How often are you training your staff on HIPAA?
A recent case in which a hospital paid hackers to regain control of its electronic medical records has left many healthcare organizations feeling vulnerable and somewhat helpless. Fortunately, there are actions you can take to prevent and mitigate such an attack on your protected health information (PHI).
First: “Always defer to the recommendations of law enforcement and security experts when it comes to paying a ransom, so long as you consider what is best for the patients,” advises HIPAA expert Jim Sheldon-Dean of Lewis Creek Systems in Charlotte, Vt. “You need to do whatever is necessary to have essential information available, and that can certainly mean paying the ransom. Every situation is different, but it will come down to a decision about what is best for both the patients and the institution.”
Here’s what else experts advise that you do:
1. Back up your data regularly. Have good, regularly tested backups of your data that are separated from your networks and protected from alteration. “If your data gets locked up, you have something to work from and can perhaps avoid paying the ransom,” Sheldon-Dean says. “If you don’t, you don’t really have a chance.”
2. Have a contingency plan. “Be prepared to shut down your systems and networks and still provide care,” Sheldon-Dean advises. Plan for how you will communicate and maintain records while systems are down, develop paper-based methods for doing so, and practice them regularly through drills.
3. Arm yourself with good training and hygiene. “Education is low-hanging fruit — once a year is not enough to train your people,” stresses Larry Whiteside Jr. of Denver-based cybersecurity solutions firm Optiv. Healthcare organizations “must emphasize cybersecurity education” for their employees to ensure that they understand how best to mitigate risks.
4. Focus on endpoint devices. When it comes to ransomware viruses, “organizations have to work on security on their endpoint devices (smart phones or tablets),” Whiteside advises. These devices are more prone to cyberattacks now than ever before — plus, the use of mobile devices is more prevalent and they have more access to data because they’re interconnected.
5. Enlist information security experts. “If you’re attacked, get the best information security experts you can afford to see if there is a way out and to keep from damaging any evidence you may need to preserve,” Sheldon-Dean recommends.
6. Contact law enforcement. “If there has been an intrusion, you should call your state police’s cybersecurity task force, or its equivalent, to get law enforcement involved,” Sheldon-Dean says. “Don’t be rash, and don’t publicly state there is a threat or not until you actually know.”
7. Make your decision carefully. Whether to pay a ransom is a “business-based risk decision,” according to Whiteside. If patients’ lives are not at risk, you might choose not to pay the ransom — and even if you do pay the ransom, “there is no guarantee that you will get access to your data back.”