Healthcare Organizations and Vendor Cyberattacks: A Guide to Preparation and Response

The number of cyberattacks is on the rise, and healthcare providers are a prime target. These attacks often come through third-party vendors, increasing the risk for healthcare organizations. Healthcare providers often rely on a complex network of vendors and subcontractors.

This interconnectedness means a cyberattack on a vendor can easily spread through the entire healthcare system, as the Change Healthcare incident demonstrates.

Here are key steps healthcare organizations should take when a vendor experiences a cyberattack:

Assemble Your Response Team

  • Gather your response team, including a lawyer specializing in data breaches.
  • Legal guidance is crucial from the start, and attorney-client privilege can protect early discussions. Also consider contracting a data forensics expert and a communications team.

Investigate and Assess the Situation

  • In the initial chaos, it’s tempting to react hastily. Don’t rush into action. It’s crucial to gather as much information as possible about the attack before reacting.

Focus on gathering facts

  • What type of attack happened?
  • Which vendor was affected?
  • What data might be compromised?
  • What are the potential risks?
  • While complete information may be elusive, gathering the available facts will help you navigate the uncertainty.

Implement Existing Plans

  • Activate your organization’s incident response and disaster recovery plans.
  • Focus on protecting critical systems, functionalities, and data needed for core operations.

Analyze and Report

  • Identify legal reporting requirements triggered by the incident, including HIPAA and other regulatory requirements.
  • Depending on the severity, you may need to notify patients, regulators, or other stakeholders.
  • Consider seeking legal or operational support to help navigate the complexities of managing communications and notifications.

Review Contracts

  • Analyze relevant contracts with affected vendors.
  • Look for details on notification requirements, termination clauses, and indemnification provisions.
  • Be prepared for contract disputes that may arise from the cyberattack.

Learn from the Experience

  • Cyber threats are constantly evolving. Use this incident as a learning opportunity to evaluate your internal security posture.
  • Could the attack have impacted your organization in unforeseen ways?
  • Should you conduct additional internal reviews or revise your existing risk assessments and response plans? Absolutely!

The Bottom Line

Cyberattacks are a constant threat, and healthcare organizations must be prepared. Develop and regularly update your incident response and disaster recovery plans. Proactive preparation and a measured response are critical for navigating the challenges of a cyberattack. By having a plan in place and learning from incidents, healthcare providers can minimize the impact of a vendor cyberattack and protect patient data.

Modevity Vendor Risk Management as a Service supports organizations by mitigating varied company and regulatory risks. It uses powerful database technology, AI, and vendor assessment automation with continuous monitoring to provide real-time reports that identify risks when conducting business with vendors across varied departments or operations.

Contact Information

Thomas J. Canova

Co-Founder, Chief Marketing Officer

Modevity, LLC

610-251-0700

tomc@modevity.com

www.modevity.com

 
