HSCC Publishes Coordinated Healthcare Incident Response Plan Template

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has published a Coordinated Healthcare Incident Response Plan (CHIRP) that can be used as a template by healthcare organizations to develop a coordinated cybersecurity incident response plan.

Given the frequency of cyberattacks on the healthcare sector and the harm that these incidents can cause, it is vital for healthcare organizations to develop, implement, maintain, and test an incident response plan. In the event of a cyberattack, the incident response plan can be initiated immediately to limit the harm caused and help ensure a rapid recovery.

There are several resources available on the technical response process to a cybersecurity incident, and while these resources provide guidance on the technical aspects of the response, such as detection, containment, response, and recovery, they do not deal with the impact of an attack on patient care and patient safety. Healthcare organizations have emergency plans to ensure business continuity and patient care in the event of IT outages and natural disasters; however, these plans may not be totally effective when responding to a cyberattack.

The new HSCC resource is intended to help address the gaps many healthcare organizations have in their incident response plans. The CHIRP is a tool that can be used as a starting point when developing an effective incident response plan, which can be tailored to meet the needs of each organization. “Healthcare Delivery Organizations have many of the parts and pieces needed to respond to a cybersecurity incident, but guidance is missing on how to tie all of these separate components together. This template seeks to serve as the cog that can be installed in the machine to allow all of the components to run together as a Coordinated Healthcare Incident Response Plan.”

The template is a guiding document that includes sample content to help incident response plan managers understand the purpose of each section when completing their own planning work. That sample content can be replaced as necessary based on the needs of each organization. The template should be used in conjunction with the HSCC’s Health Industry Cybersecurity Operational Continuity – Cyber Incident (HIC-OCCI) publication.

The template guides plan managers through incident identification, response, IT system recovery, operations and emergency management, communications, and legal and risk management, and has been developed to be easily customized to suit organizations of all types and sizes. The guidance helps healthcare organizations tie together existing business continuity, organizational, and disaster recovery plans, and downtime procedures to ensure an efficient, coordinated response to any cybersecurity incident.

The post HSCC Publishes Coordinated Healthcare Incident Response Plan Template appeared first on HIPAA Journal.

11 Million+ HCA Healthcare Patients Affected by Recent Cyberattack

Nashville, TN-based HCA Healthcare, the largest health system in the United States with more than 180 hospitals and 2,300 healthcare sites, has announced that an unauthorized individual had obtained the protected health information of patients. While the total number of affected individuals has not yet been confirmed, the breach is understood to have affected 11 million+ patients, which would make this the joint third-largest healthcare data breach to be reported by a HIPAA-regulated entity.

Largest Healthcare Data Breaches

Name of Covered Entity               Year  Covered Entity Type  Individuals Affected  Type of Breach
Anthem Inc.                          2015  Health Plan          78,800,000            Hacking/IT Incident
American Medical Collection Agency   2019  Business Associate   26,059,725            Hacking/IT Incident
HCA Healthcare                       2023  Healthcare Provider  11,000,000+           Hacking/IT Incident
Premera Blue Cross                   2015  Health Plan          11,000,000            Hacking/IT Incident
Excellus Health Plan, Inc.           2015  Health Plan          9,358,891             Hacking/IT Incident

On July 10, 2023, HCA Healthcare announced that hackers had gained access to an external storage location that was used to automatically format emails such as patient appointment reminders and emails alerting patients about HCA Healthcare programs and services. While the investigation into the data breach has not yet concluded, the compromised data lists contained 27 million rows of data, which included the protected health information of approximately 11 million patients who received care at HCA hospitals and doctors’ offices in 20 U.S. states.

The information in the data lists included name, address (city, state, zip code), email address, phone number, date of birth, gender, date(s) of service, location of service(s), and next appointment date. No clinical information, financial information, or Social Security numbers are believed to have been compromised. The data related to individuals who received healthcare services in Alaska, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana, Missouri, Mississippi, Nevada, New Hampshire, North Carolina, South Carolina, Tennessee, Texas, Utah, or Virginia. HCA Healthcare has published the full list of affected facilities.

HCA Healthcare said the storage location was immediately disabled when the breach was discovered and an investigation was launched into the attack, with assistance provided by third-party cybersecurity and digital forensics experts. HCA Healthcare said the incident had no impact on patient care and that it is not expected to have any impact on its business, operations, or financial results. HCA Healthcare will issue notification letters when the affected individuals have been identified and contact information has been confirmed. Complimentary credit monitoring services are being offered to the affected individuals.

The individual behind the attack listed the data for sale on a dark net marketplace and gave HCA Healthcare until July 10, 2023, to meet its demands. HCA Healthcare’s announcement coincided with that date, but it is unclear whether the hacker’s demands were met, or what those demands were. HCA Healthcare confirmed in its initial breach notice that, “a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum,” and said the information was posted online on July 5, 2023. HCA Healthcare said it is unaware of any misuse of patient data at this time.

Since highly sensitive information does not appear to have been compromised, affected individuals may not face an immediate risk of identity theft or fraud; however, the exposed contact details, locations of service, and next appointment dates are exactly what an attacker needs to impersonate HCA Healthcare convincingly, so affected individuals could be subject to phishing attacks and email/telephone/SMS scams. They should exercise caution, especially with email attachments, hyperlinks in emails and SMS messages, and phone calls where sensitive information is requested.

HCA Healthcare said it has “several robust security strategies, systems, and protocols in place to help protect data,” and has an ongoing education program for its colleagues, physicians, vendors, and others to maintain awareness of safe practices to help ensure compliance and the security of patient data.

The post 11 Million+ HCA Healthcare Patients Affected by Recent Cyberattack appeared first on HIPAA Journal.