Due to their high vulnerability level, healthcare providers are frequent targets for ransomware attacks. Lives depend on hospitals and healthcare personnel being able to access vital patient data whenever it is needed. As such, hackers have targeted hospitals and healthcare providers, costing these organizations thousands.
Ransomware operates by locking down systems—such as computer hardware, files, or even central servers—and demanding payment to unlock those systems. In essence, it holds the hospital’s systems or data hostage until the ransom is paid. Typically, hospitals have found that the best course of action has been to pay the ransom in order to regain access to critical data as quickly as possible. Even though ransoms have been relatively low, significant damage has been done to the victim institutions in the form of lost productivity, diminished reputation, and IT expenditures to repair the damage.
Hospitals face another risk in the form of the fines associated with failures to comply with federal privacy laws. HIPAA rules dictate that patient data must be kept private from those who are unauthorized to access it. At the same time, they law also requires that this data must be furnished to patients upon request. Ransomware interferes with both of these in that it can access patient records while also preventing authorized personnel from retrieving these records as needed.
A ransomware attack is deemed by the US Department of Health and Human Services’ Office for Civil Rights to be a HIPPA “security incident,” which requires the attacked institution to perform a multi-step risk assessment. Depending on the outcome of the assessment, the institution targeted by ransomware may also be subject to penalties for HIPPA violations. If your medical practice or hospital has been hit by ransomware, experienced health law attorneys can assist you with the risk assessment process and any additional steps that must be taken to achieve compliance.
Protecting Patient and Hospital Data
Under the law, hospitals must do whatever is deemed reasonable to fend off these threats. To protect themselves and their patients, healthcare providers must put various ironclad protections in place, including:
- Strict protocols restricting access to servers and patient data,
- Thorough training of personnel regarding security protocols, and
- Secure data backup and recovery plans and procedures.
Experienced healthcare law attorneys can help you ensure that you are fully compliant with federal and state privacy regulations.