In August of 2019, the Battle Creek Enquirer reported that a local medical clinic opted to close permanently instead of paying $6,500 to regain access to their patient records. There’s much more to recovering from a ransomware attack than the ransom. This clinic was clearly overwhelmed by the prospect of dealing with fines and the cost of notifying all patients their information had fallen into the wrong hands.
There’s no escape from privacy regulations.
The article does not go into detail about how regulators handled the ransomware breach under HIPAA. Clearly it’s not possible to shirk responsibility completely. And the drastic option of closing your clinic when ransomware gets in is not one many would consider.
Beyond legal obligations, clinics have an ethical responsibility to protect patient information. In the USA under HIPAA, covered entities must notify patients after their PHI has been exposed or stolen. Suffering a breach like this is detrimental to a practice or practitioner’s reputation.
According to the College of Physicians and Surgeons of Alberta (CPSA), “A regulated member who closes or leaves a medical practice is responsible for the secure storage and disposition of the patient records from that medical practice.” So simply shutting down a medical practice in the province doesn’t cut it. A custodian, or regulated member, is responsible for the records they collected.
Avoid ransomware infections with proper privacy compliance, security, and training.
According to the 2019 HIMSS Cybersecurity Survey, “E-mail is the most common initial point of compromise for significant security incidents”. So any complete security and privacy compliance plan should limit the use of email and train staff on how to recognize inbound attacks.