In the final segment of this 6-part series, Dr Lorne Lavine discusses what dentists must have in place to deal with the aftermath of a ransomware attack.
This is the final segment of a 6-part series on cybersecurity and HIPAA. The previous articles explored defending against ransomware and other malware, such as preventing infections through use of firewalls; enlisting antiransomware software and application whitelisting; and bouncing back from a ransomware attack with a solid backup and disaster recovery system.
The last piece of the puzzle involves having systems in place to deal with the aftermath of a ransomware attack. This typically requires 2 steps: addressing HIPAA laws and ensuring adequate insurance coverage.
A ransomware infection is itself considered a HIPAA breach. Most of us don’t think of breaches in those terms; rather, breaches are thought to include cases such as a hacked network or a lost or stolen unencrypted mobile device. In 2016, however, the US Department of Health and Human Services (HHS) issued guidance stating that when ransomware encrypts electronic patient information, a breach is presumed to have occurred unless the practice can demonstrate a low probability that the information was compromised. The reasoning is that HHS treats a breach as a loss of control of the data: when ransomware encrypts files and makes them inaccessible, an unauthorized party has taken possession or control of them, which HHS counts as the information having been acquired. Many HIPAA regulations are somewhat ambiguous and open to interpretation, but not the Breach Notification Rule: if you experience a breach, you must, by law, notify every affected patient in writing and notify HHS, and a breach affecting more than 500 residents of a state must also be reported to prominent local media outlets. It won’t be pretty.
What constitutes a low probability of compromise? HHS requires a risk assessment against 4 factors: the nature and extent of the patient information involved (including the types of identifiers and how easily patients could be re-identified); the unauthorized person who used or received the information, which in a ransomware case is the attacker; whether the information was actually acquired or viewed; and the extent to which the risk has been mitigated. Almost every dental office would fail on 3 of those 4 factors, meaning a breach must be declared.
For the reasons above, I highly recommend that every practice consider some type of insurance policy. A breach policy is a good start, but a more comprehensive cyber liability insurance policy is best. After reporting a breach, the victim faces numerous costs: attorneys and legal fees, fines and penalties, credit monitoring for affected patients, and more. I recommend a policy with at least $250,000 of coverage; depending on the practice’s size, $500,000 may be more appropriate.
The cost of cyber liability insurance increased dramatically in 2021. With all the dental offices hit with ransomware in 2019 (well-documented cases in Wisconsin and Colorado come to mind) and the increased incidence of attacks in 2020 during COVID-19 restrictions, policies are no longer as dirt cheap as they once were. However, good coverage can still be found for less than $1000 a year, which, though not inexpensive, is far less than the cost of declaring a HIPAA breach.
In my opinion, ransomware is the biggest risk that dental offices face in 2021. I hope these 6 articles offer a road map for how to protect a practice’s most valuable asset—patient data—without affecting workflow or budget too much. Feel free to email me at firstname.lastname@example.org with any questions or suggestions for future topics.