What to do if you suspect that your computer may have been compromised or hacked
The U.S. Department of Health & Human Services’ (HHS) list of breaches affecting 500 or more individuals includes the relatively small “Hacking/IT Incidents” category. While not the most common form of HIPAA breach, hacking and other IT incidents, such as phishing or malware infections, can create a serious problem for health care providers. In fact, one company in this category faced a breach that involved more than 200,000 individuals. Take a moment to read the following tips from the ADA legal team. It might even be a good idea to print this information and use it as a checklist to help you keep your office computer network safe.
Protect sensitive data on business and personal computers
- Download and begin using full-disk encryption software.
- FREE software is available, and some can cost as little as $100.
- Encrypting your computers can save money on cyber liability insurance (see below).
- If the encryption software complies with HHS encryption guidelines[1], you may not have to report a breach in the future.
- Password-protect files containing Protected Health Information (PHI)[2] or Personally Identifiable Information (PII)[3].
- Consider obtaining cyber liability insurance.
- Avoid unnecessarily downloading files containing PHI or PII onto your computer’s hard drive.
- Do not collect any unnecessary PII from patients.
- Purchase anti-malware/anti-virus software and set it to run every night.
- Regularly check for and install security updates.
- Adopt an emergency action plan to handle cyber security breaches in your office.
- Understand and comply with applicable laws, regulations and contractual obligations, such as HIPAA, state data security law and the Payment Card Industry Data Security Standard (PCI DSS)[4].
- Provide comprehensive employee training on preventing and responding to security breaches.
Determine if your computer and/or sensitive data may have been compromised
Your computer and/or sensitive data may have been compromised if any of the following has occurred:
- Your anti-malware/anti-virus program discovered spyware or viruses on your system.
- Your bank accounts were accessed as the result of a phishing scam.
- New programs or unfamiliar files have been installed on the computer.
- Login credentials for any website have been changed without your knowledge.
- You experience frequent, random pop-up windows with ads or system warnings.
- You have been told that spam is being sent from your email account.
- Your computer is consistently running slower than normal and a system restart doesn’t fix this issue.
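Several of the warning signs above (new programs, unfamiliar files, changed settings) are easiest to spot against a known-good record of what was on the machine. The following is an added example, not part of the ADA checklist: a small Python script that hashes every file under a directory, saves that baseline, and later lists files that are new, changed or missing. The directory layout and file contents in `demo()` are constructed for illustration; the baseline should be taken while the computer is known to be clean and kept off the machine (for example on the backup drive), because anyone able to change the files could otherwise change the baseline too.

```python
"""Baseline-and-compare check for unfamiliar files or programs.

Added example, not part of the ADA checklist: hash every file under a
directory, save that baseline, and later diff a fresh snapshot against it
to list files that are new, changed or missing. The directory layout and
file contents in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def _sha256(path: str) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map each regular file under root (slash-separated relative path) to its hash."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Symlinks are skipped: hashing the target would attribute it to the link's path.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = _sha256(full)
    return result


def save_baseline(snap: Dict[str, str], path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return files that appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then simulate an unexpected
    new program, a modified document and a deleted file."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app.exe"), "wb") as fh:
            fh.write(b"original program bytes")
        with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as fh:
            fh.write("office software\n")
        baseline_path = os.path.join(store, "baseline.json")  # kept outside the tree
        save_baseline(snapshot(root), baseline_path)

        # Later: something unfamiliar shows up, a file changes, a file vanishes.
        with open(os.path.join(root, "bin", "unknown.exe"), "wb") as fh:
            fh.write(b"not installed by the office")
        with open(os.path.join(root, "README.txt"), "a", encoding="utf-8") as fh:
            fh.write("tampered line\n")
        os.remove(os.path.join(root, "bin", "app.exe"))

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A report of added or changed files is a prompt to investigate, not proof of compromise: software updates change files too, so re-take the baseline after each legitimate update.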
Take Immediate Action When Necessary
What to do right now if you suspect you’ve been hacked
- Don’t panic: the installation of malware or a virus infection doesn’t always mean that PHI, PII or other sensitive data was improperly accessed.
- Don’t shut down your computer: Malware often resides in a computer’s memory and not the hard drive; turning off the computer will erase the memory, and with it, evidence of the cyber attack.
- Back up your most important files and data onto an external hard drive.
- Run anti-malware/anti-virus software on all network computers (generally, all computers in your office): Computers on a network can communicate, which means an infection on one computer could affect other computers in the same network.
- Determine if the affected computer held PHI and/or PII of patients or employees:
  - If it did, or if you are unsure, continue to Step #1 below.
  - If it did NOT, continue to Step #2 below.
Step #1: What to do if the affected computer contained PHI and/or PII
- Determine who in your practice needs to be made aware of the incident and when to inform these individuals[5].
- Contact a computer expert to investigate the extent of the problem. To find a computer expert, ask friends for recommendations, visit your nearest Best Buy or Apple store, or call your computer’s technical support hotline. Experts can find and remove the malware and assess the full scope of the breach. Work with the professional to determine what files were accessed and to repair the damage done to your computer system so you can resume normal business activities.
NOTE: HIPAA covered entities must have a Business Associate Agreement in place if the professional may have access to PHI.
- Call your attorney for legal guidance on state and federal breach notification laws.
- If PHI may have been exposed to an unauthorized individual, consult trusted sources to ascertain your reporting obligations.
- If PII may have been exposed, refer to your state’s reporting guidelines.
- Check your cyber liability insurance policy (or your general liability insurance policy) for information about reporting this event; contact your carrier(s) if you have questions regarding coverage or responding to and resolving this event.
- If credit or debit card information was compromised, check the relevant agreement(s) with any credit card company or financial institution to determine your contractual obligations; you may need to provide notification of the event.
- Depending on the nature of the event, you may want to contact your local or state police computer crimes unit and/or the FBI for guidance.
- For information about identity theft involving social security numbers, see the ADA publication, “Protecting Yourself from Identity Theft”.
- Begin keeping a log of daily activities and who performs each action in response to this event. This may be important if there is a lawsuit against you in the future.
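A log of who did what, and when, is only useful later if it can be shown that nobody altered it after the fact. As an added example (not part of the ADA checklist), the Python below keeps each entry chained to the previous one by a SHA-256 hash, so editing or deleting an earlier line makes `verify()` fail. The names and actions in `demo()` are constructed sample data; the optional file path writes the same entries as append-only JSON lines.

```python
"""Hash-chained incident log: who did what, and when, in tamper-evident form.

Added example, not part of the ADA checklist. Every entry stores the
timestamp, the person acting, the action taken and the SHA-256 of the
previous entry, so a later edit to any earlier line breaks the chain and
verify() reports it. The names and actions in demo() are constructed.
"""
import datetime
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # "previous hash" used by the first entry


def _entry_hash(body: Dict[str, str]) -> str:
    """Hash a canonical (sorted keys, no whitespace) JSON form of the entry body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class IncidentLog:
    def __init__(self, path: Optional[str] = None) -> None:
        self.path = path  # optional append-only JSON-lines file
        self.entries: List[Dict[str, str]] = []

    def record(self, actor: str, action: str,
               when: Optional[datetime.datetime] = None) -> Dict[str, str]:
        """Append one entry linked to the previous entry's hash."""
        ts = (when or datetime.datetime.now(datetime.timezone.utc)).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"time": ts, "actor": actor, "action": action, "prev": prev}
        entry = dict(body, hash=_entry_hash(body))
        self.entries.append(entry)
        if self.path:
            with open(self.path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify(self) -> bool:
        """True only if every entry's hash matches its content and links to its predecessor."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _entry_hash(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    @classmethod
    def load(cls, path: str) -> "IncidentLog":
        """Re-open a JSON-lines log so it can be verified or extended later."""
        log = cls(path)
        with open(path, encoding="utf-8") as fh:
            log.entries = [json.loads(line) for line in fh if line.strip()]
        return log


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: three entries verify; after one is edited, they do not."""
    log = IncidentLog()
    log.record("office manager", "noticed pop-up warnings on front-desk PC; left it powered on")
    log.record("office manager", "ran anti-malware scan on all network computers")
    log.record("Dr. Example", "called attorney about breach notification obligations")
    intact = log.verify()
    # Someone later rewrites the second entry.
    log.entries[1]["action"] = "no scan was run"
    return intact, log.verify()


if __name__ == "__main__":
    print("before tampering, after tampering:", demo())
```

The chain shows that entries were not altered after being written; it does not by itself prove when they were written, so keep a periodic copy of the latest hash somewhere the log's author cannot quietly change (an e-mail to your attorney, for instance).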
Step #2: What to do if the affected computer did NOT contain PHI and/or PII
- Run anti-malware/anti-virus software to remove the infection.
- Run anti-malware/anti-virus software on all computers on the same network as the infected computer.
- If necessary, contact a computer expert to help restore your computer back to working order (for more information, see Step #1 above).
- Take extra steps to ensure that all business and personal computers are protected in the future (for more information, refer to the first section of this document).
[1] These guidelines are available from the U.S. Department of Health and Human Services.
[2] PHI refers to information protected by HIPAA. In general, PHI includes information about past, present, or future physical and mental health or condition, health care, or payment for health care, which identifies an individual or can be used to identify an individual.
[3] The definition of PII varies from state to state. In many states it includes an individual’s name (first and last, or first initial and last name) along with his or her social security number, credit or debit card number, driver’s license or state ID number, or account number. In certain states PII also includes other information, such as health information or health insurance information.
[4] For information about PCI DSS compliance, see PCI Security Standards.
[5] Sometimes notice of a suspected hacking incident needs to be withheld for law enforcement purposes. If you are working with law enforcement, you should follow any instructions they provide to you. However, in most instances, privacy and security officials in your office should be notified promptly. Other owners, business managers, and staff members should be notified as necessary within a reasonable amount of time.