Healthcare cybersecurity incidents have been making headlines with more and more frequency over the past year. Telebehavioral health professionals whose practice is mainly digitally-based are particularly at risk of cybersecurity and ransomware incidents.
Ransomware is a type of malicious software, similar to a virus, that infects a healthcare organization’s computer network or servers. A hacker operating from a remote location then encrypts the data stored on the network, blocking you from accessing it. Without the proper decryption key, the data remains encrypted. Hackers demand a ransom in exchange for restoring access to your data. If the ransom is not paid by a certain date and time, the hacker often sells the data on the black market, exposing your behavioral health practice to HIPAA violations.
The federal government has released guidance on how healthcare cybersecurity incidents and ransomware attacks should be handled. But even if the incident is handled properly, that doesn’t mean your practice won’t be hit with a HIPAA investigation and fine.
Below, we discuss how behavioral health practices can mitigate the effects of a ransomware incident with a robust HIPAA compliance program that satisfies the law, while protecting your practice.
HIPAA and Ransomware
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released specific guidance on how healthcare cybersecurity incidents should be handled. These guidelines coincide with HIPAA regulatory requirements for all healthcare professionals, which means that one of the best defenses your practice can put in place to defend against ransomware is an effective HIPAA compliance program.
The following are the most important things your practice can do to defend against ransomware incidents:
- Employee training is mandated by HIPAA and ensures that staff are kept up to date on the most recent healthcare cybersecurity threats. Ransomware is often downloaded via an email attachment or a fake system update. Unwitting staff members can accidentally download the ransomware program onto their systems, which can lead to a full attack.
- Off-site data backup is also recommended by HIPAA. An off-site backup gives your practice a second chance to restore access to data that has been encrypted by a malicious strain of ransomware, so that your practice can get back up and running after an incident.
- Full-disk encryption is also recommended for HIPAA compliance. Combined with off-site backup, encryption keeps your data safe even if it has been affected by ransomware. This prevents hackers from accessing your data and leaves your practice free of a HIPAA violation in the event of a cybersecurity attack.