Disasters come in many forms, from cybersecurity emergencies and public relations to fires and tropical storms. Not planning ahead can put your practice in physical and legal jeopardy and expose your patients to sensitive information breaches and identity theft. This presentation will show you: 1. What types of disasters your practice or facility is vulnerable to 2. How to identify all the ways disasters can impact your practice 3. Best practices for developing processes and checklists to avoid disasters 4. Effective responses to quickly recover in the event of a disaster CONTACT US: Danna-Gracey Phone: 800.966.2120 Fax: 561.276.6545 Email:info@dannagracey.com

1. Disaster Recovery for
Healthcare Practices
and Facilities
Matt Gracey & Steve Whalen
800.966.2120
info@dannagracey.com

2. Disasters come in many forms, from cybersecurity emergencies and public relations to fires,
tropical storms and hurricanes. Not planning ahead can put your practice in physical and
legal jeopardy and expose your patients to sensitive information breaches and identity
theft.
Today we will discuss:
• What types of disasters your practice or facility are vulnerable to
• How to identify all the ways disasters can impact your practice
• Best practices for developing processes and checklists to avoid disasters
• Effective responses to quickly recover in the event of a disaster
Disasters and Your Practice

3. What are some the consequences
of lost data due to a disaster?
• Risk of losing data required for patient care that can have life-or-
death consequences
• Losing credibility and reputation. Your practice could be at
great risk of losing hospital/physician clients
• Financial losses from lost business and costly processes to
recover data
• Litigation costs can be significant if patients sue the healthcare
provider or a hospital sues its service providers
• HIPAA penalties for non-compliance

4. HIPAA Disaster Recovery Plan
(7) (i) Standard: Contingency plan. Establish (and implement as needed)
policies and procedures for responding to an emergency or other occurrence (for
example, fire, vandalism, system failure, and natural disaster) that damages
systems that contain electronic protected health information.
(ii) Implementation specifications:
(A) Data backup plan (Required). Establish and implement
procedures to create and maintain retrievable exact copies of electronic
protected health information.
(B) Disaster recovery plan (Required). Establish (and implement as
needed) procedures to restore any loss of data.
(C) Emergency mode operation plan (Required). Establish (and
implement as needed) procedures to enable continuation of critical
business processes for protection of the security of electronic protected
health information while operating in emergency mode.
(D) Testing and revision procedures (Addressable). Implement
procedures for periodic testing and revision of contingency plans.
(E) Applications and data criticality analysis (Addressable).
Assess the relative criticality of specific applications and data in support
of other contingency plan components.

5. •Fire
•Storms
•Floods
•Tropical Storms and
Hurricanes
Natural
Disasters

6. Prevention measures
• Follow manufacturers’ recommendations for maximum volt/wattage
load for surge protectors, power strips and adapters
• Replace frayed power cords; never run them under rugs or carpeting
• Unplug appliances and other equipment not in use at the end of the
day and over the weekend
• Store hazardous materials according to manufacturers’ instructions
and OSHA regulations
• Don’t prop fire doors open or block exits with furniture or boxes
• Don’t allow paper and other trash to accumulate outside of garbage
or recycling receptacles
• Never store paper or trash near hot equipment, electrical outlets or
designated smoking areas
• Don’t permit employees to burn candles, scented oils, etc.
• Test alarms and check extinguisher regularly; replace/recharge
immediately when indicated
• Use only licensed electricians if you are having any work done
Fire proof cabinets for medical records
All electronic data backed-up securely off site
Fire Prevention and Safeguarding

