Are You Ready? Ransomware and Cybersecurity Advice from Professionals


With the number of cybersecurity events on the rise, are you ready if something happens in your practice? Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or, far more commonly, by encrypting the users' files, and then demands a ransom for restoring access. Many current ransomware operations also copy data before encrypting it, so an infection should be treated as a possible disclosure of protected health information (PHI) and not only as an outage. It is crucial to have a plan in place to prepare and protect yourself before an event happens to you. Here is some advice from practicing cybersecurity professionals to get you started.

  1. Document, Document, Document
    1. Keep records of when your system became unavailable, and which services were restored and when. A timeline is the most effective format, but each entry needs supporting evidence: screenshots, vendor ticket numbers, e-mails, and any system or firewall logs you can still retrieve.
    2. Make a list of impacted business processes. If you are not able to print appointment schedules, put that on the list.
    3. Track any lost revenue or extra costs involved in the attack.
  2. Consult with Legal Counsel
    1. Your software contract may have specific provisions related to system availability.
    2. If your legal counsel is not able to respond to your request, they may suggest a firm that specializes in software and electronic health records.
  3. Prepare a Written Statement for your Patients
    1. Patients are concerned about their health records.
    2. A factual statement, or a one-page written information sheet, approved by your practice management and legal counsel will ensure that all employees respond in the same way when asked about the issue. Review and update the statement each day as the situation changes. Example: if electronic prescriptions are not available, provide instructions on how patients can obtain a paper prescription, and change the notice when electronic prescription functionality is available again. Here is a statement that one hospital released about ransomware: https://www.hancockregionalhospital.org/2018/01/cyber-attack-pov-ceo/
  4. Share Information Appropriately
    1. Sharing documentation that contains patient names or other protected health information (PHI) may itself constitute a breach. A list of 7 patients whose appointments were impacted by the ransomware cannot be openly shared because it contains PHI; keep such lists internal and share only de-identified counts and process descriptions with outside parties.
    2. Participate in update calls from vendors, and ask for the information obtained on the call to be confirmed in writing where possible.
    3. Notify your IT support. HHS has a fact sheet on ransomware available at this link: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
  5. Report to the appropriate agencies
    1. Ransomware is a crime; work with your law enforcement organization (in the United States, the local FBI field office or the FBI's Internet Crime Complaint Center, IC3).
    2. Vendors are responsible under your business associate agreement for notifying you of any information security incidents affecting your data. Collect and keep their notifications, but do not treat a vendor's notice as a precondition for your own work: the HIPAA Breach Notification Rule's deadlines run from when the breach is discovered, and the obligation to assess whether PHI was compromised remains with your practice.
    3. Other agencies may need to be notified based on your specialty and or factors related to your practice.
    4. Consult with your insurance carrier to see if you have cyber liability benefits as a part of your policy.
  6. Evaluate your Security Incident Response Plan
    1. The HIPAA Security Incident Procedures standard at § 164.308(a)(6)(i) requires a covered entity to implement policies and procedures to address security incidents.
    2. Review and document your response to this security incident -- what went well? Where can you improve? Did you coordinate with law enforcement partners, other agencies, or other healthcare partners?
    3. Ensure that documentation of your annual mock response or drill of the security incident plan is current and available if needed for a follow-up investigation.