The recent Anthem breach may affect 80 million people. Employers who contracted with Anthem as an insurer (or as a third-party administrator for their self-insured plans) must now realize that defending their digital perimeter is not enough. Health insurance companies (and their brokers, TPAs, and other insurance support organizations) and large health/hospital systems, which are subject to myriad federal (HIPAA) and state privacy and security laws, are all vulnerable and should prepare now. You should assume that successful cyberattacks will occur, and you should create an effective cyber incident response plan and test it to be sure you are prepared for a breach.

What is a Cyber Incident Response Plan?

A cyberincident response plan is just what it sounds like: a contingency plan to guide you through a data breach. A typical plan covers the following phases:

  • prevention/protection
  • detection
  • analysis
  • response
  • resolution

Why Do You Need a Cyber Incident Response Plan?

You need a cyberincident response plan for one simple reason: companies that have such response plans handle data breaches better.

A cyberincident response plan limits damage by reducing recovery time and costs, and it maintains the confidence of vendors and customers. A well-tested cyberincident response plan gives you control by:

  • delineating clear roles and responsibilities across the organization, so you know who has decision-making responsibility;
  • mapping internal coordination and reporting, with documentation preapproved in advance (e.g., scripts for handling customer calls, correct notice templates, updated contact information; forensic and response firm contracts in full force and effect; and, if applicable to the organization, a detailed HIPAA “breach” investigation and notification procedure); and
  • ensuring that minor events do not snowball, by routinely monitoring systems and creating a culture of compliance through ongoing training, documentation, and change management.

What Can We Do to Help You?

We can help you the same way we help our other clients: by creating and stress-testing incident response plans before a data breach occurs, and by ensuring compliance with legal obligations, handling investigations, and defending lawsuits in the wake of a data breach.

William C. Wagner

Bill is widely recognized as an accomplished and successful trial attorney. He has substantial experience with matters involving environmental law, mass torts, class actions, defense of enforcement actions by federal and state agencies, and insurance coverage and cost recovery actions. Bill has extensive experience trying and winning cases involving complex, scientific issues in civil and criminal trials in federal and state courts, administrative hearings, and arbitrations throughout the country.

Sara Simrall Rorer

Sara’s health care law practice includes advising physician and institutional clients regarding Medicare and Medicaid compliance; Medicare appeals; peer review and credentialing; hospital bylaws and regulations development; managed care provider contracting; physician-hospital joint ventures and other contractual arrangements; clinical trials and medical research (including FDA enforcement actions); and HIPAA and state patient privacy laws (including compliance plans and OCR enforcement actions).