Business Continuity & Incident Response… or an Unintended Holiday?
By Gil Vidals, HIPAA Blog, Security, Uncategorized

One of the things you notice about “Old Scrooge” (as opposed to the changed one, post-hauntings) is that he just can’t take a holiday:

“But he was a tight-fisted hand at the grindstone, Scrooge! a squeezing, wrenching, grasping, scraping, clutching, covetous, old sinner! Hard and sharp as flint, from which no steel had ever struck out generous fire; secret, and self-contained, and solitary as an oyster.”

And, “It’s enough for a man to understand his own business… mine occupies me constantly.”

The reason, Marley’s ghost tells him, is his invisible chains – forged “link by link and yard by yard” while chasing a golden idol – instead of receiving the true meaning of the season.

But we all know the outcome: Scrooge gets an “unintended holiday” to see where it all leads.

What’s the moral? Getting a glimpse of one’s end beforehand is a good thing; it provides a much-needed wake-up call of sorts.

In a healthcare context, the same holds true. You may believe you’re fine with your security and patient data until you foresee the sad result: violations and fines, even lawsuits and potential loss of business. (Wood Ranch Medical is just one cautionary tale).

That’s when Marley’s regret might hit you: “Business? Mankind (i.e., the patient) was my business…”

Learning from Past and Future

And if you do get breached (compromised by any cyber attack), like Scrooge, you should entertain the “ghost” that will show you your past practices. A thorough risk assessment will be the starting place to help remedy what was amiss.

If you haven’t been breached, be thankful, and prepare anyway for a spirit from the future to tell you what could happen, worst case. 

At a minimum, you’ll need a business continuity/disaster recovery plan (with offsite backups), along with a clear understanding of how those backups will be used.

This is a critical part of your incident response plan, especially when you consider that,

“42% of healthcare organizations surveyed,” as noted by the HIPAA Journal, reported that “an incident response plan had not been implemented, even though having an incident response plan has been shown to shorten the recovery time and reduce the cost of a data breach.”

Have an Incident Response Plan

Most incident response (IR) models, notes Security Officer Pam Nigro of Everly Health, have been reactive – cobbling together an emergency response in the fallout of a cyberattack. Better to have a proactive approach, Nigro says, where “continual monitoring detects anomalies across the organization.”

A comprehensive, three-phase IR plan will therefore consist of preparation (of which a risk assessment and C-suite buy-in are part); instrumentation (firewalls, IDS, access management, etc.); and maintenance (ensuring the tools are working correctly).

The good news is if you host your ePHI with HIPAA Vault, a BC/DR (Business Continuity & Disaster Recovery) service comes standard. Also standard is our 24/7 monitoring and regular Intrusion Detection and mitigation capabilities. It’s all part of our full plate of managed services.

So how can our ‘present’ benefit from a look back, and a look ahead? Patients will be cared for, and your practice can continue doing what it does best…

…because not having an IR plan is a bit like Scrooge forgetting his true business, which just might lead to an unintended holiday:

“Business!” cried the Ghost, wringing its hands again. “Mankind was my business; charity, mercy, forbearance, and benevolence were, all, my business. The deals of my trade were but a drop of water in the comprehensive ocean of my business!”