7. Hurricane Season – What to do and When to do it
Before hurricane season (started June 1st
)
• Beat the rush - stock up on non-perishable supplies
• Review procedural plans and checklists
• Review your post storm plan of action, modify as needed
When a storm hit seems likely
• Keep a watchful eye
• Cash, fuel, personal plans made
• Set a contingency plan and a time line for action
• Begin to go through procedural checklist, get things in order
When a storm watch is issued – Conditions are a threat within 48 hours
• Decide on your course of action.
• Notify patients on status of upcoming appointments
• All employees should be on a calling tree or notification system
• Begin preparations for the approaching storm
• Gather all important documents, licenses, insurance info, etc.
When a storm warning is issued – Conditions expected within 36 hours
• Contingency plan in action
• Have your post-storm plan of action, share with staff

8. Computers, Telephones, Fax machines, printers, copiers
and other Electronic Equipment
•Disconnect computer, monitor, keyboard, mouse, from each
other and unplug the network cable and wall power outlets.
•Unplug the network cable and wall power outlets on all devises.
•If not already mounted above the floor, move any PC equipment
off the floor at least 10 feet from a window.
•Wrap each device in plastic and mark it with an identifiable
name.
Miscellaneous desktop items
•Remove all papers, books, and loose items from your desk.
•Place these materials in a box or Rubbermaid type container
marked with your name and store it off the floor in a safe place.
Storm Prep Example:
Preparing Your
Workspace

9. Post-Disaster Checklist
 Contact employees regarding short-term and future actions
 Secure all business and medical records
 In the event of loss of records requiring compliance with HIPAA
breach notification — notify medmal carrier, patient, ad in paper
and within 1 year notify government
 http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotifica
 Damage assessment
 Not significant enough to cause a major business disruption
 Significant – relocation options
 Reroute mail and phone calls
 Notify your insurance carrier with an initial assessment.
 Keep an accounting of all damage-related costs. Such costs
might include:
 Mileage driven by employees
 Long-distance phone calls
 Equipment
 Mailing
 Leasing equipment

10. Post-Disaster Checklist continued
 Contact accountant or billing service and bank to
reconstruct financial records
 Conduct salvage operations. Keep damaged items until
seen by an insurance adjuster. Take pictures and record
everything
 Once the extent of the damage is known call a meeting of
all employees. Topics to be discussed should include:
 Damage assessment
 Status of employees
 Medical records access
 Financial resources
 Information processing
 Office space needs — temporary/permanent
 Immediate equipment needs
 Contacting patients and suppliers
 The next step - obtain temporary/permanent office space to
get up and running
 Address equipment needs for temporary office space
 Contact patients with operational status

11. Data
Disasters
• Data Breach
• Cyber Attacks
• PR/Reputation

12. • Data stolen from a bank quickly becomes useless once the breach
is discovered.
• Healthcare industry data can live a lifetime, including:
 Social Security numbers
 Patient health histories
 Up-to-date patient information
• Used for medical identity theft
• Fraudulent claims for valuable prescription drugs and medical
equipment
• Stolen patient data can fetch up to 50 times more than a social
security or credit card number
• The healthcare sector is uniquely vulnerable:
 Government regulations forced healthcare operations to adopt
electronic health records and other advances under the Patient
Protection and Affordable Care Act even if they weren't ready
to adequately invest in security
 Medical data are now being shared with many different types of
entities, extending access to medical records
Why Medical Records?

13. Theft
Trusted Users
• Careless Operators
• Hijacked Credentials
Mobile Devices
• Smart phones
• Tablets
Outsourced Providers
New Web 2.0 Technologies
• Blogs
• Social Media
• Networking Sites
Data Breach

14. Email Attachments
Portable Media
Visiting Malicious Websites
Downloading Files
Social Networking Sites
Social Engineering Attacks
Not Following Security Guidelines
and Policies
Cyberattacks

15. • October 2015 – A Florida-based cancer treatment
provider reported the theft of 2,213,597 patients’
medical records
• 13 Separate federal class-action lawsuits have
been filed
• November 2015 – A laptop containing 599 patient
records, which contained their PHI was stolen from an
unlocked hospital room at Lahey Hospital in
Massachusetts, The Department of Health and Human
Services fined them $850,000 after an investigation
uncovered a series of poor electronic PHI procedures.
• February 2016 – A Florida-based radiology practice
reported a breach of 483,063 patients’ medical records.
• April 2016 - A stolen laptop containing unsecured
medical records was reported by an Indiana-based
practice resulting in the loss of 205,748 patient records.
• Major Cyberattacks on healthcare grew 63% in 2016
It’s Only Going
to Get Worse

