
10 Roles of Operational Continuity – Ep 355 

 May 13, 2022

By  Donna Grindle

Incident response planning is important to every business. You don’t want to figure out how to manage the business and respond to an incident on the fly. These plans should be reviewed and updated regularly. Today we review a brand new guide from the Healthcare & Public Health Sector Coordinating Council on Operational Continuity – Cyber Incident.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


PriSec Boot Camp

The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

PriSecBootCamp.com



HIPAA Say What!?!

[03:43] David recently talked with a physician who insisted that his practice takes not only privacy and security seriously, but also the practice’s HIPAA compliance requirements. He went on to say that he, himself, is a HIPAA expert and that he thinks he has this HIPAA thing covered.

If you are a regular listener, you know those are two big red flags for us… “HIPAA expert” and “got this HIPAA thing covered.”

The doctor then went on to tell David about three different ways in which he was violating HIPAA, without realizing that any of them were violations. But he’s a “HIPAA expert,” right?

The point is to be careful about how quickly you can get to willful neglect. If you profess that you are an expert in HIPAA but are not doing everything you’re supposed to do to comply with the law, that can be seen as willful neglect.

Regardless of your profession or hobby, it’s not easy to reach the level of “expert.” In this case, the doctor has many other responsibilities and plenty to do just to stay proficient as a doctor or surgeon. Also being an expert in HIPAA is unlikely.

405(d) Tip of the Week is the whole episode

10 Roles of Operational Continuity

[12:15] The folks at the Healthcare & Public Health Sector Coordinating Council (of which 405(d) is a tiny piece) have put together an Operational Continuity for Cyber Incidents guide. This was just released this month… hot off the press!

Operational Continuity – Cyber Incident (OCCI)

This Operational Continuity-Cyber Incident (OCCI) checklist is intended to provide a flexible template for operational staff and executive management to respond to and recover from an extended enterprise outage due to a serious cyber-attack.

This is a living document. It is not static. So, you have to tweak this document based on what is reasonable and appropriate in your environment and is available to you. Just like one of the key elements of an incident response plan is a post mortem review, you should constantly review how you apply this document in your organization and update it with new information.

The checklist is called Response Guideline for Cybersecurity/Technology System Prolonged Massive Disruption or Outage. Keep in mind that this document is a checklist of activities needing to be addressed during the first 12 hours of a cybersecurity incident. It is organized by job roles. So, it is important to assign each role to someone within your organization. The items in the list are things that have to all happen at the same time. That’s important when you assign roles because some people might be responsible for more than one role.

As stated in the checklist:

A prolonged massive disruption meets or has the potential to meet any of the following:

  1. Patient safety and/or member service impacts
  2. Large-scale clinical workflow, patient care, and/or member service impacts
  3. Implementation of preventative defenses that could impact clinical workflow

The different roles are activated as you need them and anything you choose not to activate should fall back on the top role of Incident Commander. Here is a list of all the roles and what they are responsible for.

  1. [21:17] Incident Commander – Provides the overall strategic direction on all actions and activities: defining what’s going on, who you need and where you need them.
  2. [37:08] Medical-Technical Specialist (Subject Matter Expert/Advisor) – Advises the Incident Commander on issues related to the response. You should have somebody who is clinical or medical and understands how the incident impacts the business’s workflow, how it impacts patients and their care, and what the technical pieces of it are. These subject matter experts are broken down into three groupings:
    • Cybersecurity – These people work with IT to contain the spread of malicious activity, perform forensics and identify impacted systems
    • Risk Management/Regulatory & Compliance/Legal – This person is looking at the programs that are in place, like your loss prevention and your risk management and how everything’s responding. They might be activating the cyber insurance policies, determining what other policies and procedures need activating, assessing any extortion components that might be in play, determining whether digital forensics is needed, getting the process for non-cyber related claims started, documenting everything that is taking place for compliance purposes and notifications for any other regulatory agencies, etc. Of course, they too will be talking with the Incident Commander and letting them know what is happening.
    • CNO/CMO/Clinical Leader/Safety & Quality – Someone here provides advice on issues with ethical implications, understands and communicates clinical impacts to inform waivers, contingency care and crisis standards of care activation, and coordinates with medical teams on the things they need.
  3. [45:48] Public Information Officer – This role provides a centralized place where the organization informs its employees, visitors, clients, patients, stakeholders, media, etc. of what is going on, so that everyone gets accurate information.
  4. [47:05] Liaison – Different from the Public Information Officer, this person is coordinating with external partners and agencies regarding the incident. This can help stop the rumor mill from getting out of hand.
  5. [47:47] Safety Officer – Identifies the safety risks and impact of the event. This involves risks and impacts to services you provide, your staff, visitors and/or patients, resources and systems in the organization (HVAC, labs, temperature controlled systems, etc), security systems, etc.
  6. [50:26] Operations Section Chief – This covers how you will continue to operate the business during an incident. It includes paying staff, billing for services, writing checks when you need to, and keeping the clinical parts working as well.
  7. [52:00] Planning Section Chief – This person is responsible for preparing the plans for operating the business during an incident and communicating them. That means having an actual plan in place so that you know how long the business can operate at limited capacity, where the lines are drawn as far as keeping things up and running, how long you can operate on paper alone, how long you can operate without any money coming in, who is going to follow up and make sure things are being documented, and who is making sure everybody is doing what they are supposed to be doing.
  8. [53:41] Finance Section Chief – This role involves making sure that money is there for financial expenditures, cutting checks and supervising documentation of expenditures and cost reimbursement activities, making sure credit cards are available to buy equipment that may be needed on the fly, etc.
  9. [54:05] Logistics Section Chief – This person is responsible for providing support services to those who are involved in the incident, making sure staff get rest, stay hydrated and fed. They also make sure as resources are needed, they are ready and available.
  10. [55:22] Intelligence (IS/IT) Section Chief – The head of your IT and technical response teams. This person should know the network infrastructure and be able to help track the scope and progress of the response from a big-picture standpoint with the technology, making sure everybody has what they need and everybody understands the timeline.

So, does your incident response plan include all these roles and responsibilities? Might be time to dust it off, review and update it.

This document is a great resource to help you identify the areas that you need to consider and document in your response plans. It contains a checklist with lots of information for making sure you have everything together. This is not one of these things you pull out of the drawer when something happens. It’s too late at that point. You can’t create this on the fly. Do it now before something happens.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
