OCR: 3 steps to create a cyberattack contingency plan

Jessica Kim Cohen

In its March newsletter, the HHS Office for Civil Rights (OCR) highlighted the importance of an organization having a contingency plan in place so it can recover after a cyberattack.

"The purpose of any contingency plan is to allow an organization to return to its daily operations as quickly as possible after an unforeseen event," the newsletter reads, noting a comprehensive plan should outline steps to continue operations and contain damage to property, personnel and data.

HIPAA-covered entities and business associates must establish contingency plans under the HIPAA Security Rule's contingency plan standard (45 CFR 164.308(a)(7)). Here are the three required elements of a HIPAA-compliant contingency plan, as outlined in the OCR newsletter.

1. A disaster recovery plan with procedures to restore any loss of an organization's protected health data

2. An emergency mode operation plan (also called a continuity of operations plan) to keep the critical business processes that protect the security of health data running while the organization operates in emergency mode

3. A data backup plan with procedures to create and maintain retrievable, exact copies of protected health data so it can be restored in the event of a loss or disruption

Two further elements, which the Security Rule designates as addressable rather than required, round out the plan. To build a contingency plan, hospital leaders should perform an applications and data criticality analysis to rank which applications and data must be restored first. They should also test the contingency plan periodically and revise it to correct the deficiencies the tests reveal; an untested plan offers little assurance that recovery will work when it is needed.


Copyright © 2024 Becker's Healthcare. All Rights Reserved.