Recently a healthcare practice was attacked with ransomware. Their IT service provider said he had backed up all of their data offsite and that it wouldn’t be an issue if the encrypted data were destroyed, so the practice decided not to pay the fee to get their data back. Unfortunately, the service provider’s backup solution did not work. They lost four years of personal health information and office information. This was a total data disaster for the business.
In another case, a neurosurgeon’s practice was attacked by malware. An investigation determined that this was a large enough data breach that the practice had to inform the media and bring in the FBI. The practice was in the news for weeks and spent about a million dollars to clean up the mess.
These practices were likely overdue for a thorough consultation with their IT service providers about security and backup. Often, practices do not know how to enact security and backup systems and processes on their own. Here are some relevant and timely discussion points.
Are you taking the right steps to protect your practice and your patients?
The United States government defines ransomware as “a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.” The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. Because patient data is unlawfully acquired during a ransomware infection, you are obligated to notify the government and your patients of the security breach.
On July 11, 2016, the HHS Office for Civil Rights issued a Fact Sheet stating that the act of encryption itself, regardless of exfiltration, is presumed to be a breach because it is an “acquisition” of ePHI (electronic protected health information) and thus a “disclosure” not permitted under the HIPAA Privacy Rule. So, even if you’re struck by ransomware and you recover your data, you still have to report the breach to the government, and possibly even to the media.
Protect Your Practice, Protect Your Patients
All healthcare providers must develop IT security and data recovery plans and implement a security management process against threats. Moving forward, even the presence of malware may be a reportable breach. This means that the medical practice would have to inform its patients if PHI could have been compromised, and if more than 500 health records were involved, the practice also has to notify the media.
Employee Education: Be careful what you click on
The majority of ransomware incidents (which can bring down an entire network) result from an employee opening a suspicious email attachment. Coach employees to ask themselves, every time:
- Do I know who is sending me the email?
- Is the email from the right email address?
- Am I checking my personal email on my work PC?
Preventative Security Services Are “Vaccines” for Your Business
You must protect personal healthcare information by taking a multilayered approach to security. This means applying security controls at many points in your IT stack, and between the internet and endpoint devices.
- Do you have a recommended and managed anti-malware service?
- Do you have a recommended and managed anti-virus service?
- Have you deployed a web filtering service to prevent users from inadvertently clicking on suspicious links?
- Are your organization’s email attachments being inspected by a ransomware detection service? A prime example is Microsoft’s Advanced Threat Protection, which protects against zero-day attacks hidden in attachments. Scantron includes this service for all affianceSUITE™ customers.
Backup and Recovery Requirements
Implementing a data backup plan is a Security Rule requirement for HIPAA-covered entities and business associates as part of maintaining an overall contingency plan. Some questions to guide a practice in evaluating an IT service provider’s proposed backup solution:
- Does your disaster recovery solution include backup, replication, or both?
- How frequently do you check your backups to ensure they work?
- How many restore points are available, and at what intervals?
- How fast can you retrieve your data from your backup instances?
- Do you have a local failover plan in conjunction with an offsite encrypted backup?
Backups are “snapshots” of an entire system taken periodically, and you can retain as many of them as you need. If a backup process does not allow you to restore your environment to multiple restore points in the past, it’s not a true backup solution. Many organizations lack this ability; we see it frequently when we do network assessments.
Replication is copying the most critical data as changes occur, in real time or near-real time, to enable business continuity. It can be costly, but it may be worth it for mission-critical systems and data. Both backup and replication are useful components of a disaster recovery solution.
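The questions above (how often backups are checked, how many restore points exist and at what intervals) are easiest to answer with a script rather than by trusting a provider's word, which is what failed the practice in the opening story. The following is an added example, not code from the original article or from Scantron; it assumes a hypothetical backup layout in which each snapshot is a directory named by timestamp and carries a `manifest.sha256` listing the hash of every file it contains, and it builds a constructed sample with one silently corrupted snapshot to show what a verification pass should catch.

```python
import hashlib
import tempfile
from datetime import datetime
from pathlib import Path

MANIFEST = "manifest.sha256"   # per-snapshot list of "<sha256>  <relative path>" lines

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_snapshot(snapshot: Path) -> bool:
    """A restore point counts only if every manifest entry exists and matches its hash."""
    manifest = snapshot / MANIFEST
    if not manifest.is_file():
        return False
    entries = [ln.split("  ", 1) for ln in manifest.read_text().splitlines() if ln.strip()]
    return bool(entries) and all(
        (snapshot / name).is_file() and sha256_of(snapshot / name) == expected
        for expected, name in entries)

def audit_backups(root: Path, min_points: int = 3, max_gap_hours: float = 24.0) -> dict:
    """Which restore points verify, the longest gap between good ones, and whether
    the retention policy (minimum count, maximum spacing) is actually met."""
    good, bad = [], []
    for snap in sorted(p for p in root.iterdir() if p.is_dir()):
        (good if verify_snapshot(snap) else bad).append(snap.name)
    times = [datetime.strptime(n, "%Y-%m-%dT%H%M") for n in good]  # dir name = timestamp
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
    return {"good": good, "bad": bad, "max_gap_hours": max(gaps, default=0.0),
            "policy_met": len(good) >= min_points and all(g <= max_gap_hours for g in gaps)}

def build_sample_backups() -> Path:
    """Constructed sample: three nightly snapshots; the middle one is silently
    corrupted after its manifest was written, the failure a restore test must catch."""
    root = Path(tempfile.mkdtemp())
    for stamp in ("2024-03-01T0200", "2024-03-02T0200", "2024-03-03T0200"):
        snap = root / stamp
        snap.mkdir()
        data = snap / "patients.db"
        data.write_bytes(b"constructed sample record set\n")
        (snap / MANIFEST).write_text(f"{sha256_of(data)}  patients.db\n")
    (root / "2024-03-02T0200" / "patients.db").write_bytes(b"truncated")
    return root
```

Running `audit_backups(build_sample_backups())` reports the corrupted snapshot as bad and flags the policy as unmet because the remaining good points are 48 hours apart; the same check against real snapshots is the periodic test the provider in the opening story never ran.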
Scantron Technology Solutions has helped over 2,500 physician practices develop their IT security protocols and business continuity plans to meet the requirements that the US government has mandated for healthcare providers.
Download a free PDF from the Department of Health and Human Services that goes into detail on data threats and the responsibilities of organizations that handle PHI.