Healthcare Ransomware: There Isn't Always a Breach
Please stay rational when listening to HIPAA experts talk about healthcare ransomware. Specifically, let's look at how your being lead to believe that every ransomware attack results in a data breach.
The fear-based expert (usually selling a product) will truthfully tell you ransomware attacks are a huge problem in healthcare, which is true. But then you'll start getting misinformation, such as:
- Being affected by ransomware is a HIPAA violation
- Patient information is breached
- You'll pay a $50K HIPAA fine
- You'll pay credit monitoring costs for affected individuals
While the above story is very motivating, it is also flawed and does a huge disservice to both you and the HIPAA law. Why? Because you now falsely believe HIPAA is super rigid and will find guilt at the drop of a hat.
Let's now put on a rational hat and look at what is really going on with healthcare ransomware.
The intent of ransomware is not to steal your data, it's intended to "lock" (encrypt) your computer so you can't access the data yourself. You'll then be asked to pay a reasonable fee—few hundred to a couple thousand dollars—to get access restored. In most cases, your data is never exposed to the attacker or the public; therefore, there is no breach to report and no HIPAA fines to pay!
And, just because you are attacked by ransomware does not automatically mean you have violated HIPAA. Bad stuff happens all the time and HIPAA completely understands. Anyone, at any time, can get a computer virus, have a computer stolen, lose a device, etc.. You only "violate" HIPAA when you don't have a legitimate HIPAA compliance program in place to prevent a breach and/or you experience a breach and you don't respond appropriately.
Now you know the truth.
Note: If you do experience a healthcare ransomware attack, have an IT professional evaluate the situation to determine if patient data is accessible to the attacker. If the data is only locked (no breach) then you can completely wipe your computer(s), reinstall software, and repopulate data from your most recent backup. This is precisely why the HIPAA requires that you have a data backup procedure. Thanks, HIPAA!
If restoring access to data is extremely time sensitive, then you may decide to pay the attacker's fee to get access quicker. Be aware, however, not all attackers will provide access even after paying the fee.
by Dr. Jeff Brown
Jeff Brown, DC, is CEO at HIPAAMATE and dedicated to making HIPAA compliance comfortable for small- and medium-sized healthcare practices and business associates. Dr. Brown’s career spans private practice, compliance consulting, and software product management for three healthcare technology companies.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.