Patients’ chances of recovery following surgery depend, at least in part, on their condition going into the procedure. The same is true of recovery from a cyberattack or data breach at a medical office.
Once you suspect or detect a breach, time is of the essence, says Chuck Kesler, chief information security officer for Duke Health. “The longer it takes to engage resources, the worse the problem can get.” Having a detailed recovery plan—readily available on paper, not a computer—can help practices minimize damage to data and interruptions to patient care. The plan should include initial steps as well as contact information for qualified service providers who can guide the recovery process.
Practices affiliated with a hospital or health system often have the advantage of a central information technology (IT) department with established policies and procedures for protecting data and responding to a suspected threat. Individual practices may not have the same capabilities, Kesler says, which can lead to trouble. The key to minimizing the effects of an attack or breach is preparation.
According to David Holtzman, vice president of compliance strategies at CynergisTek, much of the available literature on cybersecurity in health care is aimed at large organizations with dedicated IT departments. In many ways, he says, small, independent office-based practices are more like small businesses than large health systems. He refers these practices to a series of reports and toolkits for small businesses developed by the Federal Trade Commission that detail protecting your network, choosing and monitoring vendors, and responding to a data breach.
Although medical malpractice policies often include a small amount of coverage for cyber attacks, practices might want to consider additional coverage either through a “buy up” option that extends coverage or a separate standalone policy, says Beth Berger, managing director for health care practice for Arthur J. Gallagher & Co., an insurance broker.
The benefits of insurance start before an incident even occurs, Berger explains. Most carriers offer resources to help prepare and protect the practice, and some have arrangements with preferred vendors and legal representation. Taking advantage of these services early on can help ensure that providers follow best practices to minimize damage in the event of an attack. State health information exchanges or medical associations may also have resources for practices.
Training is also essential in the preparation process. Berger points out that employee error is a major cause of data breaches and cyberattacks. Someone may accidentally click on a suspicious link, forget to encrypt data, or bring work home on a laptop or USB drive that ends up getting lost or stolen. Staff training should include strategies for avoiding data breaches and detecting possible signs of a breach. Berger adds that the Health Insurance Portability and Accountability Act requires annual training, so not providing it can be a violation.
Recognizing an Attack
Sometimes the signs of a data breach are obvious: the “blue screen of death” or a ransomware message that pops up on the monitor. Other signs are subtler: Maybe the practice’s network is running unusually slowly or a PC that is usually idle overnight is warm in the morning. Firewall or virus detection software may notify users of a potential threat.
News of data breaches at nearby practices or those in the same data exchange can also signify a possible breach, says Zuly Gonzalez, CEO and co-founder of Light Point Security, a data security firm based in Baltimore, MD.
Identifying the Cause and Restoring Data
Once an attack is detected, the first step is to disconnect the information system (the server containing sensitive data) from the internet. The next step is to reach out to experts to help investigate the cause. Knowing the nature of the breach can help prevent mistakes in the recovery process and protect the practice from future attacks. Berger notes that if the investigation is conducted by a law firm, the findings normally fall under privileged information, which may be important in case of legal action.
Victims of ransomware must weigh the risks of paying the fee and attempting to retrieve the data versus restoring a backup that may be missing some data. Insurance coverage, legal advice, and technology considerations should play a role in that decision. But restoring data after a ransomware attack is risky; hackers may leave malware or other viruses in the data that continue to infect your system and compromise patient information.
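One practical safeguard against the risk described above is to record a hash manifest of a backup while it is known to be clean and check any restored copy against it before it goes back into service, so altered, unexpected or missing files are flagged for review. The script below is an added example written for this article, not code from the author or from any of the firms quoted; the directory layout and sample files it creates are constructed for the demonstration.

```python
"""Verify a restored file tree against a hash manifest captured from a known-good backup.

Added example (not from the article): before putting restored data back into
service, compare it with a manifest recorded when the backup was known to be
clean, so files that were altered, added or dropped are flagged for review.
The paths and sample files below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest.

    Returns a dict with three sorted lists:
      modified - present in both but content differs (possible tampering or corruption)
      added    - present in the restore but absent from the manifest (unexpected files)
      missing  - listed in the manifest but absent from the restore (incomplete restore)
    """
    current = build_manifest(restored_root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a clean backup, then a restore with one altered file,
    one unexpected executable and one missing record."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"
        for root in (backup, restore):
            (root / "records").mkdir(parents=True)
        # Known-good backup contents (constructed sample data).
        (backup / "records" / "patient_001.txt").write_text("visit notes A\n")
        (backup / "records" / "patient_002.txt").write_text("visit notes B\n")
        (backup / "schedule.csv").write_text("date,room\n")
        manifest = build_manifest(backup)
        # Restored copy: one file altered, one file dropped, one unexpected file added.
        (restore / "records" / "patient_001.txt").write_text("visit notes A\n")
        (restore / "schedule.csv").write_text("date,room\n#tampered\n")
        (restore / "records" / "update.exe").write_bytes(b"MZ...")
        return verify_restore(manifest, restore)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

In practice the manifest is generated when the backup is taken and stored separately from the backup itself (for example on the same paper-backed recovery plan media or a write-once store), so that an intruder who alters the backup cannot also alter the record it is checked against. Anything reported under "added" or "modified" is worth handing to the investigating experts before the restored data is reconnected.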
Complying with Reporting Requirements
Legal counsel can help practices with the notification process as well as state and federal reporting requirements. According to Berger, practices must comply with state laws for any state where affected patients reside. In addition, practices must notify the U.S. Department of Health and Human Services of any breach, and must do so within 60 days in cases involving more than 500 affected patients. Some states, such as Florida, have even shorter windows. Even if patient data were not affected, an interruption to patient care may need to be reported.
Communicating with patients can get tricky, especially before there is a clear understanding of what happened. Practices “need to be upfront and clearly communicate what has occurred,” says Kesler, “but not before you understand what the problem is.”
The last step in the process is to revisit policies and procedures to determine whether changes are needed to provide maximum protection and adhere to federal and state laws—in effect, starting the recovery process in the event of another attack.