Ransomware: The Lesser Told Story

by Dr. Jeff Brown

Please stay rational when listening to HIPAA experts using fear-based tactics. For example, let's look at how RANSOMWARE can be misrepresented.

The fear-based seller will truthfully tell you ransomware attacks are a huge problem in healthcare (great info because it's true). Then you'll get scary misinformation, such as:

  • Being infected is a HIPAA violation
  • Patient information is breached
  • You'll pay $50K HIPAA fine plus credit monitoring

While the above story is very motivating, it is also flawed and does a huge disservice to both you and the HIPAA law (because you now falsely believe HIPAA is super rigid and finds guilt at the drop of a hat).

Let's now put on a rational hat and look at what is really going on with ransomware.

Ransomware is NOT intended to steal your data; it's intended to "lock" (encrypt) your computer so you can't access the data yourself. You'll then be asked to pay a reasonable fee, a few hundred to a couple thousand dollars, to get access restored. In most cases, your data is never exposed to the attacker or the public; therefore, there is NO breach to report and NO fines to pay!

And, just because you are attacked by ransomware does NOT automatically mean you have violated HIPAA. Bad stuff happens all the time, and HIPAA completely agrees. Anyone, at any time, can get a computer virus, have a computer stolen, lose a device, etc. You only "violate" HIPAA when you don't have a legitimate HIPAA compliance program in place and/or you experience a breach AND you don't respond appropriately.

Now you know the truth.

Note: If you do experience a ransomware attack, have an IT professional evaluate the situation to determine if patient data is accessible to the attacker (unlikely). If the data is just locked (no breach) then you can completely wipe your computer(s), reinstall software, and repopulate data from your most recent backup. This is precisely why HIPAA requires you to have a backup. Thanks, HIPAA!

If restoring access to data is extremely time sensitive, then you may decide to pay the attacker's fee to get access more quickly. Be aware, however, that not all attackers will provide access even after the fee is paid.

DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.
