By Emmie Futrell, Class of 2018; Robb S. Harvey, Partner at Waller; Elizabeth N. Pitman, Counsel at Waller

The government, through the United States Department of Justice, has increased its efforts to respond to cyberattacks, a hot-button issue that extended across disciplines in 2017. The newly created Cyber-Digital Task Force has been charged with developing policies to combat global cyber terror and involve federal law enforcement on the front lines of this virtual battlefield.

The OCR’s January and February 2018 OCR Cybersecurity Newsletters provided targeted tips to HIPAA-covered entities and business partners to prevent cyber extortion as a means to obtain ransom money and to avoid the consequences of phishing attacks. The OCR recommended training, vigilance and bolstering defenses by encrypting and backing up sensitive data and training workforce. Specifically, OCR provided the following list of suggestions:

1. Train employees to identify unusual emails and other messages that hackers could use to break into your system.
2. Document suspicious activity and review those logs regularly.
3. Perform a risk analysis that looks at the entire organization and addresses known risks.
4. Use anti-malware programs to prevent access by malicious software proactively.
5. Implement and test cyberattack recovery plans.
6. Encrypt and back up sensitive data.
7. Stay on top of new and emerging cyber threats, perhaps by signing up for governmental alerts known as US-CERT alerts, which are generated by the government’s National Cyber Awareness System and received via email or an RSS feed and provide timely information about security issues
8. Be wary of unusual emails and text messages
9. Use multi-factor authentication
10. Stay updated with anti-malware software and system patches

These measures can both protect and prove cost-effective.

The 2017 Ponemon Data Breach report found that the healthcare industry in the United States stands to lose the most from a data breach, with the average cost per lost or stolen record at $380. Estimated savings for companies that only chose to extensively encrypt information are $16 per record and, companies that have a prepared Incident Response Team and Plan could save $19 per record. Saving these costs per record could significantly lessen the inevitable economic impact of a large-scale breach. The report made clear that time is of the essence in a breach, a sentiment that has been echoed by the OCR’s guidance and HIPAA’s response requirements.

Implementing the OCR’s guidance can help healthcare companies save costs when faced with cyber extortion. Many of the suggestions from the OCR will also ensure that HIPAA standards are satisfied. For example, documenting suspicious activity will be key in creating the necessary paper trail in the event of an OCR investigation. This type of documentation is already required by HIPAA. Implementing cyberattack recovery plans like training an Incident Response Team and developing contingency plans, including the possible necessity of paying the ransom, will guarantee that the breach can be identified and contained as quickly as possible and data availability and integrity are maintained. These measures will ensure that electronic health records and other healthcare information continue to be a pathway towards innovation, rather than a backdoor for an insidious attack.