37% of Healthcare Organizations Do Not Have a Security Incident Response Plan
A recent survey of IT professionals has revealed that 37% of healthcare organizations* do not have a security incident response plan in place, despite it being a requirement of HIPAA. The risk of a security incident has never been greater as cyberattacks on healthcare organizations and their business associates are occurring at record levels. The survey also revealed that 1 in 3 healthcare organizations have experienced a data breach in the past 3 years, and 42% of respondents said they had experienced a ransomware attack. Almost half (48%) of attacks impacted customer data and 1 in 4 attacks impacted patient care.
The main causes of attacks were malicious hacking (41%), malware (39%), social engineering and phishing (37%), software vulnerabilities (36%), employee errors (30%) and compromised credentials (24%). Incident response plans should cover all these types of attacks, and staff training is vital. Staff members should be provided with IT security and data privacy training to reduce the risk of a data breach, yet the survey revealed that 74% of healthcare organizations spent less than 5 hours on training and 35% spent less than 2 hours.
HIPAA and Incident Response Plans
HIPAA requires covered entities and their business associates to develop and implement security incident procedures and a contingency plan that can be immediately activated in the event of a security incident (45 CFR § 164.308(a)(6)(i)-(ii) and (a)(7)(i)-(ii)).
The purpose of the incident response plan is to ensure that the HIPAA-regulated entity can respond rapidly and efficiently to a security incident, which will limit the harm caused and allow recovery in the shortest possible time frame. The contingency plan is a set of policies and procedures for responding to an emergency or other occurrence that damages systems that contain electronic protected health information.
The incident response plan should include a formal definition of what constitutes a security incident along with severity ratings and prioritization protocols. The plan should define roles and responsibilities and identify the individuals/teams responsible for each task in the plan, along with contact and on-call information for those individuals, as well as for any third parties that will be required to assist with the incident response. There should also be a documented communications plan and protocols, playbooks specific to the organization and for different types of incidents (phishing attacks, ransomware, loss/theft, unauthorized access, insider incidents, etc.), and the reporting requirements under HIPAA and other federal and state laws.
Incident response plans need to be developed in advance and tested through tabletop exercises involving members of each department involved in the breach response. Problems can be identified and corrected to ensure an efficient response to a real security incident. The incident response plan should be revised and re-tested after each security incident to address any problems experienced during the breach response. In October 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) published a useful PDF that summarizes incident response requirements and makes recommendations to help healthcare organizations and their business associates develop effective incident response plans.
If a security incident response plan has not been developed and regularly tested, valuable time will be lost and it is unlikely that the response will be efficient, resulting in a longer recovery, greater financial losses, and delayed notifications to the affected individuals, placing them at a greater risk of identity theft and fraud.
The failure to develop, implement, and test a security incident response plan can also result in regulatory fines. The Office for Civil Rights investigates all breaches of 500 or more records and has imposed financial penalties for security incident response failures. In 2022, Oklahoma State University – Center for Health Sciences agreed to settle with OCR and paid a $875,000 penalty to resolve alleged HIPAA violations, including security incident response failures. In 2022, OCR settled alleged HIPAA violations with CHSPSC LLC for $2,300,000, including a lack of security incident response procedures, and in 2019, Touchstone Medical Imaging paid $3,000,000 to resolve alleged HIPAA violations, including the failure to respond to a security incident.
*The 2024 Healthcare Data Security Survey was conducted on 296 individuals at U.S. healthcare organizations with IT management, data security, data management, or security training or audit responsibilities by Software Advice.

