We hope you have read the reporting on potential ransomware attacks on US hospitals and perhaps other health care providers. If you have not, please review this guidance from the government agencies involved in investigating this set of attacks.
Obviously, ensuring that your systems are aggressively protected and monitored in this immediate time frame is of particular importance. You also should consider whether to review your existing backup systems or other alternative means of accessing your critical medical information in advance of an attack (rather than waiting). In addition, please consider the following steps over the course of this situation.
- Contact law enforcement if you are attacked – the FBI is involved in these investigations.
- Pay careful attention to internal efforts to protect your systems and obtain access to this information. This should include consideration of privilege issues in relation to future litigation and/or investigations.
- Evaluate the impact of any attacks in terms of generating notices to patients or others, as required by HIPAA and/or state law. Ransomware attacks create particularly complicated questions in connection with breach notification obligations.
- Implement your incident response plan thoughtfully and efficiently – and make sure that you revise it going forward to incorporate any lessons learned.
- During the event and following it, ensure that you are reviewing what happened and how your systems and policies can be improved. HHS in particular pays close attention to these remediation and improvement efforts when it is conducting investigations under the HIPAA rules.