The number of cyberattacks is on the rise, and healthcare providers are a prime target. These attacks often come through third-party vendors, increasing the risk for healthcare organizations. Healthcare providers often rely on a complex network of vendors and subcontractors.
This interconnectedness means a cyberattack on a vendor can easily migrate through the entire healthcare system, as the Change Healthcare incident demonstrates.
Here are key steps healthcare organizations should take when a vendor experiences a cyberattack:
Assemble Your Response Team
- Gather your response team, including a lawyer specializing in data breaches.
- Legal guidance is crucial from the start, and attorney-client privilege can protect early discussions. Also consider contracting a data forensics expert and a communications team.
Investigate and Assess the Situation
- In the initial chaos, it’s tempting to react hastily. Don’t rush into action. It’s crucial to gather as much information as possible about the attack before reacting.
Focus on gathering facts:
- What type of attack happened?
- Which vendor was affected?
- What data might be compromised?
- What are the potential risks?
- While complete information may be elusive, gathering the available facts will help you navigate the uncertainty.
Implement Existing Plans
- Activate your organization’s incident response and disaster recovery plans.
- Focus on protecting critical systems, functionalities, and data needed for core operations.
Analyze and Report
- Identify legal reporting requirements triggered by the incident, including HIPAA and other regulations.
- Depending on the severity, you may need to notify patients, regulators, or other stakeholders.
- Consider seeking legal or operational support to help navigate the complexities of managing communications and notifications.
Review Contracts
- Analyze relevant contracts with affected vendors.
- Look for details on notification requirements, termination clauses, and indemnification provisions.
- Be prepared for potential contract disputes arising from the cyberattack.
Learn from the Experience
- Cyber threats are constantly evolving. Use this incident as a learning opportunity to evaluate your internal security posture.
- Could the attack have impacted your organization in unforeseen ways?
- Should you conduct additional internal reviews or revise your existing risk assessments and response plans? Absolutely!
The Bottom Line
Cyberattacks are a constant threat, and healthcare organizations must be prepared. Develop and regularly update your incident response and disaster recovery plans. Proactive preparation and a measured response are critical for navigating the challenges of a cyberattack. By having a plan in place and learning from incidents, healthcare providers can minimize the impact of a vendor cyberattack and protect patient data.
Modevity Vendor Risk Management as a Service helps organizations mitigate varied company and regulatory risks. It uses powerful database technology, AI, and vendor assessment automation with continuous monitoring to provide real-time reports that identify risks when conducting business with vendors across varied departments or operations.
Contact Information
Thomas J. Canova
Co-Founder, Chief Marketing Officer
Modevity, LLC
610-251-0700