The 2017 news was replete with stories announcing ransomware attacks on health IT systems across the country. In January, AllScripts, an EHR company, was the victim of the SamSam variant of ransomware, leaving many of the healthcare providers it hosts without access to patient records, prescription services and other applications for several days. Cybersecurity specialists anticipate more frequent and more sophisticated ransomware attacks on the healthcare industry in 2018.
Ransomware is a form of malware deployed for the purpose of preventing access to data. Typically, access is restricted through encryption and is reinstated upon payment of a ransom in Bitcoin. The January 2018 OCR Cybersecurity Newsletter provides guidance on preventing cyber extortion. However, if you are a victim, HIPAA has specific requirements for responding.
- Time: HIPAA requires notice of a breach affecting more than 500 persons no later than 60 days after discovery. The Office for Civil Rights ("OCR") considers that the time of discovery begins when the incident is first known, not when the investigation is complete.
- Document: Maintaining good documentation is critical. Much of it is required by HIPAA and will be needed in the event of an OCR investigation.
- Incident Response Team: Alert the incident response team, which may include legal counsel, forensic analysts, the cyber-insurer, a public relations firm, a mass-mailing service, and credit monitoring services. Be familiar with your cyber-insurance coverage requirements.
- Contingency Plan: Consider the time and expense of restoration from a recent backup, if feasible. The plan may include an account holding Bitcoin. It has been reported that Hancock Health, also a recent SamSam victim, determined that paying the ransom was more cost-effective and timely than manually restoring its systems from backup.
- Mitigation: Initiate mitigation efforts locally and verify that Vendor has taken steps to identify, correct and contain or remove the intruder or intruders. Even if evicted by the Vendor, verify that there was no intrusion prior to the ransomware incident during which data may have been destroyed, copied or removed. This may occur well prior to introduction of the ransomware and was the cause of a breach reported by Peachtree Neurological Clinic in Atlanta.
- Forensic Investigation: Initiate an independent forensic examination, if necessary; request forensic information from the Vendor. This will also be needed to assess the number of affected persons and the specific PHI at risk.
- Breach Risk Assessment: Initiate a breach risk assessment to determine whether there is a low probability that the PHI has been compromised. OCR considers ransomware an unauthorized access if the ePHI has been encrypted. A breach is presumed whenever there is unauthorized access, use or disclosure, but notice may not be required if the risk to the PHI is determined to be low.
- Notice: If more than 500 persons are affected, notice must be mailed to the affected persons, made on the OCR Breach Portal and to prominent media outlets in the State or jurisdiction, and possibly posted on your website for 90 days.
- State Notice Requirements: Assess need and requirements for providing notice under state breach laws.
Beth Pittman serves as counsel to Waller, Lansden, Dortch & Davis LLP.