July 17, 2025
When something goes wrong in long-term care, we know how to stay calm and act fast. But when the crisis is digital, a ransomware attack or a data breach, do we have the same kind of plan? That's where an incident response plan (IRP) comes in.
A good IRP protects more than just files—it protects people. It ensures that if something suspicious happens, your staff knows who to notify, what to shut down, and how to keep resident care going safely. It also helps meet essential requirements. Many cyber liability insurance policies require facilities to maintain an IRP—and show proof of testing it—before they'll cover breach-related costs.
According to NIST, organizations with a documented and tested incident response plan reduce recovery costs by more than 50% and restore services significantly faster.
So, what does an LTC-specific plan include? At minimum:
- Clear roles: Who's in charge of communication, investigation, reporting, and IT containment?
- Communication procedures: How do you notify staff, families, vendors, and regulators?
- Response checklists: What should nursing do? What should admin shut down?
- Timeline for reporting: HIPAA requires breach reporting within 60 days, and Ohio mandates immediate notification for serious events.
- Recovery actions: How do you restore backups and services without compromising care?
- Post-incident review: What did we learn, and how do we adjust?
Facilities that test their plans regularly—using tabletop exercises—often discover gaps they didn't know existed. Missing contact lists, unclear steps, or outdated tools can all be corrected before a real-world crisis hits. Tabletop drills also give staff an opportunity to practice calmly, ask questions, and learn without pressure.
In Ohio, your IRP is often a component of your Written Information Security Program (WISP)—a master document that outlines your entire data protection approach. If you have a WISP and use it consistently, it can even serve as a legal defense in civil litigation following a data breach. It shows you took steps to protect resident data and acted in good faith.
A skilled nursing facility near Cincinnati created its IRP with help from its MSP and compliance officer. Twice a year, they practiced cyber drills and updated staff roles. When a real phishing attack targeted their business office, their training kicked in. IT was alerted within minutes, the email server was secured, and no resident data was lost.
"Plans are worthless, but planning is everything." - Dwight D. Eisenhower (quoted in HHS Cybersecurity Guidelines)
Contrast that with a memory care facility in Northeast Ohio. When an employee's laptop was stolen from a car, no one knew who to notify. The device wasn't encrypted. It took days to realize the extent of the data exposure—long enough for resident info to hit the dark web. The result? A $70,000 OCR fine and a painful audit.
"You can't predict, but you can prepare." - Atul Gawande
Here's the hard truth: incidents will happen. But the damage depends on how prepared you are.
So if a breach happened at 2 AM tonight, would your staff know what to do?
Learn more about Affiliated's healthcare-specific IT Support and Services in Columbus and the Central Ohio areas.