Ransomware Attack Strikes Mental Health Provider
Another ransomware attack has been making headlines this week–this time, the attack targeted a mental health care provider.
The Minnesota-based Associates in Psychiatry and Psychology announced that it was targeted by a strain of ransomware on March 31 of 2018.
Ransomware attacks are a growing threat to health care providers because of the significant value that health care data sells for on the darkweb. The way a ransomware attack works is through a concentrated malware attack. The ransomware infects a given computer or network and encrypts the data stored within these systems. The hackers then contact the owners of the data and provide an ultimatum: pay a ransom fee by a certain date, or access to the data will be permanently barred.
Waves of ransomware over the past few years have gotten so bad, that the FBI has even released guidance on how to properly deal with an attack when your practice is affected.
Even though data is sometimes able to be retrieved by restoring from an off-site back up, Associates in Psychiatry and Psychology were not so lucky–Information Security Media Group reports that a spokeswoman from the organization confirmed that in the end, the ransom was paid to the hackers.
Growing Threats to Health Care Data
Because health care data is so valuable to hackers, the threat that behavioral health professionals face is at an all-time high. And to make matters worse, the headache may not end once the ransom has been paid.
Health care data is considered protected health information (PHI) under HIPAA regulation. HIPAA defines PHI as any of 18 identifiers that can be used to identify a patient. Common examples include names, dates of birth, Social Security numbers, health care records, or addresses. In the event that PHI is breached, the practice that has been targeted must report the incident to the Department of Health and Human Services (HHS). From there, the Office of Civil Rights (OCR) may choose to launch an investigation into the breach. If a HIPAA violation is uncovered over the course of OCR’s investigation, that could mean civil monetary penalties, HIPAA fines, and even jail time for the practitioners responsible.
The best way to protect against ransomware is through off-site back-up for all data, full-disc encryption, and HIPAA compliance. By implementing a HIPAA compliance program with HIPAA self-assessments in tandem with these security measures, behavioral health professionals can ensure that patient data is kept safe, and mitigate the impact of HIPAA violations should they occur.
If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure.Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.