
ASPR TRACIE – Readiness and Response Planning – Ep 322 

September 17, 2021

By Donna Grindle

ASPR TRACIE

You know how we love to pass along guides and resources that can help you improve your organization’s privacy and security programs. Today, we are going to review a recent resource guide put out by HHS’ ASPR TRACIE office called Healthcare System Cybersecurity – Readiness and Response Considerations. This guide is packed with very helpful tips, best practices, and resources surrounding cybersecurity and responding to cyber incidents. And it’s FREE!


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.

Great idea! Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA



ASPR TRACIE – Readiness and Response Planning

[09:42] HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) has sponsored the Technical Resources, Assistance Center, and Information Exchange (TRACIE) since 2015. ASPR TRACIE is an online resource designed to help healthcare facilities understand how to reduce the risk associated with cyber events, including how to care for patients and keep the business up and running during such an event. This publication was released in February 2021 and is very much worth a look for the tips and tools it offers every organization.

Healthcare System Cybersecurity: Readiness & Response Considerations

We like how this guide is laid out. There are sections on preparedness and mitigation, a section on response, and a section on recovery. Does this sound familiar? Maybe like the NIST Cybersecurity Framework we talk about so often? As a matter of fact, the document does follow NIST and recommends that organizations utilize it. It also references the HICP 405(d) practices. We’ve said many, many times that you need to have a plan. This is a very comprehensive guide to help you create an effective plan to respond to cybersecurity events.

IT Incident Response Planning

[16:37] The guide begins with IT Incident Response Planning, where it recommends incorporating basic IT preparedness principles into the planning process, including:

  • Understand historical healthcare-related attacks and the subsequent lessons learned.
  • Have an incident response plan and practice and update it regularly.
  • Implement cybersecurity digital infrastructure checklists into operational protocols.
  • Ensure enterprise and individual facilities, emergency managers, and IT teams plan collaboratively.
  • Implement cyber-hygiene programs and employee education drills to prevent successful attacks.
  • Identify clinical and non-clinical operational vulnerabilities within facilities.
  • Identify and understand how to engage with critical external partners such as Healthcare Coalition (HCC) stakeholders.

Cybersecurity Readiness

So, maybe what they are saying here is that you can’t treat the easy risk analysis, IR, and BC/DR as check-the-box items? Maybe you need to look at the issue in a much broader context than just HIPAA compliance?

Effective mitigation of cyberattacks relies on careful planning by the facility or health system’s IT team in conjunction with facility leadership, providers, and ancillary departments. Comprehensive routine evaluations of the facility or health system across departments and systems can provide insight into their interdependencies and expose vulnerabilities to address.

We are actively trying to figure out how to successfully get the resources they reference here.

Federal cybersecurity services are available at no cost to all entities. Smaller facilities, rural health centers, or others with limited IT resources in particular may explore free cyber hygiene services provided by the Cybersecurity and Infrastructure Security Agency (CISA) to identify any system vulnerabilities, evaluate resilience, and stay current on cyber practices.

Routine Mitigation

This sounds familiar. It basically means go to the cloud, but don’t assume that takes a few clicks and then you are done worrying about security.

Modernize legacy systems and move towards virtualized data centers and cloud-based services. Give special consideration to securing cloud-based systems and understanding the unique risks associated with virtualized environments.

Key elements in the communication and collaboration section:

  • Identify and set up a knowledge center capability (or other incident management system or response document library) to serve as an information repository. Ensure staff are trained on how to use the system (e.g., accessing specific functions, uploading/downloading documents). Consider conducting a demonstration to review where vital information will be held, what functions are available, and limitations or restrictions.
  • Test connectivity to collaboration platforms and document libraries from alternate locations prior to an incident to troubleshoot issues. Proactively resolve connectivity and access issues. Ensure instructions for use and access are available offline and in print.
  • Have a contingency plan for loss of email and voice communications systems such as VoIP lines (two alternatives would ensure redundancy).

The guide goes on to include cybersecurity exercises (giving you exercise scenarios along with exercise frequency and engagement recommendations), downtime principles (discussing how to define downtime and how to prepare your workforce for downtimes), and of course recommendations on things to consider during your response to a cybersecurity event.

Let’s just say we cannot stress enough the value of everything that’s in this ASPR TRACIE guide. It even includes forms and checklists, and it makes you think about what you have in place. Take the time to read through this 30-page guide. I assure you that you’ll find very valuable information in it to include in your own preparedness and response plans.

Stick with us because we’re going to talk about National Cybersecurity Awareness Month and more about freely available resources to build your cybersecurity, privacy, and security culture.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
