Security experts and software makers have an abundance of information for consumers and businesses on what exactly ransomware is, what it looks like, and how to prevent being victimized. But that does not mean it is easy to prevent, say consultants who advise companies like LT/PAC providers on how best to handle cyber security in general and ransomware in particular.
Michael Schneider, a software developer in network security at Richardson, Texas-based SimpleLTC Systems, says providers need to be aware that protecting vital data from criminal hackers is not as simple as meeting compliance requirements under federal laws.
While HIPAA mandates the privacy of personal health information, it doesn’t tell providers what files to encrypt or any other specific measures to take. “If you follow the letter of the law, but not the spirit of the law, you may leave yourself open in a lot of ways to things auditors may not even check,” Schneider says. “It is complicated. You can be HIPAA-compliant and definitely still be affected by something like ransomware.”

HIPAA Based On Concept, Not Process

Angela Rose, director of health information management practice excellence for the American Health Information Management Association (AHIMA), agrees that HIPAA was written to be flexible in its guidelines for physical, administrative, and technical safeguards.

“Technical is all techy stuff and also includes encryption and things like that,” she says. “Now encryption is not a mandated law. There is no law that says you have to have your stuff encrypted.”

However, Rose says, the bottom line is, providers have to have encryption. “Because, for example, with breach laws, when a breach happens there are many, many steps you have to follow based on the breach,” she says.

“Like for instance the facts of the breach have to be reported to the Office of Civil Rights [OCR] based on the size of the breach,” she says. “However, if you lose a laptop and it is encrypted, it is not considered a breach because the laptop was made more difficult to get into. If not encrypted, then it is a breach.”

Rose says with new types of threats appearing all the time, like ransomware, it is important to know that HIPAA has not been updated in some time, leaving much room for providers to take action above and beyond what the law says.
“It was written to stay as a floor, not a ceiling, and wanted to allow for technological advances,” Rose says. “But what has happened in the way of cyber security threats is beyond what people could have expected, tenfold. For when it was written, it is now probably due for an update.”

Guidance Calls For Reports On Attacks

Regarding OCR’s July guidance on what constitutes a breach, Rose says the writing is on the wall that the feds want even smaller breaches and ransomware attacks reported. The reason for this is that even if ransomware strikes and no data are stolen per se, there is no guarantee protected health information was not accessed and possibly copied or stored without the victim provider knowing it.

For SimpleLTC, which is a wholly owned subsidiary of Briggs Healthcare and creates LT/PAC software for regulatory compliance, reimbursement optimization, and quality measurement, ransomware attacks are a clear and present danger. Jason Jones (pictured), chief technology officer for SimpleLTC, says it had one fairly large customer that fell victim to an attack, but it was not clear if it paid a ransom to get its data unlocked.

Maintain Backups On Separate Systems

Although his company is not technically a security firm, SimpleLTC works closely with clients and their technology executives on making sure cyber security is in place to prevent problems. “The biggest things to do for protection are to have backups that are not connected to everything else; you cannot have data stored on the same systems that are being affected or else backups can become encrypted as well,” Jones says.
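The point Jones makes is easy to state and easy to get wrong in practice: a "backup" that the production host can still write to is encrypted along with everything else. The following added example (not code from the article or from SimpleLTC) models the difference. A snapshot is copied into a store together with a SHA-256 manifest of every file, and a verification step checks the snapshot against that manifest before it is trusted for restore. One copy sits on a share the production host can reach; the other is on a separate store the host cannot write to, modelled here simply by leaving it out of the simulated encryptor's reachable paths. All paths, file names and data are constructed for the demonstration; `take_snapshot`, `verify_snapshot` and `simulate_encryption` are hypothetical helper names.

```python
"""Added example, not code from the article or from SimpleLTC: an isolated,
hash-verified backup snapshot compared with a "backup" that is just another
copy reachable from the production host. All paths and data are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

DATA_EXTENSIONS = {".csv", ".txt"}  # file types the simulated encryptor overwrites


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(source: Path, store: Path, name: str) -> Path:
    """Copy every file under `source` into `store/name/data` and record a
    SHA-256 per file in `manifest.json`. A snapshot name is never reused, so an
    old snapshot cannot be overwritten by a later backup run."""
    snap = store / name
    (snap / "data").mkdir(parents=True, exist_ok=False)
    manifest = {}
    for src in sorted(source.rglob("*")):
        if src.is_file():
            rel = src.relative_to(source)
            dst = snap / "data" / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes(src.read_bytes())
            manifest[rel.as_posix()] = _sha256(dst)
    (snap / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return snap


def verify_snapshot(snap: Path) -> list[str]:
    """Return the files whose hash no longer matches the manifest (missing files
    included). Run this before trusting a snapshot for restore; an empty list
    means the snapshot is intact."""
    manifest = json.loads((snap / "manifest.json").read_text())
    return [rel for rel, expected in manifest.items()
            if not (snap / "data" / rel).is_file()
            or _sha256(snap / "data" / rel) != expected]


def simulate_encryption(reachable: list[Path]) -> int:
    """Stand-in for the effect of ransomware on the production host: every data
    file under a reachable path is overwritten. Returns the number of files hit."""
    count = 0
    for root in reachable:
        for p in root.rglob("*"):
            if p.is_file() and p.suffix in DATA_EXTENSIONS:
                # Deterministic garbage so the demo is repeatable.
                p.write_bytes(b"\x00ENCRYPTED\x00" + hashlib.sha256(p.read_bytes()).digest())
                count += 1
    return count


def demo() -> tuple[list[str], list[str]]:
    """Returns (damaged files in the connected copy, damaged files in the isolated snapshot)."""
    root = Path(tempfile.mkdtemp())
    try:
        prod = root / "prod"
        prod.mkdir()
        (prod / "mds.csv").write_bytes(b"resident,assessment\nA,1\n")  # constructed sample data
        (prod / "notes.txt").write_bytes(b"care plan notes\n")          # constructed sample data

        # Bad: a copy on a share the production host can write to.
        connected = take_snapshot(prod, root / "connected_share", "backup")
        # Good: a snapshot pulled to a separate system the host cannot reach
        # (modelled here by leaving it out of the encryptor's reachable paths).
        isolated = take_snapshot(prod, root / "isolated_store", "2024-01-01")

        simulate_encryption([prod, connected])
        return verify_snapshot(connected), verify_snapshot(isolated)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # the connected copy lists both data files as damaged; the isolated one lists none
```

The manifest check is what turns an isolated backup into a usable one: without it, an operator restoring from the connected share would only discover the encrypted copy after the restore. In a real deployment the separate store would be a pull-based backup server, write-once object storage or offline media rather than a second directory, and the snapshot's manifest should be kept where the production host cannot rewrite it either.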

AHIMA’s Rose says beyond technical steps to prevent cyber attacks, providers must have leadership from the top if they expect to get good results on the day-to-day preventive measures put in place.

“HIPAA requires sanctions, policies and procedures, that you have training of all of your staff and hold them accountable,” she says. When Rose speaks to groups, she talks about building privacy and security into the culture of their environment. She encourages companies to make it part of an annual employee evaluation.

“Remember, you cannot hold anybody accountable for something that you never made them responsible for,” she says.