What Does a Ransomware Attack Look Like To Patients?
One of my favourite podcasts is Help Me with HIPAA. This weekend I listened to Episode 304 Ransomware Creates a Social Media Privacy Violation Storm while I was spring-cleaning my yard.
Donna and David discuss in (almost) real time a ransomware attack that was currently occurring at the San Diego California’s main health systems, Scripps Health. The attack resulted in practically all of its technology being taken down. The EHR went down, patient portals were down, appointments had to be rescheduled, patients had to be diverted to other hospitals… even their website was down.
This podcast episode isn’t about the technology about ransomware. Donna and David walk you through the impact on patients – from the inconvenience and frustration to the disastrous consequences of not having health information available when it is most needed.
This gripping story reveals how communication failures, systems failures and a lack of information snowballed to negatively affect patients when they needed help the most.
My Takeaways From This Help Me With HIPAA Episode
Ransomware is nefarious and its impact is far-reaching.
- Patient care is compromised – patient information is not accessible, and it is unknown what information can be retrieved and, if it is retrieved, if it is complete and accurate.
- Privacy breach – obviously! The hackers have patient, employee and business information and have threatened to release it publicly.
- BUT – employees are also continuously breaching privacy while they are responding to patient concerns on social media DURING the ransomware attack.
- Employees cannot access their information to do their jobs – work schedules, payroll, portals to perform their jobs. So, alternate, unauthorized workflows are implemented to get the job done which subsequently results in more breaches.
- While the press release from Scripps Health indicates that they have trained and prepared personnel, the communication from Scripps to patients, employees, and the public has been disorganized, conflicting, and continuously breaching privacy and confidentiality.
I urge you to listen to this episode (about 30 minutes).
[Start at 18:19 minutes]
What Would You Do?
How would you and your team respond to this type of privacy breach?
Share this episode with the members of your incident response plan. Then, use the scenario to conduct a table-top privacy breach fire drill using your privacy breach management plan.
These table-top privacy breach fire drills are a great demonstration of your commitment as an organization to ensure that you are protecting the privacy confidentiality and security of health information.
Now hop over and listen to the Help Me With HIPAA episode to better understand what a ransomware attack looks like to a patient.
https://helpmewithhipaa.com/privacy-questions-everywhere-ep-304/ [Start at 18:19 minutes]