
Incident Panic to Plan for SMB Execs – Ep 488 

 December 13, 2024

By Donna Grindle

Cybersecurity incidents can feel like a punch in the gut, but with the right plan, you can roll with the hits instead of flailing in panic. In this episode, we’re diving into executive strategies for tackling the unexpected, from building response teams to keeping business operations afloat when chaos strikes. Along the way, we also cover a recent corrective action plan that serves as a cautionary tale for getting your protocols in order before trouble comes knocking. This is your go-to guide for staying cool when the heat is on!

A 5 star review is all we ask from our listeners.

In this episode:

Incident Panic to Plan for SMB Execs – Ep 488

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!

HIPAA Briefs

[04:29]

Holy Redeemer Hospital Resolution Agreement and Corrective Action Plan | HHS.gov

Quote by OCR Director Melanie Fontes Rainer in the settlement announcement was:

“It is imperative that health care providers take their duty to protect patient privacy seriously and follow the law. Patients must be able to trust that sensitive, health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need. This is particularly true for reproductive health privacy.”

Summary of the Settlement

  • Incident: The complainant stated that she had requested that Holy Redeemer send one specific test result, unrelated to her reproductive health, to a prospective employer. Holy Redeemer Family Medicine (HRFM) impermissibly disclosed a patient’s protected health information (PHI) on September 27, 2023, including reproductive health details, to a prospective employer without the patient’s authorization. HHS received a complaint and then notified HRFM of an investigation on November 1, 2023.
  • Findings: The patient requested only a specific test result to be shared with her employer, unrelated to reproductive health, but the entire medical record was disclosed instead.
  • Resolution: HRFM agreed to a settlement of $35,581 with HHS OCR and a CAP.
  • Corrective Actions:
    • HRFM will implement a Corrective Action Plan (CAP) monitored by OCR for two (2) years.
    • Key actions include:
      • Submitting a breach notification report to HHS.
      • Revising and implementing HIPAA-compliant privacy policies and procedures.
      • Training workforce members on privacy protocols.
      • Submitting periodic compliance reports to OCR.

Corrective Action Plan (CAP) Highlights

  • Policy Overhaul: HRFM must develop and revise privacy policies to comply with HIPAA regulations. These policies must be reviewed and approved by OCR.
  • Workforce Training: All staff must undergo training on approved privacy policies, including those addressing PHI use, disclosure, and breach notification.
  • Monitoring and Reporting: HRFM must report any violations of its privacy policies, undergo regular audits, and provide annual compliance reports to OCR.
  • Retention and Documentation: All documents related to the CAP must be retained for six years for potential OCR review.

Incident Panic to Plan for SMB Execs

[14:59]

From Panic to Plan: Executive Strategies for Handling Cybersecurity Incidents | Health Sector Coordinating Council

The Health Sector Coordinating Council’s “Cyber Incident Response Executive Checklist” offers crucial guidance for healthcare executives to effectively manage cybersecurity incidents. Here are five key areas to focus on:

  1. Incident Response Preparedness
    • Establish a Dedicated Response Team: Identify and train a cross-functional team responsible for managing cyber incidents.
    • Develop and Test Response Plans: Create comprehensive incident response plans and conduct regular exercises to ensure readiness.
    • Pre-Engage Cybersecurity and Insurance Partners: Secure agreements with cybersecurity firms in advance to expedite response efforts during an incident.
  2. Business Continuity Planning
    • Assess Operational Dependencies: Understand how critical services and processes interconnect to prioritize restoration efforts.
    • Prepare for Extended Downtime: Develop strategies to maintain essential operations during prolonged system outages.
    • Ensure Regulatory Compliance: Identify and fulfill all necessary reporting obligations to federal, state, and local authorities during incidents.
  3. [32:09] Communication Strategies
    • Develop a Crisis Communication Plan: Establish protocols for sharing information with internal and external partners, including patients, healthcare organizations, vendors, staff, and the public.
    • Tailor Messages to Stakeholders: Create communication templates for various audiences, including staff, patients, partners, and the public.
    • Coordinate with Law Enforcement: Understand how involvement with law enforcement may impact public communications.
    • Communicate Regularly: Provide status updates and specific instructions, and foster a culture of teamwork that empowers staff to keep performing their roles effectively. Also alert partner organizations to any immediate risks the incident poses to them.
  4. Legal and Regulatory Considerations
    • Review Extortion Policies: Discuss and establish policies regarding responses to ransom demands, including decision-making authority.
    • Manage Legal Obligations: Work with legal counsel to navigate the complexities of regulatory requirements and potential liabilities.
  5. Supply Chain and Vendor Management
    • Maintain Vendor Contacts: Keep an updated list of critical vendors and their contact information for swift coordination during incidents.
    • Assess Third-Party Risks: Evaluate the cybersecurity posture of vendors and incorporate them into incident response planning.

By proactively addressing these areas, healthcare executives can enhance their organization’s resilience against cyber threats and maintain patient safety while ensuring continuity of care.

When it comes to cybersecurity, hope isn’t a strategy, and panic isn’t a plan. We leave you with a clear reminder: preparation is the key to navigating the storm. Whether it’s defining incidents, prioritizing critical systems, or wrangling your vendor relationships, every step you take now is one less fire to put out later. After all, if you wouldn’t drive without a seatbelt, why run a business without a plan for when cyber trouble comes your way?

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.

HelpMeWithHIPAA.com Is A
Collaborative Project

Created & Sponsored By: