Latest HIPAA News

Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks

The Minnesota Department of Human Services (DHS) has discovered another employee email account has been compromised as a result of a phishing attack. The latest incident has only just been reported, although the breach occurred on or before March 26, 2018.

Three Phishing Attacks: 31,800 Records Exposed

The breach is in addition to two other phishing attacks that saw email accounts compromised in June and July of 2018. Those attacks were announced in October 2018 and resulted in the exposure of 20,800 Minnesotans’ PHI. The March 26 email account compromise saw the PHI of 11,000 Minnesotans exposed.

The March phishing attack allowed the attacker to gain access to the email account of an employee of the Direct Care and Treatment Administration. Emails were then sent from that account to co-workers requesting that wire transfers be made. The email requests were flagged as suspicious and were reported to MNIT, which secured the account. No wire transfers were made.

During the time that the account was accessible, the attacker potentially accessed emails in the account which included protected health information. MNIT was unable to determine whether any PHI had been viewed or copied. The account contained information such as names, contact information, dates of birth, treatment data, legal histories, and two Social Security numbers. No reports of misuse of PHI have been received.

Minnesota IT Services (MNIT) reported the breach to the FBI and, on April 9, 2019, DHS notified the Department of Health and Human Services’ Office for Civil Rights, the Office of the Legislative Auditor, credit reporting agencies, the media, and state senate and house representatives. Individual notices have also been sent to all individuals affected by the breach.

Since being notified about the breach, DHS hired a contractor to assess the contents of the email account to check for protected health information. Due to the number of emails in the account, that process took some time to complete. DHS says the account review was completed on March 21, 2019.

It is unclear from the DHS breach notification letter when the breach was discovered. DHS said MNIT provided details of the breach investigation on February 15, 2019. While breach notifications were issued to affected individuals within 60 days of DHS discovering the breach, in compliance with HIPAA, there was a major delay in the breach being reported to DHS by MNIT.

It took four months before notifications were issued to alert individuals about the previous two phishing attacks, and more than a year for individuals affected by this phishing attack to be notified.

State Government Agencies Suffer 700 Security Incidents in 10 Months

A senate hearing took place in October last year following the announcement of the other two phishing attacks. At the hearing it was made clear that MNIT was simply not prepared for the volume of cyberattacks and lacked the resources to deal with them.

MNIT explained at the hearing that more than 700 security incidents involving state government agencies had to be dealt with by MNIT up to October 2018, including 150 phishing attacks. State employees were sent an average of 22 phishing emails a day.

Up to October, the state government had experienced 80 cyberattacks that required manual analysis and 240 sets of employee credentials had been compromised. At the hearing, MNIT CISO Aaron Call explained that “the frequency and profitability of attacks are increasing, and the cybercriminals are getting more funding.”

Since receiving notification about the latest breach, DHS has implemented additional security measures to prevent further phishing attacks. These include a tool that blocks links and email attachments in emails sent to state employees. DHS says the tool would have prevented this and past breaches from occurring.

Policies and procedures have also been revised at DHS and MNIT has said it is now immediately reporting breaches to agency data practices or privacy staff to allow them to analyze the incidents to determine whether data have been exploited. DHS has said it is continuing to provide employees with training to help them identify increasingly sophisticated cyberattacks against DHS.

The post Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks appeared first on HIPAA Journal.

Data Security Incident Response Analysis Published by BakerHostetler

BakerHostetler has released its fifth annual Data Security Incident Response Report, which contains an analysis of the 750+ data breaches the company helped manage in 2018.

BakerHostetler suggests there has been a collision of data security, privacy, and compliance, and companies have been forced to change the way they respond to security breaches.

In addition to federal and state regulations covering data breaches and notifications, companies in the United States must also comply with global privacy laws such as the EU’s General Data Protection Regulation (GDPR). All of these different regulations make the breach response a complex process. The definitions of personal information, as well as the breach response and reporting requirements, differ between GDPR, HIPAA, and the laws of the 50 states. The failure to comply with any of the above-mentioned regulations can lead to severe financial penalties. It is therefore of major importance to be prepared for breaches and be able to respond as soon as a breach is discovered.

This has led many companies to create committees to help manage data breaches, which include stakeholders with expertise in each of the above areas.

Most Common Causes of Data Breaches

An analysis of 2018 incidents shows phishing remains the most common cause of data breaches, accounting for 37% of all incidents managed by the law firm in 2018. The most common type of phishing attack seeks Office 365 credentials. 34% of phishing attacks in 2018 resulted in an Office 365 account being accessed by the attacker.

  1. Phishing Attacks – 37%
  2. Network Intrusions – 30%
  3. Accidental Disclosures – 12%
  4. Lost/stolen devices and records – 10%
  5. System Misconfiguration – 4%

30% of successful phishing attacks saw the attackers peruse the network to find accessible data. 12% of intrusions resulted in the deployment of ransomware, and 8% resulted in a fraudulent wire transfer. In 1% of cases, a successful phishing attack resulted in the deployment of malware other than ransomware.

55% of successful attacks occurred as a result of a mistake by employees, 27% were due to a non-vendor unrelated third party, 11% were due to a vendor, 5% of attacks involved a malicious insider, 3% were due to a non-vendor related third party, and 2% were due to an unrelated third party.

Incident Response, Investigation and Recovery

In 2018, 74% of breaches were discovered internally and 26% were identified by a third party.

The average time to detect a breach across all industry sectors was 66 days. It took an average of 8 days to contain the breach and 28 days for a forensic investigation to be completed. The average time to issue notifications was 56 days.

Healthcare data breaches took an average of 36 days to discover, 10 days to contain, 32 days to complete a forensic investigation, and 49 days to issue notifications. Healthcare data breaches required an average of 5,751 notification letters to be sent.

There was an increase in investigations by OCR and state Attorneys General in 2018. 34% of breaches resulted in an investigation by an Attorney General and 34% were investigated by OCR. Out of 397 breach notifications issued, 4 lawsuits were filed.

There has been an increase in the use of forensic investigators following a breach. 65% of breaches involved some kind of forensic investigation compared to 41% of incidents in 2017. The average cost of a forensic investigation was $63,001 overall and $120,732 for network intrusion incidents.

The average ransom paid was $28,920 and the maximum was $250,000. In 91% of cases, payment of the ransom resulted in the attacker supplying valid keys to decrypt files.

70% of breaches required credit monitoring services to be offered, in most cases due to the exposure of Social Security numbers.

BakerHostetler also notes that following a data breach there is often an increase in access right requests. It is therefore important for companies to have established and scalable access right request processes in place to ensure they can cope with the increase following a security breach.

Interactive Data Breach Notification Map

Healthcare organizations are required to comply with the HIPAA Breach Notification Rule which requires breach notification letters to be issued to affected individuals within 60 days of the discovery of a breach of PHI.

States have also introduced their own breach notification laws, which differ from HIPAA and may, in some cases, require notifications to be issued more rapidly. To help companies find out about the breach notification requirements in each state, BakerHostetler has compiled an interactive data breach notification map.

Using this interactive tool, organizations can find out about the breach reporting requirements in each state. The interactive data breach notification map can be viewed on this link.


FDA Considers New Review Framework for AI-Based Medical Devices

AI-based medical devices can be used to identify diseases and individuals at risk of developing medical conditions. They can perform a great deal of time-consuming work on behalf of doctors and radiologists and can help to speed up the diagnosis of diseases. Faster diagnoses mean patients can receive treatment more quickly at a time when it is most likely to be effective. They can also help to identify the most effective treatments to allow personalized medicine to be provided.

Currently, the U.S. Food & Drug Administration (FDA) performs reviews of medical devices as part of its market authorization processes. Generally, in order to be granted market authorization the algorithms used by the devices need to be locked and not have the ability to learn each time they are used.

These locked algorithms can be subsequently updated by developers at intervals using new data, but after those updates have been applied, the devices need to be subjected to a further manual review and the updated algorithm must be validated.

The FDA authorized two AI-based medical devices in 2018: an AI-based device which can detect diabetic retinopathy and another that can generate alerts for providers of potential strokes in patients. The FDA anticipates there will be many more such devices developed for use in healthcare and is looking to formalize the review process.

In healthcare, there is tremendous potential for adaptive algorithms that continuously update rather than those that require periodic developer updates. Adaptive algorithms learn from new data through real world use and get better over time.

These algorithms could, for example, be used to identify cancerous lesions. Adaptive algorithms could learn to improve the level of confidence in detections of cancerous lesions and could potentially identify different sub-types of cancer based on real-world feedback.

The FDA is looking to develop a regulatory framework that will allow AI-based medical devices which incorporate machine learning to be authorized for use, and is considering easing restrictions on adaptive algorithms. To start that process, the FDA released a discussion paper on a new framework for AI-based medical devices on April 2, 2019.

The framework is based on the FDA’s benefit-risk framework, the International Medical Device Regulators Forum risk categorization, software risk management principles, and the device manufacturer’s total product lifecycle.

In certain situations, it would be necessary for the device makers to provide the FDA with a new submission and obtain additional approval, but in general, the framework would not require additional reviews to be conducted for updates to the devices made through their adaptive algorithms.

The document is only a discussion paper that outlines the FDA’s thinking. It doesn’t count as guidance, but it does start a conversation about medical devices that use adaptive algorithms and shows the FDA appreciates that its current regulatory framework for software as a medical device needs to change.

The FDA has detailed its proposal in the PDF document: Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device. The FDA has requested feedback on the proposed document, which can be downloaded here.

The FDA says the document is “the foundational first step to developing a total product lifecycle approach to regulating these algorithms that use real-world data to adapt and improve.”

“As algorithms evolve, the FDA must also modernize our approach to regulating these products. We must ensure that we can continue to provide a gold standard of safety and effectiveness. We believe that guidance from the agency will help advance the development of these innovative products,” said FDA Commissioner Scott Gottlieb, M.D.


Hardin Memorial Health Cyberattack Results in EHR Downtime

Hardin Memorial Health in Kentucky has experienced a cyberattack which caused disruption to its IT systems and EHR downtime.

The cyberattack started on the evening of Friday April 5. A statement issued by a spokesperson for the health system confirmed that IT systems were disrupted as a result of a security breach. Details of the cyberattack have not yet been released, so it is unclear whether this was a hacking incident, a malware infection, or a ransomware attack.

The health system has been working round the clock to restore affected systems and servers. Hardin Memorial Health’s IT team has already brought most IT systems back online and has restored access to its EHR system in some units.

Despite the lack of access to its EHR system, business continued as usual and the hospital did not have to cancel appointments. All 50 of its locations remained open. “At no time during this event has the quality and safety of patient care been affected,” said HMH Vice President and Chief Marketing and Development Officer, Tracee Troutt.

Upon discovery of the security breach, emergency procedures were implemented, and an IT assessment was conducted to determine the nature and extent of the incident. That assessment is ongoing, but most of the issues associated with the attack were resolved within 24 hours.

Extra staff were brought in over the weekend to assist with its remediation efforts and to conduct administrative processes manually until systems could be brought back online.

“A combined team of some 40 internal IT and patient care specialists, complemented by external experts, importantly including our Baptist Health partners, worked over the weekend to resolve issues quickly and is working on the assessment,” said Troutt.

The hospital was well prepared for system downtime. The Hardin Memorial Health IT team regularly tests emergency procedures to make sure they can be implemented quickly and are effective at preventing disruption to patient services. Extra protocols have already been implemented to reinforce system security.

This incident shows that while it may not be possible to prevent all cyberattacks, with tried and tested backup and emergency response plans it is possible to recover from a cyberattack quickly and prevent disruption to patient services.


Amazon Announces 6 New HIPAA Compliant Alexa Skills

Six new HIPAA compliant Alexa skills have been launched by Amazon that allow protected health information to be transmitted without violating HIPAA Rules.

The new HIPAA compliant Alexa skills were developed by six different companies that have participated in the Amazon Alexa healthcare program. The new skills allow patients to schedule appointments, find urgent care centers, receive updates from their care providers, receive their latest blood sugar reading, and check the status of their prescriptions.

This is not the first time that healthcare Alexa skills have been developed, but a stumbling block has been the requirements of the HIPAA Privacy Rule, which limit the use of voice technology with protected health information. Now, thanks to HIPAA compliant data transfers, the voice assistant can be used by a select group of healthcare organizations to communicate PHI without violating the HIPAA Privacy Rule.

Amazon has stated that it plans to work with many other developers through an invite-only program to develop new skills to use within its HIPAA-eligible environment. Amazon is offering those organizations business associate agreements to meet HIPAA requirements. The initial roll-out has been limited to six new HIPAA compliant Alexa skills as detailed below:

New HIPAA Compliant Alexa Skills

The purpose of the new skills is to allow patients, caregivers, and health plan members to use Amazon Alexa to manage their healthcare at home through voice commands. The skills make it easier for patients to perform healthcare-related tasks, access their health data, and interact with their providers.

The six new HIPAA compliant Alexa skills are:

Express Scripts

Members of the Express Scripts pharmacy services organization can check the status of a home delivery prescription and can ask Alexa to send notifications when prescriptions have been shipped and when they arrive at their door.

Cigna Health Today

Employees who have been enrolled in a Cigna health plan can use this Alexa skill to check wellness program goals, receive health tips, and access further information on rewards.

My Children’s Enhanced Recovery After Surgery (ERAS)

Parents and caregivers of children enrolled in Boston Children’s Hospital’s ERAS program can send updates to their care teams on recovery progress. Care teams can also send information on post-op appointments and pre- and post-op guidance. Initially, the skill is being used in relation to cardiac surgery patients, although the program will be expanded in the near future.

Livongo Blood Sugar Lookup

Participants in Livongo’s Diabetes Program can query their latest blood sugar reading from their device, check blood sugar monitoring trends such as their weekly average reading, and receive personalized health tips through their Alexa device.

Atrium Health

Atrium Health’s new Alexa skill allows patients to find urgent care locations near them, schedule same-day appointments, and find out about opening hours and current waiting times. Initially the Alexa skill is being offered to customers in North and South Carolina.

Swedish Health Connect

Providence St. Joseph Health has created an Alexa skill that allows patients to find Swedish Express Care Clinics in their vicinity and schedule same day appointments at 37 of its locations on the west coast.


Malware Alters CT Scans to Create and Remove Tumors

There is growing concern about hackers gaining access to medical devices and conducting attacks to cause harm to patients. Now malware has been created that can add fake tumors to CT scans.

The malware is not being used in real-world attacks. It has been created by researchers at the Ben Gurion University Cybersecurity Center in Israel to demonstrate just how easy it is to exploit vulnerabilities in medical imaging equipment.

In addition to adding tumors to medical images, the malware could be used to remove real tumors. The former could be conducted for political reasons, such as preventing a candidate from running for office; the latter would prevent individuals from receiving treatment for a life-threatening illness. The technique could also be used for insurance fraud, sabotage of medical trials, and cyber terrorism.

Prior to a patient being prescribed radiation therapy or chemotherapy additional tests would be performed and the incorrect diagnosis would be identified, but patients would still be caused considerable emotional distress. The removal of tumors to make the patient appear healthy could have much more serious implications. Treatment could be delayed until a point when it is too late to be effective.

The researchers used a deep learning neural network called a generative adversarial network to alter the CT scans intercepted by the malware.

The attack scenario demonstrated by the researchers would require a man-in-the-middle device to be built and physical access to a hospital. The device could be planted close to the scanner, such as at night when there is less chance of detection. With the device in place it would be possible to intercept CT scans and manipulate them at will.

The researchers created such a device from a Raspberry Pi 3 which was connected to a USB to Ethernet adapter. Both could be purchased for around $40.

The device was loaded with the Raspbian OS and was configured as a network bridge and set up as a WiFi access point. Once connected to the network, the device was capable of intercepting scan data as it was sent to the PACS (picture archiving and communication system). The attacker had full control over scan data and could alter it at will and create or remove any number of tumors while retaining the same anatomy as the original scans.

But how effective is the malware at altering CT scans? Were the alterations good enough to fool trained radiologists?

In tests, 70 images were manipulated. The accuracy of the alterations was such that it was possible to fool three radiologists in 99% of instances where fake tumors were added and 94% of images where real tumors were removed. The altered images fooled AI systems every time.

When the radiologists were made aware that scans had been altered, in a second test using a mix of genuine and doctored images, they were still fooled by 60% of the images that had tumors added and 87% of images where tumors had been removed.

In the tests, the researchers used lung scans and injected fake tumors, but brain tumors could be created or removed just as easily and the system could be used on a wide range of health conditions such as bone fractures, blood clots, or spinal problems.

The alteration of images would be difficult to detect as scans are typically not encrypted nor digitally signed. Healthcare organizations are usually good at implementing robust perimeter controls to prevent attacks from remote threat actors but are less good at protecting internal networks. This eggshell approach to security leaves hospitals vulnerable to attacks conducted inside the facility by malicious insiders.

A video of the simulated attack can be viewed on the following link: https://youtu.be/_mkRAArj-x0


OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits

The HHS’ Office for Civil Rights has raised awareness of the risk of advanced persistent threats and zero-day exploits in its spring cybersecurity newsletter.

Healthcare organizations are attractive targets for hackers due to the quantity of sensitive data they store. Individuals’ protected health information is highly valuable as it can be used for many different purposes, including identity theft, tax fraud, and gaining access to medical services. Sensitive information about medical conditions can also be used to blackmail individuals.

Healthcare organizations also store research data, genetic data, and data from experimental treatments, all of which are of great value to cybercriminals. The information can be used by foreign governments to drive innovation.

There are many techniques that hackers use to break through defenses and silently gain access to networks, two of the most serious threats being advanced persistent threats and zero-day exploits.

An advanced persistent threat (APT) is a term used to refer to repeated cyberattacks that attempt to exploit vulnerabilities to gain access to information systems. These attacks are often sophisticated, but even relatively simple attacks are dangerous due to their persistence.

The aim of the attacks is to stealthily gain access to information systems and steal information over a long period of time. “Advanced” comes from the techniques used to access networks and remain undetected, such as the use of malware. “Persistent” refers to the length of time that systems are accessed and information is stolen. Several APT groups have succeeded in gaining access to healthcare IT systems in the United States and have used that access to steal sensitive patient information and proprietary healthcare data.

Zero-day exploits – or zero-day attacks – involve the use of previously unknown vulnerabilities to attack organizations. By their very nature, these types of attacks can be difficult to prevent. Since the vulnerabilities are only known to hackers, no patches exist to correct the flaws.

Oftentimes, vulnerabilities are discovered as a result of them being exploited. Patches are promptly released to correct the flaws, but hackers will continue to take advantage of the vulnerabilities until systems are patched. It is therefore essential to apply patches promptly and ensure that all operating systems and software are kept up to date.

Once a zero-day vulnerability is publicly disclosed it doesn’t take long for an exploit to be developed. Oftentimes, exploits for recently discovered vulnerabilities are developed and used in attacks within days of a patch being released.

If patches cannot be applied promptly, such as if extensive testing is required, it is important to implement workarounds or other security controls to prevent the vulnerabilities from being exploited. The use of encryption and access controls can help to ensure that even if access to a network is gained through the exploitation of a vulnerability, damage is minimized.

OCR has warned of the danger of combination attacks involving APTs and zero-day exploits, such as the use of the NSA’s EternalBlue exploit. Within days of the exploit being made available online, it was incorporated into WannaCry ransomware, which infected hundreds of thousands of computers around the world. A patch for the vulnerability that EternalBlue exploited was released by Microsoft two months before the WannaCry attacks. Organizations that patched promptly were protected against the exploit and WannaCry.

Healthcare organizations and their business associates can improve their defenses against zero-day exploits and APTs by implementing measures outlined in the HIPAA Security Rule. OCR has drawn attention to the following requirements of the Security Rule which can help prevent and mitigate zero-day exploits and APTs:


Study Reveals Health Information the Least Likely Data Type to be Encrypted

Health information is the least likely data type to be encrypted, even though health information is highly valuable to cybercriminals, according to the Global Encryption Trends Study conducted by the Ponemon Institute on behalf of cryptographic solution provider nCipher.

The study was conducted on 5,856 people across several industry sectors in 14 countries, including the United States. The aim of the study was to investigate data encryption trends, the types of data most likely to be encrypted, how extensively encryption has been adopted to improve security, and the challenges faced by companies when encrypting data.

The study shows the use of encryption has steadily increased over the past four years. 45% of surveyed organizations said they have an overall encryption plan or strategy that is applied across the whole organization. 42% said they have a limited encryption plan or strategy, with encryption only used on certain applications and data types. 13% of respondents said they do not use encryption at all on any type of data.

The use of encryption varies considerably from country to country. Germany leads the world with the highest prevalence of encryption, followed by the United States, Australia, and the United Kingdom. Out of the 14 countries represented in the survey, the Russian Federation and Brazil had the lowest prevalence of encryption. 65% of companies in the United States had an overall encryption plan that was consistently applied across the whole organization.

The industries that had the highest prevalence of encryption were tech & software (52%), financial services (50%), and the healthcare and pharmaceutical industries (49%).

Encryption technology varied considerably and no single technology dominated across organizations. The most common uses of encryption were for Internet communications, databases, and laptop hard drives.

The main reasons for implementing encryption, cited by 54% of respondents, were to protect sensitive intellectual property and customers’ personal information.

The types of data most commonly encrypted are payment-related data (55%), financial records (54%), HR/employee data (51%), and intellectual property (51%). Health information was the least likely type of data to be encrypted. This is surprising, given the value of healthcare data to cybercriminals and the harm that can be caused should information fall into the wrong hands. Only 24% of respondents said health data was routinely encrypted.

Organizations looking to encrypt data face several challenges. The biggest challenge which was faced by 69% of respondents was identifying all sensitive data on the network. The initial implementation of encryption was a major challenge for 49% of respondents and 32% of respondents said they faced problems classifying which data they should encrypt.

One of the biggest encryption headaches is key management. Respondents were asked to rate key management on a pain scale of 1-10. 61% of respondents said key management was very painful and managing keys was a major challenge.

The main reasons why key management is difficult are a lack of clear ownership of the key management function, a lack of skilled personnel, and isolated or fragmented key management systems.

Various key management systems are used by organizations, the most common being a formal key management policy (KMP), followed by a formal key management infrastructure (KMI) and manual processes.


Michigan Practice Forced to Close Following Ransomware Attack

A ransomware attack can prove costly to resolve. That cost was not deemed worth it by one Michigan practice, which has now permanently closed its doors.

The ransomware encrypted the system at Brookside ENT and Hearing Center in Battle Creek, which housed patient records, appointment schedules, and payment information, rendering the data inaccessible.

The attackers claimed to be able to provide a key to unlock the encryption, but in order to obtain the key to decrypt files, a payment of $6,500 was required.

The two owners of the practice, William Scalf, MD and John Bizon, MD, decided not to pay the ransom as there was no guarantee that a valid key would be supplied and, after paying, the attackers could simply demand another payment.

Since no payment was made, the attackers deleted all files on the system, ensuring no information could be recovered. The partners decided to take early retirement rather than rebuild their practice from scratch.

The FBI was alerted to the security incident and explained that this appeared to be an isolated attack. No patient data appeared to have been viewed or accessed prior to files being deleted so there is not believed to be any risk to patients; however, patients who had not obtained copies of their medical records prior to the ransomware attack will have lost all records stored by the practice.

That will naturally come at a cost to some patients, who may have to have medical tests performed for a second time. One patient at the practice told WWMT that her daughter had had surgery and she was attempting to schedule a follow up appointment when she discovered that her medical records have been lost. She must now visit another provider, but that provider will have no details about the surgical procedure.

The practice will officially close on April 30, 2019, until which point, patients can contact staff at the practice who will provide referrals.

The incident highlights just how important it is to ensure backups of all data are made. All backups must be tested to ensure they have not been corrupted and file recovery is possible.

A good best practice to adopt is the 3:2:1 approach. Create three backup copies, on two different types of media, and store one copy securely off site on an air-gapped device, one that is not networked or accessible over the internet. In the event of a ransomware attack, systems may be taken out of action and computers may need to have software reinstalled, but at least no data will be lost.
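The advice that backups must be tested for corruption and restorability is easy to automate. The following is an added example, not code from the article or the practice involved: it records a SHA-256 manifest when the backup is taken, then verifies a restored copy against it, reporting corrupted and missing files. The sample files and directory names are constructed for the drill.

```python
"""Backup integrity check: build a SHA-256 manifest at backup time, then
verify a restored copy against it (added example, standard library only)."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large record exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to `root` to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restore_root, manifest):
    """Compare a restored tree with the manifest recorded at backup time.

    Returns a dict of three sorted lists: files that match, files whose
    content changed (corrupted or tampered), and files missing from the restore."""
    result = {"ok": [], "corrupted": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restore_root, *rel.split("/"))
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif sha256_file(path) != expected:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def restore_test_drill():
    """End-to-end drill on constructed sample data: back up, damage the
    restored copy, verify. Returns the verify_restore() result."""
    work = tempfile.mkdtemp(prefix="backup-drill-")
    try:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "records"))
        # Constructed sample files standing in for patient records and schedules.
        with open(os.path.join(live, "records", "chart-0001.txt"), "w") as f:
            f.write("constructed chart data\n")
        with open(os.path.join(live, "schedule.csv"), "w") as f:
            f.write("date,patient\n2019-04-30,constructed\n")
        with open(os.path.join(live, "notes.txt"), "w") as f:
            f.write("constructed notes, left intact\n")
        manifest = build_manifest(live)
        # Take the backup copy, then "restore" it to a separate location.
        backup = os.path.join(work, "backup")
        shutil.copytree(live, backup)
        restored = os.path.join(work, "restored")
        shutil.copytree(backup, restored)
        # Simulate media damage: one file corrupted, one file lost.
        with open(os.path.join(restored, "schedule.csv"), "a") as f:
            f.write("garbage\n")
        os.remove(os.path.join(restored, "records", "chart-0001.txt"))
        return verify_restore(restored, manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    outcome = restore_test_drill()
    for status, files in outcome.items():
        print(f"{status}: {files}")
```

Store the manifest with the off-site copy as well, so a restore can be checked even when the original system is gone.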
