Attacks on healthcare organizations are increasing. From ransomware to phishing, a HIPAA breach can have massive implications for your patients and your practice. Having a proper incident response plan in place will help you if that day does come. An incident response plan is a guideline of the things you need to do in the event you have a HIPAA breach. A full incident response plan is beyond the scope of this article but here are the 5 questions you should ask in the event of a breach event. For the purposes of this article, we will consider the breach to be of an electronic nature, involving computers, rather than a breach by staff or a Business Associate.
1. How do you contain the attack and prevent it from spreading?
The first thing to figure out how do you stop the breach from getting worse. Preventing that is your highest priority. If it limited to one computer, can you safely remove that computer from the network? What can you do to stop the infection from spreading? Make sure you have a backup of your data that is completely removed from the network. Ransomware can also attack backup devices and encrypt that data as well.
Are the attackers still in your network?
2. How far did this breach go? What all was accessed?
How many machines or devices were affected? Has it moved to your backup systems? Has it left your network and attacked others? What data was impacted? Were patient records, documents, email, or other types of data attacked? Was any data copied or stolen? This will be harder to know if you don’t have access controls or a proper firewall set up. But if the data was stolen, then you will have a much larger incident to be concerned with.
It is critical to know what type of data was accessed and if the data was stolen.
3. Is this a HIPAA violation?
As you begin to gather more information on the breach, you can assess whether or not patient records were involved. Were records accessed or stolen? If ransomware encrypted PHI, then this means the data was improperly accessed and this would be a HIPAA breach. How many patient records were accessed by the breach? If it is less than 499, you have a bit more time. If it 500 or more records, your clock is ticking. You must report the breach to HHS within 60 days of the day you discovered the breach. Don’t get creative with this date. It’s not the date after you resolved everything concerning the breach. It is 60 days from the day you first knew of the breach. This is part of the Breach Notification Rule. Also, you will need to contact all of the patients involved if their records were accessed.
4. Who was impacted or affected?
Was this limited to office staff or has it spread to patients? Did the breach go beyond your network and into your Business Associates or even other Covered Entities? Often attackers use one compromised network to attack another. Especially since many networks may be interconnected now, an attack can easily spread to others.
5. How do you close the holes and prevent this attack from happening again?
Now that you have stopped the attack and cleaned things up, you need to know how it happened. Was it a result of ransomware? If so, you will need to reassess your anti-malware protection and your patch management. If it was a result of a phishing attack, you will want to address staff training and also email protection. If the attack occurred because you don’t have any protection in place, its time to do a Risk Assessment and start your HIPAA compliance. Because when HHS OCR arrives for your audit, you will want to show them that at least now, you are trying to be compliant.
A HIPAA breach is nothing to ignore or sweep under the rug. These days, we are all interconnected more than ever. If one patient were to become aware, then it won’t take long before everyone is. If you have a breach that is not reported to HHS, then you can expect them to bring the hammer when they do find out.
Begin to build your own incident response plan for your practice. It is almost an inevitability that a breach of some kind will occur in your practice. It’s best to be ready for it.