By Jack Anderson
April 12, 2017
Ashland Women’s Health, a solo obstetrician-gynecologist practice in Ashland, Kentucky, on April 4 reported to the Department of Health and Human Services a hacking incident affecting 19,727 patients, according to the HHS Office for Civil Rights’ “wall of shame” website, which lists major breaches affecting 500 or more individuals.
That incident involved a recent ransomware attack that encrypted data on the practice’s electronic health record system, including its patient scheduling application, an Ashland Women’s Health spokeswoman says.
Many small practices rely on the hope that they will never be subject to a HIPAA audit. They are careful with patient information, they lock up their files and they have firewalls on their computers. They feel safe.
Then one day they try to log in to their EMR and find they are locked out. Next comes an email demanding a ransom to unlock their systems. No matter what happens from here on, they are in big trouble. They can restore their systems from backups, if they were diligent about keeping them, and they can notify their patients, perhaps paying for credit insurance for those patients. But regaining their patients’ trust might be a bigger job.
What if the breach triggers an OCR audit? It might start innocently with a request for the practice’s most recent risk assessment, meaning not a HIPAA checklist but an actual formal risk assessment. Requests for updated policies or for documentation of staff security awareness training might follow.
The question physician practices should ask themselves is: are you audit ready today?