There are allegations that a ransomware attack at a medical center contributed to the death of an infant. An article in the Wall Street Journal discusses a lawsuit that has been filed against Springhill Medical Center in Alabama for the death of an infant. This is the first known lawsuit against a medical provider for an injury or death related to the EHR being unavailable due to ransomware.
There are three major components of the HIPAA Security Rule:
- Confidentiality;
- Integrity; and
- Availability.
A breakdown of any of these three elements is a HIPAA violation. When a medical provider experiences a ransomware attack, all three components can be compromised. This article will discuss availability.
Under the HIPAA regulations, your EHR must be available to you when you need it to make a medical decision about patient care. If the patient records are not available, it can have a significant negative impact on the quality of care provided. Vital clinical information is not available, and it is possible that medications, therapies, tests or other modalities could be ordered that are contraindicated based upon the patient’s medical status. This situation can result in patient harm.
It is your responsibility to safeguard the availability of the medical records you maintain so that patients are protected from harm of this nature. Among the steps that you can take to protect the availability of your patient records are to have the following elements in place:
- A downtime contingency plan
- A disaster recovery plan
- Regular data backups
- Policies and procedures for proper use and maintenance of your computers and network equipment
Each of these elements should be part of your office's HIPAA security plan. It is also important for you to test these elements on a regular basis. You should test your backups to make sure that if you need them, they can be used to restore your data. This will often require you to work with your software vendors: send a copy of the backup to the vendor and have them test the restore process. You should look at your downtime contingency plan and take each of the steps in the plan to make sure that you will be able to function and care for patients during computer downtime. And finally, you should test your disaster recovery plan. Testing a disaster recovery plan is technically more complex and will need to involve your software vendors, IT vendors and your staff to simulate a disaster that disables your computer systems and then go through the steps of rebuilding your systems to a fully functional state.
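A restore test is only meaningful if you can prove the restored data matches what was backed up. The following is an added example (not code from TLD Systems or from any EHR vendor) of one way to do that: record a SHA-256 checksum of every file when the backup is taken, then compare a restored copy against that manifest and report exactly which files are missing or altered. The directory layout, file names and manifest format are assumptions; the sample records are constructed in a temporary directory so the script runs offline.

```python
"""Backup restore verification: confirm that a restored copy of a data set
matches the checksums recorded when the backup was taken.

Added example for this article, not code from TLD Systems. The directory
layout, file names and manifest format are assumptions; it works on a
constructed sample set in a temporary directory so it runs offline.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large EHR exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record the relative path and SHA-256 of every file under `source`."""
    return {
        str(p.relative_to(source)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the files that are missing, altered, or unexpected, so a failed
    restore test is actionable rather than a bare pass/fail.
    """
    actual = build_manifest(restored)
    corrupted = [k for k in manifest if k in actual and actual[k] != manifest[k]]
    missing = sorted(set(manifest) - set(actual))
    unexpected = sorted(set(actual) - set(manifest))
    return {
        "missing": missing,
        "corrupted": sorted(corrupted),
        "unexpected": unexpected,
        "ok": not missing and not corrupted and not unexpected,
    }


def demo() -> dict:
    """Constructed scenario: back up two records, restore one intact and one truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "ehr_export")
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "0001.json").write_text('{"allergies": ["penicillin"]}')
        (src / "patients" / "0002.json").write_text('{"allergies": []}')
        manifest = build_manifest(src)
        # Keep the manifest separate from the data, as a real backup job would.
        Path(tmp, "manifest.json").write_text(json.dumps(manifest))

        # Simulate a restore in which one record came back truncated.
        dst = Path(tmp, "restore_test")
        (dst / "patients").mkdir(parents=True)
        (dst / "patients" / "0001.json").write_text('{"allergies": ["penicillin"]}')
        (dst / "patients" / "0002.json").write_text('{"allergies"')

        loaded = json.loads(Path(tmp, "manifest.json").read_text())
        return verify_restore(dst, loaded)


if __name__ == "__main__":
    print(demo())
```

In practice you would run `build_manifest` as the last step of each backup job and store the manifest with the backup media (and a copy elsewhere), then run `verify_restore` against the scratch system your vendor restores into. A report listing the specific files that failed is what lets you fix the backup process rather than simply learning that it is broken.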
As a medical provider, your patients are putting their health in your hands; you have a responsibility to make sure that the medical records that are vital to their health are available to you when you need them to make a medical decision.
For more information about HIPAA compliance and any of the items in this article please contact TLD Systems at http://www.tldsystems.com via email at info@tldsystems or by phone at (631) 403 6687.