Ransomware – Are you ready?


When your screen locks up with a ransomware notice, the emotions kick in. Actually, panic kicks in. Where is my data? Do I have a good backup? What is my first appointment tomorrow? Who owes money? Naturally the focus becomes recovering and restoring the data.

It is not a matter of IF you will have a data breach, it is a matter of WHEN. Recently several healthcare entities, including a dental practice, found out the hard way that when a practice suffers a ransomware attack, it is not enough simply to restore the data.

Last week 180,000 records, including 3,496 from a dental practice, were released on the dark web. The bad guy, or bad actor as they are referred to, made good on his threat to publish the data because the practice did not meet his demands. So far nine entities, including a dental practice, have been identified by the Office for Civil Rights (OCR), and none of the nine had reported a breach.

OCR has released a fact sheet on ransomware and HIPAA. It makes clear that ransomware affecting electronic Protected Health Information (ePHI) is a security incident under the HIPAA Security Rule and, because the ePHI has been encrypted and therefore acquired by an unauthorized person, is presumed to be a breach subject to the HIPAA Breach Notification Rule unless the practice can demonstrate, through a documented risk assessment, that there is a low probability the PHI was compromised. A breach is defined as "the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the Protected Health Information" (45 C.F.R. § 164.402). Restoring from backup does not change this analysis: the PHI left the practice's control when it was encrypted, and if the attacker also copied it, as in the dump described above, there is no low-probability argument left to make.

OCR and other government agencies monitor the dark web, so when a dump of records appears they are usually on top of it, often before the practice has reported anything. When a practice is compliant with the HIPAA HITECH Privacy and Security Rules (45 C.F.R. Parts 160 and 164), OCR will usually work with it and the penalties are minimal. When a practice has failed to adhere to the rules, that is when the fines kick in, and they can be steep.

Being prepared for this situation is the best way to keep the stress level down when an event occurs:

  • Conduct an accurate risk analysis
  • Establish a security management plan
  • Create written security policies and procedures for your practice
  • Maintain a backup policy that includes full system backups, tested regularly
Handling a data breach can be an emotional rollercoaster, but it does not have to be. When a breach occurs, it is best to consult a third-party professional as well as your IT provider to assist with the investigation, breach procedures, recovery and restoration. By securing and preparing your practice today you can be ready when it happens tomorrow. It is not enough simply to recover your data. As a healthcare practitioner you must adhere to the HIPAA HITECH Privacy and Security Rules, and recovering your data does not mean you will recover from an Office for Civil Rights (OCR) investigation.

Happy New Year!


In 2016 we saw a record number of cyber attacks against healthcare facilities, and yes, this included private practices. We also saw HHS levy over 25 million dollars in fines as a result of data breaches.

The New Year is a time for new starts and resolutions. This would be a great time to implement a good security program in your practice.

To Get Started:

Change passwords – Using the same password for a long time leaves you vulnerable, especially if staff left in 2016. Now is a good time to change the password on your network, to have each team member change their practice management password, and to disable the accounts of anyone who has left.

Test your onsite and offsite backups – Make sure your data is actually being backed up, and prove it by restoring a copy and checking it, not just by reading the backup log. Also consider making a full system backup on a weekly basis and holding it in a secure place, disconnected from the network, so that an attacker who encrypts your workstations cannot encrypt the backup as well.

Dust off those computers. Frequently when I go into offices, the backs of workstations are covered with dust. That dust is sucked into the computer and can shorten the life of the computer.
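The backup test is the step practices skip most often, so here is what "prove it by restoring" looks like in practice. This is an added example, not code from the original post: the Python script takes a backup of a sample data directory, records a SHA-256 manifest at backup time, test-restores the archive into a scratch directory and compares it file by file against that manifest, flags an archive older than the policy allows, and finally, after a constructed stand-in for an encryptor has scrambled the live data, uses the manifest to list exactly which files were hit. The directory names, file names, sample records and the 24-hour freshness policy are all constructed for the example.

```python
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src and a manifest file beside it; return the manifest."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:  # add by relative path so the archive holds no '.' or absolute entries
            tar.add(src / rel, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(archive: Path, manifest: dict, max_age_hours: float = 24) -> dict:
    """Test-restore the archive into a scratch directory and compare it with the manifest.

    ok is True only if the archive is recent enough, readable, and every file hashes as recorded.
    """
    report = {"ok": False, "stale": False, "missing": [], "mismatched": [], "extra": [], "error": None}
    report["stale"] = (time.time() - archive.stat().st_mtime) / 3600 > max_age_hours
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuses '..' and absolute member paths
                except TypeError:
                    tar.extractall(scratch)  # Python builds without the filter argument
        except Exception as exc:  # truncated or corrupt archive: ReadError, EOFError, zlib errors
            report["error"] = repr(exc)
            return report
        restored = build_manifest(Path(scratch))
    report["missing"] = sorted(set(manifest) - set(restored))
    report["extra"] = sorted(set(restored) - set(manifest))
    report["mismatched"] = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    report["ok"] = not (report["stale"] or report["missing"] or report["extra"] or report["mismatched"])
    return report


def changed_since_backup(src: Path, manifest: dict) -> list:
    """Manifest entries that are now missing or hash differently on the live system."""
    return sorted(p for p, digest in manifest.items()
                  if not (src / p).is_file() or sha256_file(src / p) != digest)


def simulate_ransomware(data: Path) -> None:
    """Constructed stand-in for an encryptor: overwrite and rename every file, drop a ransom note."""
    for p in [q for q in data.rglob("*") if q.is_file()]:
        p.write_bytes(os.urandom(max(16, p.stat().st_size)))
        p.rename(p.with_name(p.name + ".locked"))
    (data / "README_DECRYPT.txt").write_text("Your files are encrypted.\n")


def demo() -> dict:
    """Run the drill on constructed sample data and return the reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root, data = Path(tmp), Path(tmp) / "practice_data"
        (data / "patients").mkdir(parents=True)
        (data / "patients" / "chart_0001.txt").write_text("constructed sample chart\n")
        (data / "schedule.csv").write_text("date,patient\n2017-01-03,sample\n")
        archive = root / "backup.tar.gz"
        manifest = create_backup(data, archive)
        good = verify_backup(archive, manifest)

        partial = root / "partial.tar.gz"  # a backup job that died mid-write
        blob = archive.read_bytes()
        partial.write_bytes(blob[: len(blob) // 2])
        broken = verify_backup(partial, manifest)

        old = time.time() - 3 * 24 * 3600  # a backup that last ran three days ago
        os.utime(archive, (old, old))
        stale = verify_backup(archive, manifest, max_age_hours=24)

        simulate_ransomware(data)  # live data is now useless; the manifest says what was hit
        touched = changed_since_backup(data, manifest)
    return {"good": good, "broken": broken, "stale": stale, "touched": touched}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it as a scheduled job against the real backup location and have someone paged whenever ok comes back false; a green backup log is not the same as a restore that hashes correctly. The archive and its manifest must live somewhere the workstations cannot write, because an encryptor that reaches the backup share will scramble the archive and the manifest together, which is exactly why the weekly full copy is held offline.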

Check all computers to make sure that operating system security patches and antivirus definitions are up to date.

Review your vendors and your Business Associate Agreements – You should have a BAA or contract with any vendor that creates, stores, views, or transmits your data. This includes your IT company, claims processing company, billing company, practice management vendor, etc.

Review your security manual – Make sure your security policies and procedures are current and relevant for your practice.

Schedule your Annual Risk Analysis – The HIPAA Security Rule, as amended by the HITECH Omnibus Rule, requires an accurate and thorough assessment of the risks to ePHI (45 C.F.R. § 164.308(a)(1)(ii)(A)). A risk analysis shows where ePHI may be vulnerable and at risk.

Schedule your Annual HIPAA Security Training