ONE OF the top cyber security risks to today’s optometric office is malicious software, or malware. “Ransomware” is a kind of malware that encrypts — or locks — your data and demands money in exchange for a de-encryption key. (You’ve likely heard news reports, like this one from NPR, n.pr/2hkp9Yl , about malware demanding hundreds of thousands of dollars from universities and hospitals, such as the hospitals in England’s National Health Service earlier this year.)
If your firewall isn’t sophisticated enough to block the newest forms of malware, merely opening a malicious email attachment on a company computer will trigger the ransomware process, taking less than a day for your computer screen to reveal a ransom message.
Your ransom message will tell you how long you have, often 72 hours, to electronically transmit Bitcoin, a virtual currency, to the criminal with an expectation — not a guarantee — of receiving the de-encryption key.
An additional timeline of 60 days also kicks in at the time of a breach caused by ransomware via Department of Health and Human Services (HHS) protocol. The required reporting can then open the practice to a Health Insurance Portability and Accountability Act (HIPAA) audit, which can have its own financial implications.
As soon as the clock starts ticking, follow these steps to mitigate damage to your system, gather information for a possible audit, follow government protocols and rebuild a stronger system for the future. [Of note: Each practice will have unique challenges; it is recommended to work with a seasoned information technology (IT) professional to navigate the process.]
After taking a quick picture of the message, immediately disconnect your server, and contact your IT professional.
Your decision to pay for the de-encryption key rests in the state of your computer back-up systems. You may feel comfortable simply restoring the last back up and losing any data in the gap. The average ransom for 2016 was $679, according to Symantec, a technology security company. Many find this an acceptable price to pay for one or two days’ worth of data.
In addition, control the narrative among your employees. When an employee turns on his or her computer and sees an alarming ransom message, interpretation may differ from reality. It would be wise for a manager or practice owner to personally speak to every employee and explain the situation. It is not in the best interest of the office for patients to hear from staff, “our computers were hacked” when explaining why the doctor’s schedule can’t be accessed today.
Ensure Pre-Breach Requirements
HIPAA requires you to turn in some items that an investigator would expect to be dated prior to the breach. Your ISP Handbook, which should have procedures on responding to a data breach (see 45 C.F.R. 164.308(a)(6-7), should include logs of all of the following: (See also, “Computer Security Incident Handling Guide” at http://bit.ly/2hkwk2s .)
- Proof of regular employee training on HIPAA compliance separately and in addition to IT security. In particular, employees should receive training to detect and report malware. To prove this, retain a description of covered topics (copies of PowerPoint presentations and formal handouts on both HIPAA security and IT security are adequate), and collect signatures, with the date, from employees in attendance.
- Records of updates. Your IT and management team should regularly update dated logs for events like software updates, installation of a firewall, a new IT vendor or the addition of a superuser, an account with widespread access, to the network.
- Annual security risk analysis reports. Offices should have a confidentiality/security team of two to four employees/IT professionals who conduct a security risk analysis at least annually; the results of these audits should be saved in a secure place.
Complete an incident report, which should be a component of your HHS-mandated Information Security Policy (ISP) Handbook. This one- to two-page document will include all relevant details of the attack, such as time, source and ransom message.
Your IT professional may be most qualified to complete this report. He or she may need to contact your EHR vendor to confirm whether HIPAA-compliant encryption was enabled. (See “Fact Sheet: Ransomware and HIPAA” from HHS at http://bit.ly/2hkoxBI .) Begin enacting the response procedures detailed in your contingency plan, also a component of your ISP.
Finally, begin composing a dated list describing every step taken in response to the incident. Content is more important than the formatting, but it’s helpful to keep things in chronological order. Update this document frequently, even daily, as it will be valuable when preparing for the audit.
PROBE FOR HIPAA VIOLATION
A breach occurs when the provider loses control over Protected Health Information (PHI), according to HIPAA guidelines. Even if your firewall shows no outgoing packets of information during the course of the security violation, loss of control does occur. In that way, ransomware triggers a HIPAA violation.