16. • Customer Notification: $1 - $2 (per person)
• Consulting Help for Forensic Research and Data
Recovery: $250 - $300 (per hour)
• Legal Fees: $400 - $600 (per hour)
• Credit Monitoring Subscriptions: $10 – $20 (per
person)
• Credit Card Reissuance Fee: $20 - $30 (per card)
• Information Hotlines for Customer Support: $5 +
(per call)
• In 2016, Healthcare Data Breach Was Calculated to
be $402 Per Record*
The Cost of a Breach
*Ponemon Institute's 2016 annual study

17. • Malicious software that encrypts data so
the user is blocked, and then requires a
ransom payment to unlock the data
• Payment is typically made via virtual
currencies such as bitcoins
• Simple ransomware may unlock the data
upon payment of the ransom demand,
but more vicious variants may never
unlock the data
• Organizations typically incur business
interruption expenses that are
significantly greater than the ransom
payment itself
• Trigger for HIPAA violations
Ransomware

18. • February 2016 – Hollywood Presbyterian Medical Center paid $17,000 in bitcoins
to hackers to regain network access after the criminals encrypted the hospital’s files
and demanded payment to allow the hospital to return to normalcy. The hospital’s
operations were disrupted for roughly 10 days.
• March 2016 – MedStar Health – A ransomware virus spread on MedStar Health’s
network, causing the 10 hospitals in MedStar and its 250 outpatient facilities to work
with paper records. They were forced to shut email and systems offline to prevent
the virus from spreading.
• May 2017 – “WannaCry” – Ransomware attack spread across hospitals, schools and
businesses in 150 countries. The “WannaCry” virus was the most dispersed attack of
its kind. Most notably, shutting down hospitals and resorting back to paper files,
slowing the flow of admitting patients by several hours and can present a potential
contingent bodily injury exposure.
Business Interruption Strategy
“Even the lowest-level staff can’t
communicate with anyone. You can’t
schedule patients, you can’t access records,
you can’t do anything,”

19. • Offsite routine secure backup – “The Cloud”
• 24/7/365 Security Monitoring
• Maintaining updated software and operating Systems
• Strict password policy
• Computer Acceptable Use policy
• Training employees to be aware of fake emails
• Endpoint Security & Encryption
• Network Security Policies
• Comprehensive Cyber Risk Insurance
What can you do
for protection?

20. What Does Cyber Insurance Cover?
• Claims Made by clients or employees
• Regulatory procedures
• Fines and penalties relating to privacy laws
• Cost to notify affected Individuals
• Cost to restore data/computer programs
Damaged by hackers/virus
• Business interruption and extra expense Due to a
breach
• Some policies include loss of money due to
hacking

21. • Your reputation is everything
PR and
Reputaion

22. Munoz was hoping his tweet would smooth
things over.
It didn’t go quite as well as he had hoped:
Oscar Munoz

24.  Weigh your response
 Don’t overreact
 Ask for equal time
 Use facts and figures and cite third party sources
 Let your advocates defend you
 Generate positive content where possible
 Ask yourself, is this an opportunity?
Managing Negative
Publicity

25. Be Prepared
You must ensure that critical systems are
identified and that there are plans in place
to recover if hit with a natural disaster or
a cyber attack.
Regulatory, technological and
environmental factors are raising the
importance of a comprehensive disaster
recovery strategy.
Resources at dannagracey.com
The consequences and risks are too great
to ignore.
Summary

26. Matt Gracey & Steve Whalen
800.966.2120 info@dannagracey.com
Disaster Recovery for Healthcare
Practices and Facilities