This is only one of the many questions we asked Mr. Andre about cyber security and how healthcare facilities can protect themselves.

Our guest on Healthcare Matters is Tom Andre, VP of Information Services at Cooperative of American Physicians (CAP). In part 7 of our What You Need to Know: Hospital Ransomware Attacks, we ask Mr. Andre how hospitals can protect patient data during these types of attacks and how HIPAA plays a role. This information is important in the wake of the numerous hospital attacks occurring all around the country, including the attack on Hollywood Presbyterian Medical Center.

Transcript

Mike Matray: In the healthcare arena, there’s HIPAA, which protects the patient’s personal medical records, and there’s quite a substantial fine if that is compromised. How does HIPAA come into play here? Did the malware that was injected into Hollywood Presbyterian actually compromise the patient data, or will they be able to just move along as if nothing had happened and we just paid this ransom and everything’s good now?

Tom Andre: There’s nothing that I’ve seen publicly that indicates that anything was compromised in terms of patient data. It doesn’t sound like it. Most ransomware seems to be just opportunistic. They want to get a ransom and they’ll give you your files back. They don’t seem to be trying to exfiltrate data at this time.

I think, if I were looking at this from the perspective of any hospital administrator, I would wonder about…and I don’t know what happened specifically at Hollywood Presbyterian, but a couple of things that HIPAA/HITECH requires are, first of all, that you have a disaster recovery plan. And I think it sounds like the disaster recovery plan at the hospital was invoked, and they went to paper and phone and fax.

The other thing is to have adequate backups, and you have to ask yourself, as an administrator, if this were to hit me, would I have sufficient backup so that I wouldn’t necessarily have to pay the ransom? Maybe I could just say, “I’m just going to go back to my last backup. I’m gonna isolate the computers that have been infected, and then I will restore from backup.”

What’s adequate backup? HIPAA/HITECH is not really specific on that. I’m sure there’s a continuum where if your last backup was two months ago, no one would say that was adequate. But whether it’s 12 hours ago or 24 hours or four hours ago, I don’t know that that’s really been defined. I think that’s the one area where someone could possibly have CMS look at what they’re doing and didn’t think they were adequate backups. I don’t know that that would be the case. I don’t know if there’s even something that they concentrate on right now.

Mike Matray: Well, fantastic. It’s been a wonderful conversation with you. As more events come up in healthcare data security, I’d love to have you come back on the show.

Tom Andre: I’d be happy to do that.