It is challenging for a practice to prove “low probability that the PHI has been compromised” (45 C.F.R. 164.402(2)). However, your IT professional can find tips on this process via the “Fact Sheet” mentioned previously, at http://bit.ly/2f2ji97 . You will need to submit adequate documentation (burden of proof) when the investigator first contacts you; even then, an investigation may be required.
NOTIFY LAW ENFORCEMENT
While it doesn’t hurt to call your local precinct and file a report (making note of the case number for the audit records), eventually the FBI must be alerted, as this is a cybercrime. Visit the website www.ic3.gov to complete this report, and keep your IT professional handy if you need help answering any questions. Law enforcement may require the practice to delay in proceeding, so make contact with the FBI early in the process.
FOLLOW HHS PROTOCOL
HHS requires several actions be taken in the 60 days following discovery of the breach. The details are spelled out in HIPAA rule section 164.404. Take care to ensure you document all steps with proof of dates.
- Establish an 800 number for patients to call for more information. It is fairly easy to rent this service for a set number of months, record a voicemail and regularly check messages for follow up. Examples of companies offering this service are FreedomVoice, Grasshopper and RingCentral.
- Offer free credit monitoring to any patient who requests it. The large credit clearing houses (for example, Experian) offer this service to businesses that have had a breach. Save and document any requests, as the investigator may request this information. As the toll-free number and credit monitoring can take a few days to establish, make them the first priority.
- Inform affected patients, via mail. A postcard or letter must be mailed, one time, to all affected patients; it must include a description of the incident and the 800 number. Consult the HHS website to ensure all relevant details are included in your message. Retain proof of shipment, which should also show the quantity of pieces sent. All undeliverable mail should be retained and counted.
- Publish a notice. Alert your local media outlet (a newspaper or news station) of the breach. Publish a one-day notice that provides the same information as on the mailed postcard or letter.
- Post an alert on your practice’s website landing page. Again, list the 800 number. This notice must remain for 90 days. Use your computer’s screen capture feature to record proof of the 90-day term.
- Conduct additional staff training on both HIPAA security and IT security, taking care to collect signatures, with dates. A post-breach security risk analysis is also called for. (See “Ensure Pre-Breach Requirements” on p.29.)
- Access hhs.gov/hipaa , and complete a report describing the breach to the Office for Civil Rights (OCR). This is the government entity in charge of enforcing HIPAA. At this time, you should still be within the 60-day period.
Upon receiving your report, a representative will contact you to begin the investigation process. The exact documentation required can vary based on your regional office; you may be given only a few weeks to prepare your files. HHS prefers receiving electronic records, so your investigator may suggest you encrypt a flash drive, then physically mail the drive to the investigator, and email the passcode.
REBUILD YOUR SYSTEM
A formal risk assessment should be conducted by your privacy officer and/or security team. This should follow your “contingency plan” and the “data backup plan and procedures” section of the ISP Handbook. Each of these sections of the handbook must include two sub-sections: one if the breach occurs for fewer than 500 patients and another for more than 500 patients. Most optometry practices will be in the latter category.
Your IT team will make recommendations as to how to rebuild your domain and network. You may elect to upgrade your firewalls, improve back-up systems, and move email services to a company that has better filtering. Carefully record all details and dates, and save receipts. Your investigator will want an account of how the virus was able to penetrate and what the office added or changed to enhance protection.
The take-away from the whole ordeal is the importance of two components: (1) a quality firewall that is updated constantly, to guard against the newest viruses and (2) a back-up system, offline and protected from other networks.
FOLLOW-UP ON REPORT
Depending on your region of the country, you may experience an initial delay lasting months. Once processed, your investigator will often require you to submit more documentation and give deadlines of 10 to 14 days. If you follow OCR and HHS guidelines, you should successfully pass your audit.
A FINAL WORD
HHS is scrambling to establish policy in the wake of new security threats. Consult the HHS website following a malware attack, as rules and guidelines constantly evolve. For guidance, call (800) 368-1019, or email OCRPrivacy@hhs.gov. OM