The Doctor’s Advocate | Third Quarter 2016
Craig Musgrave, Senior Vice President, Information Technology
The bar has been raised on HIPAA and ransomware attacks.
Under its recently released guidance, the Department of Health and Human Services (HHS) now presumes that a ransomware attack compromises electronic protected health information (ePHI)—unless the HIPAA-covered entity can prove otherwise.[1]
Before this guidance, if you determined on your own that no breach had occurred, no action was required of you; HHS bore the burden of proving that the ransomware attack had compromised ePHI.
That burden of proof has now shifted: it is your responsibility to prove that data was not compromised, including patient records, credit card data, and employee records. If you have a breach, or cannot prove that you did not, you must complete the HIPAA notification procedures and may face fines. You may also be fined if it is shown that your practice was not HIPAA compliant before the attack.
Large healthcare systems and hospitals with sophisticated technology may have an easier time meeting this burden of proof. Their firewalls can log the cyber criminals' traffic and record what data the intruders could reach, how long they spent in the system, and what data they extracted. Small practices without such systems or firewalls may have to hire a computer forensics firm to prove that a breach of their systems did not occur.
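As an added illustration, not part of the newsletter, the script below shows the kind of evidence a firewall or proxy log can supply for the three questions above (what was reached, for how long, and how much left the network). The log lines, host names, addresses and the `EPHI_PREFIXES` path list are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample log (not from the newsletter). Space-separated fields:
# timestamp  source-ip  destination-host  firewall-action  request-path  bytes-returned
SAMPLE_LOG = """\
2016-07-12T02:14:05 203.0.113.7 ehr.example.internal ALLOW /api/patients/list 512
2016-07-12T02:15:41 203.0.113.7 ehr.example.internal ALLOW /api/patients/export 4194304
2016-07-12T02:16:02 203.0.113.7 billing.example.internal DENY /cards/dump 0
2016-07-12T02:39:18 203.0.113.7 ehr.example.internal ALLOW /api/employees 98304
2016-07-12T09:01:00 192.168.10.4 ehr.example.internal ALLOW /api/patients/list 2048
"""
# Hypothetical path prefixes that hold ePHI in this constructed environment.
EPHI_PREFIXES = ("/api/patients", "/api/employees")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ALLOW|DENY) (\S+) (\d+)$")


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, action, path, nbytes = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "action": action, "path": path, "bytes": int(nbytes)})
    return events


def summarize_source(events, src_ip):
    """What one suspect address reached, how long it was active, and how much data went out."""
    mine = sorted((e for e in events if e["src"] == src_ip), key=lambda e: e["ts"])
    if not mine:
        return None
    allowed = [e for e in mine if e["action"] == "ALLOW"]
    return {
        "first_seen": mine[0]["ts"].isoformat(),
        "last_seen": mine[-1]["ts"].isoformat(),
        "dwell_seconds": int((mine[-1]["ts"] - mine[0]["ts"]).total_seconds()),
        "allowed": sorted({(e["dst"], e["path"]) for e in allowed}),
        "denied": sorted({(e["dst"], e["path"]) for e in mine if e["action"] == "DENY"}),
        "bytes_out": sum(e["bytes"] for e in allowed),
        # True if any permitted request touched a path that holds ePHI
        "ephi_touched": any(e["path"].startswith(EPHI_PREFIXES) for e in allowed),
    }
```

A report such as `summarize_source(parse_log(SAMPLE_LOG), "203.0.113.7")` is the starting point for the risk assessment; a denied request still shows what the intruder attempted, so it belongs in the record even though no data left.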
Ransomware remains a major threat for practices and hospitals: not only do over 50 percent of all cyber attacks occur in healthcare, but there have also been 4,000 daily ransomware attacks since early 2016, a 300 percent increase over the 1,000 daily attacks in 2015.[2] Ransomware attacks exploit technical and human weaknesses to gain access to a healthcare organization's system and deny the organization access to its own data.
Encryption used to be the standard method to prevent breaches and protect your practice, but that has also now changed. Encryption does not stop ransomware attacks: once a cyber criminal has access to your system, encryption will not halt the attack. In addition, encryption is no longer sufficient to prove that a breach has not occurred during a ransomware attack. While encryption of all laptops, desktop computers, and mobile devices remains important to overall security, practices and hospitals also now need to take additional steps:
The Doctor’s Advocate is published by The Doctors Company to advise and inform its members about loss prevention and insurance issues.
The guidelines suggested in this newsletter are not rules, do not constitute legal advice, and do not ensure a successful outcome. They attempt to define principles of practice for providing appropriate care. The principles are not inclusive of all proper methods of care nor exclusive of other methods reasonably directed at obtaining the same results.
The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.
The Doctor’s Advocate is published quarterly by Corporate Communications, The Doctors Company. Letters and articles, to be edited and published at the editor’s discretion, are welcome. The views expressed are those of the letter writer and do not necessarily reflect the opinion or official policy of The Doctors Company. Please sign your letters, and address them to the editor.
Ransomware Attacks: HIPAA Burden Falls to the Hospital or Medical Practice