Do you have responsibility for your own IT systems? Consider the following scenario.
You open up the practice for the day and start the computer systems. You are confronted by an on-screen message: “Your Computer Files have been Encrypted and Locked… This is unfortunate although for a small fee all of your Files will be returned to their original location as if nothing ever happened.” And you are given instructions on how to pay a “ransom” in Bitcoin.
You try another machine... one by one, it appears that all are locked. Switching the machines off and on again doesn't help.
This is what confronted computer systems around the world just over a month ago, in a massive cyber attack that hit thousands of organisations, large and small, including the NHS, and that echoed earlier attacks of the same kind on a number of American hospitals.
But back to our scenario – you might now want to consider some questions:
- Do you have someone in the practice who manages the IT system?
- Do you have a third party who supports the IT system?
- Are staff aware of cyber risks?
- Do you have a backup copy of patient information?
Say you do have a backup, but it is kept in the office with no external copy of the patient files. A backup that sits on the same machines or network share as the live data may well have been encrypted along with everything else. What do you do next?
MDDUS advice is first to contact any existing ICT support service urgently and ask them to assist. If you have no ICT support or service arrangement, source a specialist company experienced in dealing with ransomware. If you do have a backup dataset, do not restore from it until a specialist has declared the system 'safe': restoring onto machines that are still infected simply hands the same files to the ransomware again, and may leave you with no usable copy at all.
Consider reporting the matter to the Information Commissioner's Office (ICO). If you hold personal data that has been encrypted by a ransomware attack and you cannot restore it, the ICO may take the view that you failed to take appropriate measures to keep it secure and have therefore breached the Data Protection Act. That can lead to a fine and/or a requirement to undergo an ICO audit, and details of the case may be placed in the public domain. Note also that from 25 May 2018 the General Data Protection Regulation (GDPR) applies, and it makes reporting personal data breaches to the ICO mandatory: normally within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the people affected.
If information has been destroyed by the attack, you may also have to consider notifying the patients affected. Bear in mind that if you decide not to report the matter to the ICO, your patients may do so. Report the attack through Actionfraud.police.uk, who can advise on next steps, and contact your bank if any payment systems are affected.
Ransomware usually arrives by email, as a malicious attachment or a link to one, although it can also spread directly between unpatched machines on a network, as the recent attack did. You should make sure that a third-party ICT support service will:
- Install anti-virus and anti-malware software and keep it up to date.
- Regularly check that the virus and malware protection on every machine is working and current.
- Keep operating systems and applications patched, since known flaws are what network-spreading ransomware exploits.
- Take regular backups to an offsite location, or to a copy that is kept disconnected from the network, and regularly test that a full restore from them actually works.
- Train staff to question unexpected emails that contain attachments or links, and to report them rather than open them.
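As an added illustration of the backup advice above, and of the earlier point about not restoring until the system is clean, the POSIX shell script below is not from the MDDUS article: it takes a backup of a records directory to a separate location together with a SHA-256 manifest, proves the copy can be restored by unpacking it into a scratch directory and checking every file against the manifest, and then restores it after the live files have been overwritten. The directory names and the two sample records are constructed for the demo, and the script assumes `tar`, `sha256sum`, `mktemp` and `find` as found on a typical Linux system.

```shell
#!/bin/sh
# Added example, not part of the MDDUS article: take a backup of a records
# directory, keep it on a separate ("offsite") path with a checksum manifest,
# and prove the copy can be restored before it is ever needed.
# All paths and the sample records below are constructed for the demo.
set -eu

# Build a small constructed dataset so the script runs offline.
make_sample_data() {
  mkdir -p "$1/records"
  printf 'patient-0001,2017-06-01,annual review\n' > "$1/records/0001.csv"
  printf 'patient-0002,2017-06-02,follow-up\n'     > "$1/records/0002.csv"
}

# Archive SRC ($1) into OFFSITE ($2) as backup-<timestamp>.tar plus a SHA-256
# manifest. The manifest is what lets verify_backup detect a partial or
# corrupted copy. Prints the archive path.
backup_offsite() {
  src="$1"; offsite="$2"
  archive="$offsite/backup-$(date +%Y%m%d-%H%M%S).tar"
  mkdir -p "$offsite"
  tar -C "$src" -cf "$archive" .
  (cd "$src" && find . -type f -exec sha256sum {} + | sort -k2) > "$archive.sha256"
  printf '%s\n' "$archive"
}

# Restore ARCHIVE ($1) into a scratch directory and check every file against
# the manifest. Returns 0 only if the restored data matches what was backed up.
verify_backup() {
  archive="$1"
  scratch=$(mktemp -d)
  if (cd "$scratch" && tar -xf "$archive" \
        && sha256sum -c "$archive.sha256" >/dev/null); then
    rm -rf "$scratch"; return 0
  fi
  rm -rf "$scratch"; return 1
}

# Restore ARCHIVE ($1) into DEST ($2), e.g. onto a machine a specialist has
# declared clean.
restore_backup() {
  mkdir -p "$2"
  tar -C "$2" -xf "$1"
}

# Simulate the failure mode in the article: every live file is overwritten
# with junk, as an encrypting attacker would leave it.
simulate_ransomware() {
  find "$1" -type f -exec sh -c 'head -c 64 /dev/urandom > "$1"' sh {} \;
}

# End-to-end walk-through of the scenario.
demo() {
  work=$(mktemp -d)
  make_sample_data "$work/live"
  archive=$(backup_offsite "$work/live" "$work/offsite")
  if verify_backup "$archive"; then
    echo "backup verified: $archive"
  else
    echo "backup FAILED verification, do not rely on it"; exit 1
  fi
  simulate_ransomware "$work/live"
  restore_backup "$archive" "$work/restored"
  echo "restored record: $(cat "$work/restored/records/0001.csv")"
  rm -rf "$work"
}

# Run the walk-through with: sh backup_check.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

The manifest check is the part that matters: a backup that "exists" but cannot be restored byte-for-byte is the situation the article warns about, and a scheduled run of `verify_backup` against the most recent archive is the cheapest way to find out before an attack rather than after. In a real practice the offsite path would be removable media or a remote store that the live machines cannot write to once the backup has been taken.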
You should also ensure that you have a contract with any third-party ICT support provider that sets out liability and the associated cover for your loss, but bear in mind that no contract can cover the reputational damage caused by this type of event.
- If you don’t understand computers – engage experts who do.
- Train staff not to open suspicious emails and to know who to report them to.
- Ensure you have a backup of patient information kept offsite.
Alex Lyons is senior information governance adviser at MDDUS