It is recommended that you not pay the ransom. Doing so only funds cybercriminals and encourages them to continue their bad acts. More importantly, paying the ransom does not guarantee you will be able to regain access to the encrypted files. Victims who pay are often provided with inadequate encryption keys that either don’t work at all or decrypt only some of the files.
You Might Also Like
Explore This IssueNovember 2017
Also By This Author
Instead of paying the ransom, restore affected files from reliable backups. Your IT manager or vendor should be able to assist with restoration. It is certainly mitigating if you can conclusively prove that all affected data has been restored to the state that it was in immediately prior to the ransomware infection.
Once the forensic investigation and restoration are final, work with your legal counsel to analyze the incident. A risk assessment under HIPAA is a very complex analysis of the facts and their interplay with HIPAA. Therefore, it’s important to work with an attorney who specializes in data privacy. Failure to work with a specialist could result in an improper determination that a breach did or did not occur, which carries with it the risk of reputational harm, potential OCR investigations, and fines and penalties. For this reason, the analysis must be properly conducted by someone with significant experience.
The unfortunate truth is that in today’s age, it is not a matter of if a breach will happen, but instead when will a breach happen. Although this mentality seems pessimistic at best, treating data privacy in this manner will enhance your compliance and mitigate risks to your system. Taking a proactive approach to compliance enables you to determine your system’s weaknesses and overcome those weaknesses with little or no repercussions, as opposed to waiting for a breach to happen to rectify any system vulnerabilities.
Cybercriminals are becoming more and more sophisticated each day, so now is the time to evaluate your system and confirm that you are situated the best you can be in the event a security incident. Don’t wait until it’s too late, or you may find yourself on the wall of shame.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC. Contact him via email at [email protected].