When your screen locks up with a ransomware screen, the emotions kick in. Actually, panic kicks in. Where is my data? Do I have a good backup? What is my first appointment tomorrow? Who owes money? Of course, the focus becomes recovering and restoring the data.
It is not a matter of IF you will have a data breach, it is a matter of WHEN you will have a data breach. Recently several healthcare entities, including a dentist, found out the hard way that it is not enough to simply restore your data when a practice has a ransomware attack.
Last week 180,000 records, including 3,496 from a dental practice, were released on the dark web. The bad guy, or bad actor as they are referred to, made good on his threat to publish the data because the practice did not meet his demands. So far nine entities, including a dental practice, have been identified by the Office of Civil Rights (OCR), and none of those nine had reported that they had had a breach.
The Office of Civil Rights has released a guide on ransomware and emphasizes the fact that a ransomware attack, or any threat to electronic Protected Health Information (ePHI) or data, is a breach and is subject to the HIPAA Breach Requirement. A breach is defined as “the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the Protected Health Information” (45 C.F.R. 164.402). When there is a ransomware attack, a breach has occurred because the Protected Health Information is no longer under the practice’s control and has been accessed and/or acquired by an unauthorized person.
The Office of Civil Rights and other government agencies monitor the dark web, so when there is a dump of records, they are usually on top of it. They know that a data breach is going to happen. When practices are compliant with the HIPAA/HITECH Privacy and Security Rules (45 C.F.R. Parts 160 and 164), the Office of Civil Rights (OCR) will usually work with them and the penalties are minimal. However, when a practice fails to adhere to the rules, the penalties and fines kick in, and they can be steep.
Being prepared for a potential situation is the best option to lower the stress levels when an event occurs.
In 2016, we saw a record number of cyberattacks against healthcare facilities, and yes, this did include private practices. We also saw HHS levy over 25 million dollars in fines as a result of data breaches.
The New Year is a time for new starts and resolutions. This would be a great time to implement a good security program in your practice.