As the U.S. Centers for Medicare and Medicaid (CMS) tightens its focus on cybersecurity efforts and urges providers to follow suit, it’s a good time to take a critical look at your organization’s Cybersecurity Breach Plan.
On July 12, CMS ended a temporary relief program to help providers impacted by one of the most widespread cyber attacks the U.S. healthcare industry has experienced. The Change Healthcare/Optum Payment Disruption (CHOPD) Program paid billions in advance and accelerated payments to providers after a ransomware attack shut down Change Healthcare’s operations earlier this year.
In making the announcement to end CHOPD payments, CMS directed providers to enhance their cybersecurity efforts with stronger cybersecurity measures.
Industry leaders are in agreement that CMS, the Office of Inspector General (OIG) and other federal watchdogs will continue to focus attention on cybersecurity, increasing the need for compliance in security matters. Although the Change Healthcare incident was a serious wake-up call, many providers haven’t done enough to address the serious and growing risk of cyberattacks.
Considerations for an effective Cybersecurity Breach Plan
Not sure whether your organization’s Cybersecurity Breach Plan is solid and up to date?
Here are a few pointers to consider.
A solid Cybersecurity Breach Plan addresses these questions.
Your organization’s Cybersecurity Breach Plan should offer detailed directions for ensuring safe and effective organizational responses to and recovery from significant cybersecurity incidents.
At a minimum, it will set out standardized procedures to adequately address questions such as how your organization will:
- Contain any successful cybersecurity attacks
- Eliminate the threat from the environment
- Recover systems or data that may have been impacted by the attack
There’s no one-size-fits-all approach for a Cybersecurity Breach Plan.
There are many types of cybersecurity attacks. An effective Cybersecurity Breach Plan will address all known types of attacks with appropriate procedures. Procedures to respond to a phishing attack, for example, will differ from the response to a system intrusion or a ransomware attack.
An effective Cybersecurity Breach Plan will detail the procedures required for each type of attack, with step-by-step instructions.
The Plan should also address your organization’s unique concerns and issues and detail procedures that will impact your unique operations, outlining important alternate plans.
As an example, if your organization is a Certified Community Behavioral Health Center operating with Designated Collaborating Organization (DCO) agreements with other healthcare providers in your community, your Plan should address the steps to be taken to notify and contain the spread of an attack to each of your specific DCO providers. Detail the person or persons to be notified of the breach and the specific steps to be followed.
On the flip side, your Plan should also reflect how your organization will respond in the event one of your DCO providers is attacked. What are the specific steps to be followed? If the DCO’s operations are impacted by an attack, how will your organization continue to provide emergency services in the interim? Is there a backup in place?
What about claims processing? Does your organization have a backup plan in place for handling a shutdown in case of another operational shutdown similar to the one that occurred when Change Healthcare was attacked?
A risk analysis can identify vulnerabilities.
The foundation for a solid Cybersecurity Breach Plan is an independently conducted risk analysis to determine potential threats and vulnerabilities in an organization’s systems, the likelihood of an attack, and where better controls may be needed.
In addition to identifying cybersecurity risks within the organization, a risk analysis can assess third parties and vendors to determine whether adequate cybersecurity protocols are in place.
Don’t overlook cash flow consideration.
One of the vulnerabilities identified in the Change Healthcare attack was the impact of cash flow on smaller organizations. Significant operational shutdowns and delays due to cyberattacks can wreak havoc on providers without the resources to keep the lights on and meet payroll when disruptions occur. The viability of smaller providers could be threatened by outages of 30-60 days or more.
An organization’s Cybersecurity Breach Plan should address how these types of shutdowns will be handled, and cash flow impediments will be handled.
Learn more about developing an effective Cybersecurity Breach Plan here.
Detailed guidelines, templates, and resources for developing an effective Cybersecurity Breach Plan are available on the Health and Public Health (HPH) Cyber Performance Goals website at https://hphcyber.hhs.gov/performance-goals.html.
SimiTree can help.
The experienced compliance experts at SimiTree help clients mitigate security risks, develop effective and compliant policies, and create solid, dynamic plans mapping out the specific procedures to be followed in case of attack.
Our detailed risk assessments pinpoint specific vulnerabilities in your organization, and our certified experts can help you bridge those weaknesses with solid, step-by-step action plans to shore up security. We’ll help you put together a solid Cybersecurity Breach Plan and address any other compliance needs. Our consultants see the interconnected nature of privacy, compliance, regulatory, and quality goals, and we can make a difference.
Reach out to us today, and let’s work together to shore up compliance and improve performance at your organization.
Your questions matter! Tell us what to write about.
Rapidly changing regulations are impacting all behavioral health providers and creating many areas of uncertainty for providers. We want to address the questions that matter most to you in this weekly space.
Ask your compliance questions – or request the specific topic you’d like more information about – by writing to me at jgriffin@simitreehc.com to let me know what you’d like to read about in a future Compliance Report.
Make sure you’re subscribed.
It's more important than ever to stay abreast of compliance issues in 2024 -- and I don’t want you to miss any of my Weekly Compliance Reports. Be sure to add your name to the subscription list here.
Why not invite the compliance officers you know to sign up as well?
_________________________________
J’non Griffin serves as Senior Vice President/Principal for the Compliance as well as Coding divisions at SimiTree. Her healthcare career spans three decades of clinical and leadership experience, and she has a track record of helping many provider types implement effective compliance programs. She is a certified ACHC and CHAP consultant and holds additional certifications in diagnosis coding and other healthcare specialties. As an AHIMA ambassador, she was instrumental in the implementation of ICD-10.