Patient Data Leaked 

Recently, we had a practice contact us because one of its vendors had been hit with a ransomware attack that also encrypted the devices within the practice. The vendor told the doctor that he did not need to take any action: the vendor was going to pay the ransom, get the decryption key, and the practice would be back up and running in a few hours. It is not always that easy.

Threat actors, or hackers, are in business to make money, and they will go to great lengths to accomplish that goal. I was recently contacted by someone whose position requires them to "surf" the dark web. While surfing one day, he found that data from a dental practice was "for sale". The advertisement noted that the data had been exfiltrated from a dental practice that chose not to pay, so the information was now for sale. This person took the extra step of researching the practice and found that it had not followed the breach-notification requirements of HIPAA and of the state it is in; in other words, the practice chose not to pay and not to notify its patients. It is the patients who will pay for this negligence.

HIPAA is very clear that when a patient's information is accessed or compromised, the patient must be notified so that they can take the necessary steps to protect themselves. The HIPAA Breach Notification Rule requires that notice be given without unreasonable delay and no later than 60 days after the breach is discovered. Identity theft is on the rise, and practices failing to report these data breaches are a contributing factor.

Practices are required to have a process for responding to and handling a data breach. This plan should include engaging a certified forensic investigator to determine the extent of the breach, notifying patients that their data may have been compromised, and reporting the breach to HHS (and, for breaches affecting more than 500 individuals, notifying the media). Paying the ransom and recovering the files does not remove these obligations: if the data was exfiltrated before it was encrypted, it has still been compromised.

Cyber-attacks are going to continue, and the best defense is to have security controls in place BEFORE such an event occurs.  
