Recent ransomware attacks illustrate the importance of compliance with the HIPAA required and addressable security standards. In its December 2, 2019 Fall 2019 Cybersecurity Newsletter, the Office of Civil Rights (OCR) discussed ransomware attacks and ways to recognize, prevent, mitigate and recover from an attack.
HIPAA requires both covered entities and business associates to conduct a risk analysis of the potential risks and vulnerabilities to the security of electronic Protected Health Information (ePHI) and to implement a corrective action plan to eliminate or reduce those risks and vulnerabilities. According to the OCR, these risk analyses are critical to preventing ransomware attacks because ransomware takes advantage of technical vulnerabilities. HIPAA also requires an effective procedure for information system activity review. This enables the covered entity or business associate to identify unusual activity and quickly identify an attack. The information system review should include procedures, such as audit logs, incident and breach tracking reports, and reports on system access.
In a recent situation, a company that provides information technology services to dental practices was hit with a ransomware attack. Because the company had access to the information technology systems of its customers, the dental practices were also impacted by the ransomware attack. Those affected dental practices without strong data backup have been unable to access their data, including patient records. In some cases, this has resulted in a shutdown of the practice.
The effect of the ransomware attack on the dental practices would have been eliminated or significantly reduced had the dentists had an effective data backup plan. HIPAA requires both covered entities and business associates to develop and implement a Contingency Plan, including the establishment of policies and procedures to respond to emergencies, such as a cybersecurity attack, computer virus, system failure, power outages, fire or water damage or a natural disaster, that could impact information technology systems that contain (ePHI).
The Contingency Plan should, at a minimum, include (i) an emergency mode operation plan to ensure that all critical business processes are protected and secure when operating in emergency mode; (ii) a data backup plan to ensure that all ePHI is readily available and that exact copies of the information are retrievable; and (iii) a disaster recovery plan to ensure that any lost data can be restored. Each of these are specifically required by HIPAA regulations. In addition, HIPAA recommends, through addressable rather than required standards, that the Contingency Plan include (i) procedures for periodic testing, evaluation and revision of the Contingency Plan, and (ii) procedures for assessment of the relative criticality of specific applications and data which support other aspects of the Contingency Plan components.
Strong HIPAA security safeguards can be invaluable in the event of a cybersecurity or ransomware attack, both in preventing the attack and reducing its impact.