Establishing and maintaining effective systems to protect sensitive personal data and confidential business information from outside interference, while also assuring that privacy interests are protected, is among an organization’s highest priorities. Our security and privacy team at Epstein Becker & Green has written extensively about the guidance and best practices issued by federal and state regulatory and enforcement agencies. Executing, monitoring and continually updating these preventive practices defines an organization’s first line of defense. But what happens in the event that an organization actually suffers a breach? Is there guidance available, particularly to healthcare organizations, for business continuity and disaster recovery (BC/DR) planning directed towards assuring resilience and recovery in the event of a potentially disastrous cyberattack?

Recently, the Healthcare and Public Health Sector Coordinating Council (HPHSCC) released an Operational Continuity-Cyber Incident (OCCI) checklist to help healthcare organizations preserve operational continuity while recovering from a cyberattack. This guidance comes at a critical time of increasing cybersecurity risk to U.S.-based healthcare institutions. Indeed, a dramatic uptick in cyberattacks, ransomware in particular, coupled with the increased cost of recovering from them, underscores that resiliency, continuity and disaster planning are now more important than ever. Nevertheless, while it is clear that in the healthcare arena “an ounce of prevention” may be worth “a pound of cure”, many organizations still struggle with how to implement or update their contingency plans.

Growing Cyber Risk in the Wake of the Russia-Ukraine Conflict

Over the past few years, the Cybersecurity and Infrastructure Security Agency (CISA) has tracked the activities of malicious hackers and has found that healthcare and public health organizations increasingly have become prime targets of cyberattacks involving malware (most often ransomware), data theft, and the disruption of healthcare services. While we have described this enhanced risk previously, the ongoing Russian invasion of Ukraine, and its regional and world economic effects, has, according to CISA just last month, exposed organizations to even greater increases in attacks from state-controlled cyber actors. The American Hospital Association has echoed the need for healthcare organizations to take extra precautions in light of this magnified threat.

Detrimental Impacts on Healthcare Organizations

It is a truism that cyberattacks can cause significant operational disruption, financial stress, and even patient harm. Recent experience highlights the fact that the risk of these damaging outcomes has been enhanced by the healthcare sector’s increasing reliance on digital infrastructure and solutions. Many healthcare organizations have implemented specialized and interconnected information technology systems that include electronic health records, e-prescribing solutions, practice management tools, and clinical decision support algorithms — any of which might be vulnerable to a cybersecurity attack. Technology system vulnerability has been magnified during the COVID-19 pandemic which has greatly stimulated healthcare organizations to embrace the Internet of Things and deploy remote monitoring solutions that are also vulnerable to attack.[1]

Healthcare Security Regulations Provide Limited Guidance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides a helpful launching point for healthcare organizations to build out their contingency, resilience and recovery policies and procedures. Indeed, such planning is mandated by the HIPAA Security Rule, whose contingency plan standard (45 CFR 164.308(a)(7)) requires, among other things, a data backup plan, a disaster recovery plan, and an emergency mode operation plan, all aimed at ensuring that healthcare organizations safeguard the confidentiality, integrity, and availability of the organization’s Protected Health Information as they expeditiously recover from an attack. Organizations seeking to develop these plans also would benefit from implementing the “Recognized Security Practices” referenced in the January 2021 amendment to the Health Information Technology for Economic and Clinical Health Act (HITECH). As we previously have described, the amended HITECH Act directs the Department of Health and Human Services to “consider certain recognized security practices of covered entities and business associates when making certain determinations” regarding fines, audit results, or other remedies for resolving potential violations of HIPAA. The adoption of these best practices therefore provides an actionable incentive to healthcare organizations.

The OCCI checklist is designed “to provide a flexible template for operational staff and executive management to respond to and recover from an extended enterprise outage due to a serious cyberattack”. The checklist has value to organizations of all sizes and complexity—whether a small physician group, a regional urgent care clinic, or a national hospital system. To serve these diverse entities, the checklist is separated into ten role-based modules that align with the Incident Command System, while also allowing an organization to refine or modify a module to align with its size, resources, and capabilities. These role-based modules describe the leadership functions required during the initial twelve hours following a cybersecurity incident:

  • Incident Commander, who provides overall strategic direction on all site-specific response actions and activities.
  • Medical-Technical Specialist (Subject Matter Expert/Advisor), who advises the Incident Commander or Section Chief on issues related to response; and provides understanding and communicates specific impact and recommendations given their area of expertise.
  • Public Information Officer, who serves as the conduit for information to internal and external stakeholders, including site personnel, visitors and families, and the news media, as approved by Cybersecurity, the IS/IT Section Chief and the Incident Commander.
  • Liaison, who coordinates external partner communication with the Public Information Officer, the Medical-Technical Specialist, and the IS/IT Section Chief.
  • Safety Officer, who identifies, monitors, and mitigates safety risks to patients, staff, and visitors during a prolonged large-scale outage.
  • Operations Section Chief, who develops and recommends strategies and tactics to continue clinical and non-clinical operations for the duration of the incident response and for recovery.
  • Planning Section Chief, who oversees all incident related documentation regarding incident operations and resource management; initiates long range planning; conducts planning meetings; and prepares the Incident Action Plan for each operational period.
  • Finance Section Chief, who monitors the utilization of financial assets and the accounting for financial expenditures; and supervises the documentation of expenditures and cost reimbursement activities.
  • Logistics Section Chief, who organizes and directs the service and support activities needed to ensure that the material needs for the site’s response to an incident are available when needed.
  • Intelligence (IS/IT) Section Chief, who provides technical response, continuity, and recovery recommendations; partners with cybersecurity to inform incident response decisions and activities; and coordinates intelligence and investigation efforts.

Attorneys with Epstein Becker & Green’s Privacy, Cybersecurity & Data Asset Management Group are well-positioned to assist organizations of all sizes through the entire lifecycle of BC/DR policy development, implementation, and response. For additional information about the issues discussed above, or if you have any other privacy, cybersecurity, and data asset management concerns, please contact the Epstein Becker & Green attorney who regularly handles your legal matters, or one of the authors of this blog post.


[1] See Internet of Things (IoT) enabled healthcare helps to take the challenges of COVID-19 Pandemic, Journal of Oral Biology and Craniofacial Research (January 30, 2021).
