The worst thing healthcare organizations can do when an IT incident occurs is downplay it. "They don't necessarily ignore it, but they try to minimize it," says Nic Cofield with Jackson Thornton Technologies. "They need to not only get the system back up and going, but assess if they're dealing with a HIPAA incident, because underestimating the impact of the incident or delaying a response can be very costly."
In May, a Tennessee diagnostic medical imaging services company paid a $3 million penalty to settle an incident exposing over 300,000 patients' protected health information in 2014. The company had been told of the potential breach by the FBI and the Office of Civil Rights (OCR), which oversees HIPAA violations, but postponed investigating for several months, which delayed notification to those patients affected. The penalties mounted when OCR's investigation found that Touchstone Medical Imaging had failed to document a thorough risk analysis to their sensitive data as required by HIPAA.
"The OCR have said point blank that if you are not sure you've had a breach, you have to treat it like you did have one," says Robbie Morris with C Spire. "You are guilty until proven innocent in these situations."
"Covered entities must respond to suspected and known security incidents with the seriousness they are due," OCR Director Roger Severino says. "Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure."
The second thing healthcare organizations often get wrong is allowing activity logs for the network to overwrite rather than be stored. Because this data could identify whether or not an IT incident resulted in a HIPAA-reportable breach, and therefore protects the organization from unwarranted penalties.
"It's simple in saying it, but not executing it," Morris says about archiving activity logs, estimating about 80 percent of his healthcare clients do not store the records for nearly long enough. "But how do you do an incident investigation if you don't have an activity log?"
Morris warns that short-term archives of the logs may be useless. Malicious actors can be in a system for six or nine months before their presence is detected. "If the logs are overwritten in 30 or 60 days, you have no idea how they got in and what they did," he says.
HIPAA does not mandate a specific time span for archiving activity logs, but Morris recommends five years based on OCS's activities. "Current settlements and investigations by the OCS are from incidents three to seven years ago," he says.
Analyzing the logs in the case of an IT incident can often be performed by the organization's cyber insurance. "I've seen it work and be an invaluable asset to ending the recovery process," Cofield says. "In addition to helping with data forensics, some policies aid in publicity, crafting notifications, and providing legal assistance. Have a conversation with your insurer to understand what different policies might cover and what yours will cover."
Staff and physicians can also benefit from a conversation on what recovery from an IT incident will look like and how long it will take for normal operations to resume. "Get everybody on the same page," Cofield says. "There are too many situations where recovery time is not regarded as sufficient, especially at the physician level. Spell out the cost and time for recovery on each option, along with what the extra time to recover may cost on cheaper up-front options. Getting some clarity on this will make the situation less stressful.
"Now do what I call a tabletop. Bring some of the staff together and move beyond a conversation into playing out the IT scenario, such as a ransomware incident. Find out where you are and where your gaps might be, especially in the documented protocols and how long certain steps may take
"The more incidents you and your staff play through and reach an understanding how to respond, then you will be better prepared when an incident occurs. This is necessary because cybersecurity is a moving target and it's tough to stay ahead of it."
