P. 31
BUSINESS

He reviewed a number of corrective action plans mandated by the Office for Civil Rights, whose post-breach review will begin by examining the practice’s most recent risk assessment, IT logs and personnel policy and procedure guide training records. “One unencrypted laptop left unattended in a car,” said Robertson, “has brought down whole enterprises.”

Tips to Staying Safe in Your Own Data

Crucial to successful responses in both cases was a close relationship with their IT managed services provider. Making sure your practice’s MSP is aware of and responsible for all of HIPAA’s Security Rule mandates, particularly regarding anti-malware updates, software patches and monitoring IT assurance, should be part of its business associate agreement.

GCS’s Joe Gleinser says he is asked for the best advice to those new to the business: “First, recognize the magnitude of the risk and build a multi-layered shield. Unfortunately, I don’t see ransomware taken seriously at the Executive Level, but perhaps that might change as more stories get told.”

Staff training on new security threats and email policies is vital to an enhanced immune system. Says Gleinser, “We’ve responded to more than eighty-five ransomware attacks since January 2016. Almost every case has been caused by a phishing attack through email.”

Unfortunately, despite strong immune systems, viruses still find a path to infect otherwise healthy systems. An incident response plan is needed to deal with a chaotic and calamitous situation. Adrian P. Senyszyn, JD, who serves as attorney for ABCD Pediatrics and is an expert on cyber incidents, speaks to the need to preserve evidence. “You need to help prove the low probability of compromise to protected health information.”

First, he advises, disconnect: have your IT company disconnect your network from the Internet, the more quickly, the better.

Investigate and document the incident immediately. Make sure IT staff accurately document their findings in an incident report that should be signed and dated. Screenshots or photographs taken by cell phones will help document evidence. Treat everything as though it was a crime scene … it is.

If possible, have the MSP maintain the infected IT system in a digital sandbox, neither shutting it off nor wiping it clean. By wiping the malware from your system, you are likely destroying the evidence that proves the ransomware did not exfiltrate data to cyber criminals.

Determine the scope of the incident by identifying and documenting which networks, systems, or applications were affected; the name of the virus or malware; and the origin of the incident or vulnerability that caused it. Staff should document information related to the attack in separate incident reports that are signed and dated.

You also should consider whether a forensic investigation of your computers and servers would be appropriate.

Besides your IT manager, there are two other names at the top of your disaster-recovery call sheet: contact your medical professional

THE LAW:

Ransomware is a HIPAA reportable incident, regardless of whether PHI was removed from the system.

The Office for Civil Rights (OCR) of Health and Human Services (HHS) has made it clear: with 4,000 daily attacks, it is a serious threat that exploits “human and technical weaknesses” and “The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule.” (FACT SHEET: Ransomware and HIPAA - HHS.gov)

continued on page 32

visit us at www.bcms.org 31