The cost, the hassles and the fines to DCs for ransomware attacks and ransomware removal
Every month, the risk that a ransomware attack shuts down your office forever (or forces a doctor of chiropractic or other health care organization to spend an average of $158,000 on fines and repairs, including ransomware removal) goes up and up. This year is already proving to be another record setter, with massive increases in attacks against small and medium-sized chiropractic and health care offices.
A successful ransomware attack is a HIPAA violation
A ransomware attack is also an automatic HIPAA (Health Insurance Portability and Accountability Act) violation, as these attacks cannot be successful if you are following all HIPAA rules – including required documented and formalized policies, risk analysis and mitigation plans.
The only chance for protection against a ransomware attack is prevention. Having a complete HIPAA program in place and following it closely is the only way to help prevent these attacks. When I started traveling to teach HIPAA in 2010 (presently teaching for 40 state associations and four chiropractic colleges), there were major problems regarding HIPAA compliance on the horizon for chiropractors, but nothing like we see today.
At that time no one had heard of ransomware attacks, whereas now, I am often contacted by 2-4 chiropractors per month who have been hit by ransomware and are petrified regarding the practice devastation, ransomware removal, potential HIPAA fines and their required interactions with government enforcement agencies.
Cybersecurity = HIPAA
In the health care field, everything you hear on the news regarding cybersecurity — which is every time you turn on the news — must be changed, in your mind, to HIPAA, because in the health care world, HIPAA equals cybersecurity.
HIPAA is the law that dictates what we, as covered entities, are required to do to prevent cyberattacks. The world has changed, and if you don’t change, you will get swallowed up — unfortunately, more and more chiropractors are experiencing this very phenomenon.
The national average cost to solve a ransomware attack is $158,000. Chiropractic offices and other primary care practitioners are typically on the smaller end of institutional size and the typical costs including ransomware removal are more in the area of $90k or less, but that can still shut down many practices. Prevention is the key.
Some take the attitude, ‘Let them come after me. If I get hit I will just close down and declare bankruptcy!’ Unfortunately, that may avoid some costs, but government fines are like IRS actions and are not typically discharged in a bankruptcy.
Ransomware removal, losses and violations
Approximately 89% of all cyberattacks are now ransomware. When you experience a ransomware attack you typically arrive at your office, you boot up your computer to get the new day going, and there’s nothing on your computer’s screen except a message that says, “We have your data.”
If it’s “weaponized ransomware,” they have probably had that “worm” or virus on your hard drive for a long time, not just that day, and they have likely captured your back-up data as well — which is why backing up your data (and even keeping copies of old back-ups) is important.
They will also make a demand for a certain amount of money to get your data back and then give you a time limit to pay. Example: “Within the next five hours it will cost $10,000 to get your data back, and if you don’t pay within five hours it will go up to $20,000, and if you don’t provide that within 24 hours we will release/sell your data on the dark web and you will never see it again.”
‘Bricking’ your computer
With weaponized ransomware they may also have the ability to destroy your computer from a distance.
So, let’s say you decide to pay $15,000 to get your information back. That is the start of your money problems. This is a HIPAA violation because, if you had a HIPAA program in place and were following the legally required policies and rules, in all likelihood you would not have succumbed to a ransomware attack.
You are supposed to know this and therefore this type of violation can be declared “willful neglect,” and if it falls under willful neglect that’s a minimum $59,255 fine (they can also add punitive damages, if they choose). You may also be required to pay the expenses incurred by your patients to monitor their credit. If 1,000 patients were breached, at a cost to you of $10 per month for a year, that would equal $10,000 per month.
You will also face the costs of a forensic examination by IT experts to determine who and how many patients were breached, etc. This can easily cost $10-20K, and in regard to ransomware removal you will likely need new software and hardware replacements. You can easily see how fast costs can rise and how devastating such an attack can be if not prevented.
You are required to protect private patient information, especially when this information is going into cloud-based systems or somebody else’s server or somewhere other than in your office. You have to make sure this information does not get breached and create a reason for a patient to say, “Hey, I think you mishandled my information and I’m filing a complaint with the government.”
Watch your data associations
When you’re working with an EHR company’s electronic medical records storage (even if the information is stored onsite, or in your office), if the company has access to your data they are considered a business associate.
If said business associate does not protect the information that you give them, and something goes wrong and that information is breached, then you, the doctor, are liable, unless you have a BAA (Business Associate Agreement) in place. You are the one in charge of and responsible for protecting your data, so this is a critical requirement under HIPAA law.
There is always a human component when information is breached — someone did what they shouldn’t do, or didn’t do what they should do. We all want to protect our patient information, just like you want your data protected when you go to the dentist, etc. If you don’t have a solid HIPAA program in place, what will be your defensible position when the government comes knocking? “I didn’t know” does not work.
New CARES ACT, HIPAA regulation
As of the writing of this article there is a new CARES ACT law going into effect, along with a new HIPAA regulation. These mainly relate to new fines and requirements regarding blocking information from patients who have requested it — the point being, the requirements are continuously changing and you are required to keep up or be fined, and most offices need help doing this.
You have to have a defensible program in place or you will get fined to death. The government by law must investigate every complaint, and they are presently two years behind, which means you could be in trouble now and not know it for another two years.
Why do you want to lose sleep at night over that? Get a HIPAA program in place now.
I am constantly amazed by the increased ransomware attack numbers. They grow faster and faster, and the problem is compounded by the fact that many who are attacked do not take massive, immediate steps to fix it — and once a practice is attacked, there is a 95% greater chance it will be attacked again.
I still travel the United States and, even in this day and age, find chiropractors, medical doctors and dentists who don’t do what they need to do to have their data security and HIPAA program in place. They think, “Well, I’m okay because I have training once a year where I talk about HIPAA and patients sign records releases and I think we’re probably okay.” It is time to face facts — hiding your head in the sand, in these modern times, just makes your practice a bigger target.
TY TALCOTT, DC, CHPSE, is a certified HIPAA Privacy and Security Expert (CHPSE) and president of HIPAA Compliance Services. He has consulted for thousands of health care practices relative to business development and protection. He can be contacted at (469) 371-8804 or at DrTyTheComplianceGuy.com.