There is a lot of great information in Ep 308 – Maturity Model Matters of the Help Me With HIPAA podcast, and we hope you take away a lot of knowledge. BUT, if you only take one thing away from this episode, know how to correctly spell HIPAA: it is spelled with only ONE P, not TWO! Trust me, there is way more in this episode. But it is funny to listen to Donna and David get so aggravated at how some people spell HIPAA.
In the episode, Donna and David give an update on the Scripps Health ransomware attack that happened in early May 2021, but more importantly they remind us how important it is to have a plan for these types of attacks. It is critical not just to have a plan, but to make sure that the entire staff knows there IS a plan. Many times only a small group of employees is involved in creating the plan, which is fine. But once the plan is created, make sure everyone knows it exists. Granted, not everyone needs to memorize the plan, but they do need to know the parts that pertain to their roles in executing it, whether that is how they are to communicate with patients during an incident or whether they have a role in carrying out the investigation.
Another great lesson to take away from the Scripps Health attack is that it can take far more than a week or two to get everything back up and running. Your incident response plan needs to address how you are going to operate without your systems for at least a month. Two weeks is no longer the norm, and recovery times are most likely going to get longer. So, how mature is your Incident Response Plan?
And speaking of maturity, Donna and David introduced us to the Cybersecurity Maturity Model Certification (CMMC) in this episode. CMMC is a certification for defense contractors that sets unified standards for cybersecurity programs across the Defense Industrial Base. The model is being discussed all over the cybersecurity world because it breaks controls into levels, so you can see what implementation level or maturity level a program is at any given moment. Why is the DoD requiring this? The government wants to know that its supply chain can adequately protect the sensitive information it is entrusted with. Does this sound familiar? Listen to Maturity Model Matters – Ep 308 to learn more about CMMC and how its concepts can be applied to HIPAA. Oh, and get ready for a lot more information on this in future episodes.