Does your HIPAA Compliance Plan address what to do during an emergency such as a ransomware attack or a hacker gaining access to your network?
With hackers becoming more aggressive in their attempts to gain access to health care information, using ransomware and other cyber-attacks, it is crucial that health care organizations create and implement an Emergency Mode Operation Plan, Disaster Recovery Plan, and Data Backup Plan as part of their overall HIPAA Compliance Plan.
The Emergency Mode Operation Plan, Disaster Recovery Plan, and Data Backup Plan are all required implementation specifications in HIPAA. Having these plans, practices, and systems in place before a breach could save you from having to pay a hefty ransom to a hacker to regain the protected health information that was taken. If all of the information you are responsible for is backed up, then you won’t have to negotiate with the hacker. You will still have to report the breach to the Office for Civil Rights (OCR) and the FBI, but at least you shouldn’t have to add losing a substantial amount of money, and possibly even your practice, to that list.
Now, more than ever, is a great time to review your HIPAA Compliance Plan and update your implementation methods or create plans if you haven’t done so already. To create your plans, start by determining how your organization will handle an emergency such as a ransomware attack or a hacker gaining access to your network; this can include how you will continue daily operations if your network is locked down due to the attack. Answer questions like: will we notify the police or FBI? Will we hire a forensic company to investigate the situation?
Next, determine how you will recover after the situation is handled. Are there specific systems you will need to bring back up first in order to handle patient care? Did you lose anything during the downtime? This brings you to another crucial security practice: data backup. You should always have a recent, exact copy of your health care information. If you are targeted by ransomware, you should be able to keep your business running as long as that backup is easily accessible.
If you’re wavering on the importance of these plans, keep in mind that the health care industry is currently the No. 1 target for cyber-attacks. And, based on information provided by the OCR’s Breach site, almost triple the number of hacker/IT breaches were reported in September and October of 2016 compared to the same months last year. Plus, there are about 40 percent more reported hacker/IT breaches thus far in 2016 than there were in 2015 during the same time period. Protecting PHI from hackers and ransomware attacks should be a top priority for all health care organizations.
As ransomware continues to plague the health care industry, organizations have to be vigilant. A couple of months ago, the Urgent Care Clinic of Oxford reported that hackers had gained access to protected health information and held the PHI for ransom. While they did eventually regain access to the information, they do not know how many patients have been or will be affected, and they don’t know what information the hackers still have. Proper preparation may have saved this clinic from the serious financial consequences that result from a breach like this: paying the hacker, paying for year-long credit checks for patients, paying any fines they may accrue, and paying for any other damages that could occur because of the breach.
This is one of many examples showing why it is so important that all health care organizations prepare for what could happen, rather than assuming it won’t happen to them. Ready to better protect your organization? To get more in-depth direction for creating the Emergency Mode Operation Plan, Disaster Recovery Plan, and Data Backup Plan, and for help with other HIPAA documentation, join the many users already using HIPAAgps to develop their HIPAA Compliance Plan.