Healthcare Ransomware: There Isn't Always a Breach

By: Dr. Jeff Brown | updated on

Please stay rational when listening to HIPAA experts talk about healthcare ransomware. Specifically, let's look at how you're being led to believe that every ransomware attack results in a data breach.

The fear-based expert (usually selling a product) will start by telling you, truthfully, that ransomware attacks are a huge problem in healthcare. But then the misinformation begins, such as:

  • Being affected by ransomware is a HIPAA violation
  • Patient information is breached
  • You'll pay a $50K HIPAA fine
  • You'll pay credit monitoring costs for affected individuals

While the above story is very motivating, it is also flawed and does a huge disservice to both you and the HIPAA law. Why? Because you now falsely believe HIPAA is super rigid and will find guilt at the drop of a hat.

Let's now put on a rational hat and look at what is really going on with healthcare ransomware.

The intent of ransomware is not to steal your data; it is intended to "lock" (encrypt) your computer so you can't access the data yourself. You'll then be asked to pay a reasonable fee (a few hundred to a couple thousand dollars) to get access restored. In most cases, your data is never exposed to the attacker or the public; therefore, there is no breach to report and no HIPAA fines to pay!

And just because you are attacked by ransomware does not automatically mean you have violated HIPAA. Bad things happen all the time, and HIPAA accounts for that. Anyone, at any time, can get a computer virus, have a computer stolen, lose a device, etc. You only "violate" HIPAA when you don't have a legitimate HIPAA compliance program in place to prevent a breach, and/or you experience a breach and don't respond appropriately.

Now you know the truth.

Note: If you do experience a healthcare ransomware attack, have an IT professional evaluate the situation to determine whether patient data is accessible to the attacker. If the data is only locked (not accessible), then you can completely wipe your computer(s), reinstall software, and repopulate data from your most recent backup. This is precisely why HIPAA requires that you have a data backup procedure. Thanks, HIPAA!
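The restore step above only works if the backup is recent and was not itself reached by the ransomware. The following script is an added example (not from the article or its author) of a backup readiness check: it records a SHA-256 manifest when a backup is taken, then later confirms the backup is fresh enough and that no file is missing, altered, or unexpected (an encrypted copy or a dropped note would show up as "modified" or "unexpected"). The directory layout, file names, the 24-hour freshness window, and the tampering scenario in `demo()` are all constructed for illustration.

```python
"""Backup readiness check (added example, not the article's own procedure).

Before relying on a backup to recover from ransomware, confirm that:
  1. the backup is recent enough (within the restore window you chose), and
  2. every file still matches the hash recorded when the backup was made,
     so the backup copy itself was not encrypted or altered.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record the creation time and the SHA-256 of every file, keyed by relative path."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            files[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    return {"created": time.time(), "files": files}


def verify_backup(backup_dir: Path, manifest: dict, max_age_seconds: float, now=None) -> dict:
    """Compare the backup directory against its manifest and report every problem found."""
    now = time.time() if now is None else now
    expected = manifest["files"]
    present = {p.relative_to(backup_dir).as_posix() for p in backup_dir.rglob("*") if p.is_file()}
    report = {
        "stale": (now - manifest["created"]) > max_age_seconds,
        "missing": [rel for rel in expected if rel not in present],
        "modified": [rel for rel in expected
                     if rel in present and sha256_file(backup_dir / rel) != expected[rel]],
        "unexpected": sorted(present - set(expected)),  # files that were never backed up
    }
    report["ok"] = not (report["stale"] or report["missing"]
                        or report["modified"] or report["unexpected"])
    return report


def demo() -> dict:
    """Constructed scenario: take a small backup, then simulate the backup being hit."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        (backup / "records" / "patients.csv").write_text("id,name\n1,sample\n")  # constructed data
        (backup / "config.json").write_text("{}")
        manifest = build_manifest(backup)
        day = 24 * 3600
        clean = verify_backup(backup, manifest, max_age_seconds=day)
        # Simulate the backup copy itself being encrypted and a note being dropped next to it.
        (backup / "records" / "patients.csv").write_bytes(os.urandom(32))
        (backup / "README_RESTORE.txt").write_text("constructed ransom note")
        tampered = verify_backup(backup, manifest, max_age_seconds=day)
        # Same backup judged two days after it was taken: too old for a one-day window.
        stale = verify_backup(backup, manifest, max_age_seconds=day, now=manifest["created"] + 2 * day)
    return {"clean": clean, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The manifest should be stored somewhere the backup host cannot overwrite (offline media or a separate account), otherwise an attacker who reaches the backup can simply regenerate it; the check is only as trustworthy as the copy of the manifest you compare against.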

If restoring access to data is extremely time sensitive, then you might decide to pay the ransom. Be aware, however, that not all attackers will restore access even after you pay.

Until recently, the FBI recommended never paying the ransom because, in theory, ransomware would disappear if the crime didn't pay. However, the FBI doesn't run a for-profit business or face going bankrupt if it loses access to data. Therefore, you'll need to decide for yourself the best course of action based on the situation.

DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice.
