HIPAA Requires Access to Health Records

Healthcare providers may not be aware that HIPAA requires access to health records, in addition to protecting data from breaches. Remember that the HIPAA Security Rule is designed to protect the Confidentiality, Integrity, and Availability (CIA) of health information. When we think of HIPAA, we usually think about confidentiality and pay little attention to access. This oversight could be costly for providers.

Unfortunately, healthcare is a perfect target for ransomware, which is designed to deny access to data. Ransomware works by secretly encrypting data, making it unreadable by the provider. To regain access to the data, the provider must pay hackers for a password to unlock the data.

It’s a bit like coming home to discover that thieves have changed all the locks on your house. The thieves taunt you from your roof: If you want the new keys, you’ve got to give them all your cash.

Of course, in the real world, you would simply call the police, or possibly throw rocks. But in the world of cybercrime, the thieves are somewhere in Ukraine or Nigeria, and instead of cash, they demand Bitcoin, which cannot be traced.

Sadly, for healthcare providers, the situation is even worse, because losing access to health records is a HIPAA violation. It does not matter that the provider was the victim of a cybercriminal. The provider has the responsibility to maintain access to those records, and federal regulations allow no excuses for failure.

So it’s like the thieves change your locks and run off with your cash, but when the police show up, they arrest you!

The bad news is that ransomware attacks are only increasing, and many new forms of ransomware are appearing. A couple of years ago, a nasty bit of ransomware called CryptoLocker made international news. Now that CryptoLocker has been tamed, new ransomware such as CryptoWall is proliferating through cyberspace.

So what can be done? The good news is that the best defense against ransomware is not sophisticated software or IT support. Rather, your best defense is HIPAA training and awareness. Ransomware usually infects computers through phishing email attacks. In other words, a staff member receives a deceptive email that tricks them into clicking on a link or attachment, and ransomware infects the network.

Basic training on data security can thwart most phishing attacks, because savvy computer users do not click on links or attachments in emails from sources they do not recognize and trust. Considering that regular training on health privacy is a core HIPAA requirement anyway, ensuring that all staff have completed training on at least an annual schedule is a no-brainer: it is important for compliance, and it protects your practice.

Good cyber-defenses also play a role. To be sure, every practice should have a robust firewall and anti-malware protection in place. These are also HIPAA requirements. Strong security software can detect and quarantine malware before it corrupts every computer on the network.

Many providers would also benefit from moving to the cloud. The cloud allows for economies of scale, so dedicated security experts who would never otherwise be available to help an individual practice can intervene when malware strikes. Moreover, cloud services can close the window on mischief by simply discarding the data of local computers that have been corrupted. And the cloud can be strict about applications, allowing only authorized programs to run, rather than trying to play catch-up after the damage has begun.

Many providers remain easy targets for ransomware attacks, and they may not realize that falling prey could expose them to the double-whammy of cybercrime and government penalties. But training and diligence can prevent disaster before it strikes.