Don't Let HIPAA Audits, Ransomware Sink Your Practice

At the same time medical practices are faced with the increased likelihood of a HIPAA audit, hackers hover around waiting to steal patients’ personal data and/or hold it hostage through ransomware scams. These practices could easily sink in the perfect storm created by the confluence of these twin threats - especially if they are weighed down with tens of thousands of unsecured patients' records.

Though they may have ignored earlier warning signs, medical practices should not be surprised by the escalating risk of being saddled with a HIPAA compliance audit. During the 2011 Phase 1 round of audits, the Office of Civil Rights (OCR) in the Department of Health and Human Services (HHS) found a significant percentage of medical entities had not performed a comprehensive security risk assessment.

On top of that, the Office of the Inspector General criticized OCR for not investigating a sufficient number of small data breaches or tracking all healthcare organizations found to be violating federal privacy laws -criticisms that could prompt stricter enforcement and steeper fines.

OCR is in the process of sending tens of thousands of emails to collect contact information on data security officers in medical facilities. While not all small practices may be subject to a review, the price for failing a HIPAA audit is steep. Earlier in 2016, OCR received two multimillion-dollar settlements from providers whose unencrypted laptops had been stolen. More than that, those practices could lose patients who are fearful about the potential theft of their personal information.

Concurrently, 2016 holds the dubious distinction of being named the "Year of Ransomware," by everyone from obscure cybersecurity bloggers to mainstream media commentators at the Los Angeles Times and CNN. The uptick in ransomware scams -estimated to have risen 35 percent in 2015 -is partly attributed to the fact that it's now easier for hackers to earn money by holding data hostage than by selling it on the black market.  

In February, computers at Hollywood Presbyterian Medical Center in Los Angeles were shut down by hackers who held them hostage for ten days. This forced staffers to keep records with pen and paper until the hospital paid $17,000 in ransom via Bitcoin.

Hospitals and medical offices, offer a rich target for cybercriminals because of all their up-to-date personal information on patients. As HIPAA auditors noted, many medical entities do not often take rudimentary protective measures, like security risk assessments or staff training programs.

Hackers Don’t Care About Your Medical History

During HIPAA's infancy in the 1990s, medical personnel were often most concerned about the need to protect information on diagnoses and treatments but hackers today are far more interested in stealing Social Security numbers, credit card data, and the protected health information (PHI) routinely provided in medical settings.

To begin thwarting hackers, medical practices need to conduct a security risk analysis (SRA) -a process that will also fulfill the mandates of the Security Rule, one of the linchpins of HIPAA compliance.

To complete the SRA, medical practices must identify all locations where sensitive patient data is stored, the likely risks for that data being lost or stolen, and the measures for reducing those risks.

Can your staff protect your data from falling into the wrong hands?

When employees are not trained to recognize phony phishing scams, they could click on emails or links that enable hackers to install ransomware. Ransomware encrypts or locks all the files on a computer and could spread to other computers in a network. Phishing emails are getting harder to spot and criminals are using sophisticated methods of tricking employees into being ransomware victims

Medical practices must also be on guard for employees hired who come and go because they could steal PHI and use it to commit financial fraud. As a precaution, employees should receive only minimal access to EHRs.  Employee training programs will not only minimize data theft, but also warn staffers about the severe consequences of pirating PHI.

While most practices are diligent about backing up their systems, they should make the effort to test the backup and restore process. If they wait until after a ransomware attack to perform the test for the first time, they could run into unforeseen complications. This includes the horrifying realization that not all of their data has been backed up and their only hope is paying the ransom to free their data. 

Practices have tens of thousands of valuable medical records in their possession. Even small practices with just a couple of physicians may store up to 50,000 patient records.

These assets are increasingly under attack from ransomware and other nefarious activities.  Fortunately, the HIPAA statutes provide guidance on what needs to be done, starting with a proper SRA.  It's not the only measure required for HIPAA Security Rule compliance, but it is the best place to start.

In order to be HIPAA compliant and to protect against ransomware:

• You need to understand your risks and take steps to lower them

• You need to train your employees on protecting patient information and identifying phishing scams that lead to ransomware

• You need to ensure that employees have the minimal amount of access to data to perform their job (for compliance and minimizing the impact of ransomware)

• You need to back up your data and regularly test the backups to ensure recovery (for compliance and recovering from ransomware).

Art Gross is the president and CEO of HIPAA Secure Now!, which provides risk assessment, training and other security services to medical practices.  He can be contacted at artg@hipaasecurenow.com.