of patients, staff and visitors during an extended, large-scale outage.

  • Operations Section Chief, who develops and recommends strategies and tactics to continue clinical and non-clinical operations for the duration of incident response and for recovery.

  • Planning Section Chief, who oversees all incident documentation regarding incident operations and resource management; initiates long-term planning; organizes planning meetings; and prepares the incident action plan for each operational period.

  • Finance Section Chief, who monitors the use of financial assets and the recording of financial expenditure, and oversees the documentation of expenses and cost reimbursement activities.

  • Logistics Section Chief, who organizes and directs the service and support activities necessary to meet the material needs of the site’s response to an incident, ensuring that resources are available when needed.

  • Intelligence Section Chief (IS/IT), who provides technical response, continuity, and recovery recommendations; partners with Cybersecurity to inform incident response decisions and activities; and coordinates intelligence and investigative efforts.


[1] See Journal of Oral Biology and Craniofacial Research (January 30, 2021), “Internet of Things (IoT) Enabled Healthcare Helps to Take the Challenges of COVID-19 Pandemic”.

©2022 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume XII, Number 139