When your computer locks up with a ransomware screen, the emotions kick in. Actually, panic kicks in. Where is my data? Do I have a good backup? What is my first appointment tomorrow? Who owes money? Of course, the focus quickly becomes recovering and restoring the data.
It is not a matter of IF you will have a data breach; it is a matter of WHEN you will have a data breach. Recently, several healthcare entities, including a dental practice, found out the hard way that it is not enough to simply restore your data when a practice has a ransomware attack.
Last week 180,000 records, including 3,496 from a dental practice, were released on the dark web. The bad guy, or "bad actor" as they are referred to, made good on his threat to publish the data because the practice did not meet his demands. So far nine entities, including a dental practice, have been identified by the Office of Civil Rights (OCR), and none of those nine had reported that they had had a breach.
The Office of Civil Rights has released a guide on ransomware and emphasizes that a ransomware attack, or any other threat to electronic Protected Health Information (ePHI), is a breach and is subject to the HIPAA Breach Notification requirements. A breach is defined as "the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the Protected Health Information" (45 C.F.R. 164.402). When there is a ransomware attack, a breach has occurred because the Protected Health Information is no longer under the practice's control and has been accessed and/or acquired by an unauthorized person.
The Office of Civil Rights and other government agencies monitor the dark web, so when there is a dump of records, they are usually on top of it. They know that a data breach is going to happen. When practices are compliant with the HIPAA HITECH Privacy and Security Rule (45 C.F.R. 160 and 164), the Office of Civil Rights (OCR) will usually work with them and the penalties are minimal. However, when a practice fails to adhere to the rule, that is when the penalties and fines kick in, and they can be steep.
Being prepared for a potential situation is the best way to lower the stress level when an event occurs:
- Conduct an accurate risk analysis
- Establish a security management plan
- Create written security practices for your practice
- Maintain a backup policy that includes full system backups
Handling a data breach can be an emotional rollercoaster, but it doesn't have to be. When a breach occurs, it is best to consult a third-party professional as well as your IT provider to assist with your investigation, breach procedures, recovery and restoration. By securing and preparing your practice today, you can be ready when it happens tomorrow. It is not enough to simply recover your data. As a healthcare practitioner you must adhere to the HIPAA HITECH Privacy and Security Rule. Just because you recover your data does not mean that you will recover from an Office of Civil Rights (OCR) investigation.
Debi Carr is a Security and HIPAA Compliance Consultant with D K Carr and Associates, LLC. She can be reached at (844) 352-2771 or firstname.lastname@example.org