
Are Nightmares Contagious? – Ep 430 

 October 27, 2023

By  Donna Grindle

When vendors have incidents that disrupt their operations, it’s like having ghosts haunt a business’s continuity plan, just waiting to make an eerie appearance. That’s why it is crucial for businesses to include vendor-related security incidents or downtime in their business continuity plans. One company’s nightmare can be contagious to its customers.


In this episode:

Are Nightmares Contagious? – Ep 430

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!



HIPAA Briefs

[01:26] Does HIPAA require business continuity plans?

Yes, but you will find it referred to as “Emergency Mode of Operation.” Somewhere down the line the terminology changed, but Business Continuity and Emergency Mode of Operations are essentially the same – they define how you will maintain business operations during a disruption or crisis. Business continuity plans go hand in hand with incident response plans and disaster recovery plans. The moment you identify that an incident has occurred, you break out your incident response plan. At some point you will have all three of these plans operating simultaneously at some level.

Are Nightmares Contagious?

[04:54] Most organizations create their incident response, business continuity and disaster recovery plans around the concept of their own organization being involved in some type of incident. But, does your incident response plan include what happens when one of your key vendors is attacked or shut down? Their nightmare becomes your nightmare at that point.

Henry Schein’s Nightmare

Henry Schein Provides Information on Cybersecurity Incident

Henry Schein was attacked, but the attack did not affect their EHR software, which is one line of services they provide. However, another line of business they have is supplying healthcare providers. Their clients aren’t able to get their supply orders in or get responses to the emails they’ve sent to the company. So, it seems that the attack was some sort of email attack, because it has affected their ability to fill orders, send email and communicate with their clients other than via phone calls. Do you even open their emails when you do get them? How can you be sure they aren’t spreading the infection to your systems via email? You will need to be super leery of any emails, and of any attachments and links in them, that come from Henry Schein staff.

So, most companies today operate with “just in time” inventories. They don’t have huge inventories of supplies on hand; they order periodically to restock. Henry Schein’s clients are now having to order supplies from alternative vendors, which is another issue to manage, because Henry Schein is only filling supply orders for emergency, life-or-death situations. Their nightmare attack is contagious to their clients.

Flaw in the Plan

[19:03] So, what if you have a backup plan, and you restored data, but you lost the last 24 hours of records in the restore? This is where knowing the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for each of your backups comes into play. It is crucial to know these two numbers. Your RPO tells you how much data might be lost when you restore the latest backup. Knowing how often data is backed up, and how much time passes between the last backup and the next, tells you how much data could potentially be lost – the data between the restore point and BOOM!

Your recovery time objective tells you how long it is going to take to recover from your backups. Many people think that they can pay $50/month for backup and be able to restore their data in minutes. That would be a wrong assumption. So you need to plan for downtime accordingly, as well as for the restore point. While you’re down, you can have your staff doing things on paper. But if you know your restore point is going to be 24 hours back, you know that you are also going to need to recreate all of those other records, or you lose them.

That brings us to another question – Is this something you’ll have to report to OCR? The HIPAA Security Rule says you not only have to protect the confidentiality of PHI, but also the availability and integrity. In this case, you will need to evaluate whether or not you need to report this to OCR.

Also, you need to reach out to your cloud vendors and ask these backup questions. Many times, these bigger organizations say they back up your data, but they are doing so in case there is some mass outage on their end, not so they can restore just one client’s data as it was 2 days ago. In these cases, you will need to evaluate having a separate third-party backup of your data.

Oops, forgot something

[27:35] What if you restored everything easy peasy and everything is back to normal, except no one backed up the records created on this one medical device server? Is that something to report to OCR? First, this is the definition of a failure to do a complete and thorough risk analysis. Yes, you have to fully evaluate what was on the medical device’s server to determine whether or not you have to report it to OCR. How many records were on the server? You may have to determine how long you have been using the server, and whether it was ever backed up, just to come up with that number of records. Was the vendor supposed to back it up? Does your IT provider even know anything about this server? And so on…
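The RPO/RTO discussion above and the forgotten medical device server describe the same check: for every system you depend on, how much data sits between the last good backup and the incident, and how long a restore actually takes. The script below is an added example written for these show notes, not code from the podcast or from any vendor named here; the inventory, timestamps and targets are constructed, and the `BackupJob` fields are assumptions about what a practice would record for each system.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class BackupJob:
    """One system in the backup inventory (field names and values are constructed for this example)."""
    system: str
    rpo_target: timedelta                 # how much data loss the practice says it can tolerate
    rto_target: timedelta                 # how long the practice says it can be down
    interval: Optional[timedelta]         # how often the backup runs; None = no backup configured
    last_success: Optional[datetime]      # last completed backup; None = never backed up
    tested_restore: Optional[timedelta]   # duration of the last real restore test; None = never tested


@dataclass
class Finding:
    system: str
    data_lost: Optional[timedelta]        # records written since the last good backup
    worst_case_loss: Optional[timedelta]  # loss if the incident hits just before the next run
    issues: List[str] = field(default_factory=list)


def fmt(d: timedelta) -> str:
    """Render a duration as e.g. '12h30m' for the report."""
    hours, rem = divmod(int(d.total_seconds()), 3600)
    return f"{hours}h{rem // 60:02d}m"


def assess(job: BackupJob, incident_time: datetime) -> Finding:
    """Compare one system's real backup state against its RPO/RTO targets."""
    f = Finding(job.system, None, None)
    if job.last_success is None or job.interval is None:
        # The medical-device-server case: nothing to restore from, so RPO/RTO are meaningless
        f.issues.append("never backed up: every record on this system is at risk")
        return f
    f.data_lost = incident_time - job.last_success   # what the restore will not bring back
    f.worst_case_loss = job.interval                 # schedule gap is the worst-case RPO
    if f.data_lost > job.rpo_target:
        f.issues.append(f"RPO missed: {fmt(f.data_lost)} of records since last backup, "
                        f"target {fmt(job.rpo_target)}")
    if job.interval > job.rpo_target:
        f.issues.append(f"schedule cannot meet RPO: runs every {fmt(job.interval)}, "
                        f"target {fmt(job.rpo_target)}")
    if job.tested_restore is None:
        f.issues.append("RTO unknown: no restore test on record")
    elif job.tested_restore > job.rto_target:
        f.issues.append(f"RTO missed: measured restore {fmt(job.tested_restore)}, "
                        f"target {fmt(job.rto_target)}")
    return f


# Constructed scenario: ransomware hits on a Tuesday afternoon.
INCIDENT = datetime(2023, 10, 24, 14, 30)

# Constructed inventory for a small practice; none of these systems or values are real.
INVENTORY = [
    BackupJob("ehr-db", timedelta(hours=4), timedelta(hours=8),
              timedelta(hours=24), datetime(2023, 10, 24, 2, 0), timedelta(hours=6)),
    BackupJob("imaging-device-server", timedelta(hours=24), timedelta(hours=48),
              None, None, None),                     # the server nobody backed up
    BackupJob("mail-archive", timedelta(hours=1), timedelta(hours=4),
              timedelta(hours=1), datetime(2023, 10, 24, 14, 0), timedelta(minutes=30)),
    BackupJob("cloud-vendor-snapshot", timedelta(hours=24), timedelta(hours=24),
              timedelta(days=7), datetime(2023, 10, 22, 1, 0), None),  # vendor "backs you up" weekly, never tested
]


def run_assessment(inventory: List[BackupJob] = INVENTORY,
                   incident_time: datetime = INCIDENT) -> List[Finding]:
    return [assess(job, incident_time) for job in inventory]


if __name__ == "__main__":
    for finding in run_assessment():
        print(f"{finding.system:24} {'OK' if not finding.issues else 'ACTION'}")
        for issue in finding.issues:
            print("    -", issue)
```

Run it and the EHR database shows a 12h30m loss against a 4h target, the imaging server has nothing to restore at all, and the vendor snapshot fails both RPO and an untested RTO; only the hourly mail archive passes. The two numbers that matter for the plan are `data_lost` (what staff will have to recreate from paper) and the tested restore time (how long they will be on paper), which is why the check refuses to treat an untested backup as meeting any RTO.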

Allscripts’ Ransomware Attack

[30:05] Allscripts was down for weeks in 2018 due to a ransomware attack. The cloud version of their EHR was hit hard and was shut down. For other customers, only some things were affected. It also impacted cloud-hosted services that the server version connects to. So, parts of the server version systems were down as well. Still, some customers utilize the server version of the EHR and have Allscripts back up their data, so that if their server goes down, Allscripts can spin up the cloud version of the EHR and they are right back in business. In this situation, that wasn’t possible. So, basically, their recovery plan was down.

Customers describe the impact of the Allscripts ransomware attack

This article includes blurbs of what customers had to say about the Allscripts ransomware attack and how it impacted them. Some comments from Allscripts customers conveyed how this incident affected patient safety and patient care for their practice, how it was embarrassing to them as a practice even though they did not cause it, how they were being forced to provide sub-par patient care, and how communication was lacking during the process. Needless to say, Allscripts was dealing with a nightmare situation, but it quickly spread to their customers.

Listen folks, moving your systems to the cloud will NOT make you more protected and secure from these types of threats. It simply shifts the risks and liabilities. You are NOT handing those risks off completely.

Financial Account Info Leaked in Cyber Attack

[39:26] AvidXchange, a major financial vendor based in Charlotte, NC, had a breach and didn’t tell anyone about it for 7 months. Customer information, including account numbers and PINs, was in someone else’s hands for those 7 months. There were reports of money being drafted out of bank accounts unbeknownst to the account holder. In some situations the money could not be recouped.

Bank account numbers & PINs leaked in cybersecurity attack at Charlotte-based AvidXchange

So, needless to say, the vendor’s cyber attack was contagious to many customers. And if that’s not scary enough, this attack happened 7 months before the company disclosed it to the public. Wow!

It is clear that nightmares can be contagious! It is essential to have a comprehensive business continuity plan that considers incidents vendors might have, not just within your own organization. Incident response is an ongoing process that requires assembling the right people and resources and having a well-executed plan in place.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
