Breach analysis · Patient Protect

§164.308(a)(7) Contingency Planning: Keeping Clinical Operations Running Through a Cyberattack

When a cyberattack takes down imaging systems and forces patient transfers, the failure is clinical—here's the contingency-planning discipline that limits that damage.

Patient Protect Research · May 4, 2026 · First reported in HIPAA Pulse

The control gap

Imaging-system downtime is one of the most clinically destabilizing security failures a small hospital or independent practice can experience. When a network compromise reaches diagnostic infrastructure, care decisions are made without one of the most common diagnostic inputs, and emergency patients who need time-sensitive imaging must be transferred elsewhere, at both clinical and operational cost. The Minidoka Memorial Hospital incident, first reported in HIPAA Pulse (https://hipaapulse.com/minidoka-memorial-hospital-cyberattack-disrupts-imaging-services-and-forces-patient-transfers-on-29c650c0), illustrates exactly this pattern: imaging services were among the first systems lost, emergency transfers followed, and restoration stretched across nearly two weeks.

The control gap isn't just technical—it's procedural. Most small and mid-size practices lack tested downtime procedures, verified backup and recovery protocols, and a documented incident response authority chain. When the attack arrives, improvisation replaces procedure, and improvisation is slow.

The HIPAA Security Rule provision in play

45 CFR §164.308(a)(7) — the Contingency Plan standard — requires covered entities to establish and implement policies for responding to emergencies that damage systems containing ePHI. It has five required implementation specifications:

  • (i) Data Backup Plan — retrievable exact copies of ePHI
  • (ii) Disaster Recovery Plan — restore lost data
  • (iii) Emergency Mode Operation Plan — continue critical business processes during an emergency
  • (iv) Testing and Revision Procedures — periodic testing of contingency plans
  • (v) Applications and Data Criticality Analysis — prioritize restoration of systems by clinical impact

Imaging systems would typically rank as high-criticality under (v). When they go offline without a tested recovery path, the spec has effectively failed in practice regardless of what the policy document says.

How Patient Protect addresses this

  • Security Risk Assessment (SRA): Surfaces gaps in contingency planning before an incident occurs, including whether backup procedures are documented and tested. An undated or incomplete SRA is itself an OCR liability.
  • Information Systems Inventory: Catalogs clinical and administrative systems so practices can perform a data criticality analysis—knowing which systems need fastest restoration is the prerequisite for any recovery plan.
  • Policy Generation: Produces HIPAA-compliant downtime procedure documentation, emergency mode operation plans, and disaster recovery policies that satisfy §164.308(a)(7)'s written-plan requirements.
  • Autonomous Compliance Engine: Continuously recalculates compliance posture as your environment changes, flagging contingency-plan gaps without waiting for an annual review cycle.
  • Compliance Scoreboard: Gives practice administrators a real-time view of where contingency and operational continuity controls stand—before a regulator asks.

Practical next steps

  • Test your downtime procedures on paper this week. Walk through how your staff would document a visit, schedule a referral, and communicate with a patient if every screen went dark. If the answer is "we'd figure it out," you don't have a plan.
  • Confirm offline or immutable backups exist for ePHI and critical system configurations. Backups that live on the same network segment as the systems they protect offer limited protection in a ransomware event.
  • Assign and document ownership of the breach notification clock. The HIPAA 60-day notification window (§164.404) runs from discovery, not containment. Name the person now who will start that clock the moment an incident is identified.
  • Verify BAAs are current for every imaging and diagnostic vendor. A third-party imaging service with no current BAA is both a legal gap and an unassessed risk vector.
  • Complete or update your SRA. OCR's investigation of any breach complaint begins with the risk analysis—an incomplete analysis compounds liability beyond the incident itself.

Try Patient Protect

  • Start a free trial at hipaa-port.com → https://hipaa-port.com
  • Run a free Security Risk Assessment at patient-protect.com/risk-assessment → https://patient-protect.com/risk-assessment

This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article.