Q&A: Ransomware recovery
Q. We’re a small clinic and were just hit with ransomware. We do have a plan to recover and have clean backup data to restore from. Is there anything we’re missing?
A. After a ransomware attack, it’s important to preserve the evidence. One mistake clinics and other entities make following a ransomware attack is to unplug and rebuild servers. If the evidence of the ransomware is not preserved, law enforcement has no information to go on when it comes to investigating the attack. Also, any evidence indicating a breach of unsecure PHI may be destroyed.
In 2016, OCR issued guidance regarding ransomware. CEs and BAs have a responsibility to assess whether a breach of unsecure PHI occurred, and by destroying the evidence of the attack, it is likely that it can’t be determined whether a breach of unsecure PHI occurred. In that case, the clinic would need to assume that all of its PHI has been compromised because it can’t determine whether a breach occurred. This can be very costly for the clinic and its patients.
It’s a good idea to review the clinic’s incident response plan to ensure preserving the evidence is part of the plan. The plan must be communicated and periodically tested to validate that it reflects the current systems in use and that all staff are trained on each step.
Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your questions to Editor Nicole Votta at nvotta@hcpro.com.
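A defender-side illustration of what "preserve the evidence" looks like in practice, added here as an example and not part of Apgar's answer: before any server is rebuilt, copies of the artifacts (logs, ransom notes, disk or memory images) are hashed into a manifest that records who collected them and when, so investigators and the breach assessment can later show the evidence was not altered. The evidence files, the collector name and the directory used below are constructed placeholders.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large images and logs never load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir, collector):
    """Record path, size, mtime and hash of every preserved artifact, plus collector and collection time."""
    root = Path(evidence_dir)
    files = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            files.append({"path": p.relative_to(root).as_posix(), "sha256": sha256_file(p),
                          "size": st.st_size, "mtime": st.st_mtime})
    return {"collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "collector": collector, "files": files}

def verify_manifest(evidence_dir, manifest):
    """Return (path, problem) pairs for artifacts that are missing or no longer match their recorded hash."""
    root = Path(evidence_dir)
    problems = []
    for entry in manifest["files"]:
        p = root / entry["path"]
        if not p.is_file():
            problems.append((entry["path"], "missing"))
        elif sha256_file(p) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems

def demo():
    """Constructed evidence set: clean at collection time, then one file altered and one deleted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes").mkdir()
        (root / "notes" / "ransom_note.txt").write_text("constructed sample ransom note\n")
        (root / "server.log").write_text("2024-01-01 00:00:00 constructed sample log line\n")
        manifest = build_manifest(root, collector="IT lead (placeholder name)")
        stored = json.loads(json.dumps(manifest, indent=2))  # round trip as it would be on disk
        before = verify_manifest(root, stored)
        (root / "notes" / "ransom_note.txt").write_text("altered after collection\n")
        (root / "server.log").unlink()
        return before, verify_manifest(root, stored)
```

Keep the manifest (and ideally a signed or printed copy) outside the evidence directory itself, so the rebuild and restore cannot overwrite it.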