HIPAA Fine Announced: Business Fined $100,000 for Not Having Appropriate Documentation Before Ransomware Incident

It may have been a happy Halloween for some, but for one particular business it was a haunting day they won't soon forget. Today's Office for Civil Rights (OCR) horror story is about a company called Doctors' Management Services (DMS). They were hit with ransomware, and now they are paying $100,000 to the government.

So, what happened? It all started back in April 2017, when an unauthorized party gained access to Doctors' Management Services' network. The company didn't notice until December 2018, roughly 20 months later, when the attacker deployed ransomware and encrypted its files. By the time the intrusion was detected, the damage was already done.

That's right, folks. Ransomware is a type of malware that encrypts your files and then demands a ransom payment in exchange for the decryption key. It's a particularly nasty type of malware, and it's becoming more and more common, especially in healthcare.

So, what did DMS do wrong? OCR's investigation found three failures. First, DMS did not have a current security risk analysis, the assessment of where electronic protected health information (ePHI) lives and what threatens it that the HIPAA Security Rule requires. Second, DMS was not regularly reviewing its information system activity (audit logs, access reports and the like), which is exactly the control that should have caught an intruder who sat on the network for 20 months. Third, DMS lacked the written policies and procedures the Security Rule requires. If you know anything about compliance, this is a recipe for a costly fine from OCR, $100,000 to be exact.

So, what can we learn from this story? Keep your risk analysis current, put written policies and procedures in place, and actually run the security controls (including regular review of logs and system activity) that protect patient data from ransomware. Make sure every employee is trained on how to protect PHI and what steps to take when an incident occurs, because a breach that goes unnoticed for 20 months is a detection failure as much as a prevention failure. From our experience here at Abyde, it's best to be proactive rather than reactive when it comes to protecting PHI.

If you're already getting a headache thinking about how to make sure your practice is protected, we know, and that's what we're here for. As compliance experts, we aren't going to advise you to take Tylenol for that headache. Instead, we suggest letting Abyde handle your compliance program for you. We will take the headache out of compliance while making sure your practice has everything it needs to be protected against future incidents.

To learn more about HIPAA compliance, please visit www.abyde.com.