Is Ransomware as Scary as People Make It Seem?
Ransomware is scary for those who are unprepared. We have had clients that were completely shut down after a ransomware attack. Others have suffered a HIPAA breach. It is stressful, time-consuming and can be expensive if you are not prepared.
What is Ransomware?
Ransomware is when a hacker breaks into your network and either steals or locks your data, so you have no access to it. You will usually see a black screen with the ransom request offering to return or unlock the data for a fee. When payment is made, the data is generally never returned. Patient encounters, patient demographics, billing accounts, ALL data gone.
Does HIPAA Apply?
Yes. The HIPAA Security Rule requires you to safeguard against ransomware attacks, have a response plan in case you are a victim of ransomware, and have a method to detect unwanted users. Protecting your practice from attacks like ransomware is not optional.
What Do I Need to Do to Protect My Practice?
Prevent Entry. Keep everyone out. When you think digital security, think “digital door locks.” Your goal is to keep people out of your information system. First, use complex passwords: 12 characters, mixing numbers and letters, with no dictionary words or phrases. Only practice-owned devices should connect to the practice Wi-Fi. Use protection software such as anti-virus to help safeguard your data.
What Happens If Someone Gets In?
If you have been hacked, you must have a plan in place to mitigate the damage. Determine how they got in and how to prevent it in the future. Determine if there is a HIPAA breach and follow breach notification protocols. Then you must clean up after the hackers. Be sure all traces of the virus are gone and your system has been wiped clean.
If your data is ALL encrypted, then there is no breach. This is because EHR software has made the data inaccessible with encryption. Make it a policy in your practice that ALL data is housed inside the EHR or an encrypted folder. When scanning documents to store inside a patient’s EHR file scan directly into your software system. Do not scan documents to the hard drive of the machine and then bring them into the EHR.
Have a daily, verified, off-site backup. This will allow you to restore your own data and not have to pay the ransom. But please make sure you verify the backup by periodically checking that the data can actually be retrieved and accessed.
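The “verified” part is the step most practices skip: a backup that has never been restored is an assumption, not a safeguard. The script below is an added example, not code from the original article or from Breakthrough Coaching. It records a SHA-256 manifest of the files at backup time, performs a test restore into a scratch directory, and checks every file against the manifest, while also flagging a backup that is older than the daily window. All file contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
import time


def sha256_of_file(path):
    """Hash a file in chunks so large scans or database exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under `root` (relative path) to its SHA-256 at backup time."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Return (ok, problems). Every manifest entry must exist in the restore and hash-match."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(restored_root, rel)
        if not os.path.isfile(full):
            problems.append(f"missing: {rel}")
        elif sha256_of_file(full) != expected:
            problems.append(f"corrupt: {rel}")
    return (not problems, problems)


def backup_is_fresh(backup_mtime, max_age_hours=24, now=None):
    """A 'daily' backup that is older than the window should raise an alarm, not reassure."""
    now = time.time() if now is None else now
    return (now - backup_mtime) <= max_age_hours * 3600


def demo():
    """Run the full backup / test-restore / tamper cycle on constructed data and return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "practice_data")
        offsite = os.path.join(work, "offsite_copy")
        restored = os.path.join(work, "test_restore")
        os.makedirs(os.path.join(source, "scans"))
        # Constructed sample files standing in for EHR exports and scanned documents.
        with open(os.path.join(source, "notes.txt"), "w") as f:
            f.write("constructed encounter note\n")
        with open(os.path.join(source, "scans", "intake.pdf"), "wb") as f:
            f.write(b"%PDF-constructed-sample")

        manifest = build_manifest(source)          # taken when the backup is made
        shutil.copytree(source, offsite)           # the "off-site" copy
        shutil.copytree(offsite, restored)         # the periodic test restore
        results["clean_restore"] = verify_restore(manifest, restored)

        # Simulate silent corruption of one restored file (e.g. a bad copy or a tampered archive).
        with open(os.path.join(restored, "notes.txt"), "a") as f:
            f.write("x")
        results["corrupt_restore"] = verify_restore(manifest, restored)

        # Simulate a file that never made it into the backup.
        os.remove(os.path.join(restored, "scans", "intake.pdf"))
        results["missing_restore"] = verify_restore(manifest, restored)

        now = time.time()
        results["fresh_yesterday"] = backup_is_fresh(now - 3600, now=now)
        results["stale_two_days"] = backup_is_fresh(now - 48 * 3600, now=now)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In practice the manifest is written alongside the backup, and the test restore is scheduled (weekly is a common choice) into a scratch location so the check never touches production data; a single “corrupt” or “missing” line is reason to treat the backup as unusable until fixed.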
Often viruses are downloaded because someone in the practice has clicked on something that contains a virus. Do not click through warnings: a virus download will often trigger a warning first. These viruses are often in emails that look like they are from a legitimate company, but if you read the sender’s email address carefully you will see it is not the official one.
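Reading the sender address carefully can be partly automated. The following is an added example, not code from the original article, showing the kind of check a mail filter or a staff-facing tool can apply: it parses the From header, compares the sender domain against a constructed list of vendor domains the practice actually works with, and flags near-misses (digit-for-letter swaps, a real vendor name buried inside a stranger’s domain) and display names that claim a vendor while the address points elsewhere. The vendor domains and sample headers are all constructed placeholders.

```python
import email.utils

# Constructed placeholder list; a real practice would fill this from its vendor contracts.
KNOWN_VENDOR_DOMAINS = {"examplebilling.com", "ehrvendor.example"}


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn `a` into `b`."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,            # deletion
                               current[j - 1] + 1,         # insertion
                               previous[j - 1] + (ca != cb)))  # substitution
        previous = current
    return previous[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def imitated_domain(domain, known):
    """Return the known domain this one appears to imitate, or None."""
    for legit in known:
        # examplebi11ing.com, exarnplebilling.com: a couple of swapped characters.
        if edit_distance(domain, legit) <= 2:
            return legit
        # examplebilling.com.mail-update.net, examplebilling-support.com: real name, wrong domain.
        if legit.split(".")[0] in domain:
            return legit
    return None


def assess_sender(from_header, known=KNOWN_VENDOR_DOMAINS):
    """Classify a From header as ok / suspicious / unknown sender / reject."""
    display_name, address = email.utils.parseaddr(from_header)
    domain = domain_of(address)
    if not domain:
        return "reject: no usable address"
    # Exact match or a subdomain of a known vendor (mail.examplebilling.com) is fine.
    if domain in known or any(domain.endswith("." + legit) for legit in known):
        return "ok"
    hit = imitated_domain(domain, known)
    if hit:
        return f"suspicious: {domain} imitates {hit}"
    # Display name says "Example Billing" but the address belongs to someone else entirely.
    squashed_name = display_name.lower().replace(" ", "")
    for legit in known:
        if legit.split(".")[0] in squashed_name:
            return f"suspicious: display name claims {legit} but address is {domain}"
    return "unknown sender"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "Example Billing <noreply@examplebilling.com>",
        "Example Billing <noreply@examplebi11ing.com>",
        "Example Billing <support@examplebilling.com.mail-update.net>",
        "Example Billing Support <billing.team@freemail.example>",
        "Dr. Smith <smith@clinic.example>",
    ]
    for header in samples:
        print(f"{header!r}: {assess_sender(header)}")
```

A “suspicious” verdict is a prompt to stop and call the vendor on a known number, not proof of an attack; an “unknown sender” is simply someone the practice has no relationship with yet, which is where the usual caution about attachments and links applies.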
Use a Good IT Company
IT support is the key to good security. IT staff are trained on the latest technology, and some IT companies opt to be HIPAA certified. IT companies offer services like monitoring, software updates and Windows/Apple updates. Make sure all computers are running supported software, as it is a HIPAA violation to run on unsupported machines.
Many covered entities use vendors that need access to PHI, and those vendors must sign a Business Agreement. These agreements make the vendor responsible for safeguarding your patients’ PHI. Remember, these agreements make them responsible too; they do NOT remove your responsibility.
Be prepared. With a few policies, your office can feel confident that you are digitally locked and protected from ransomware. For more peace of mind, Breakthrough Coaching has an updated security and compliance plan.