Two dental technology companies recently had their systems held hostage by ransomware attacks, affecting an estimated 400 dental practices.
If you are a dental professional who relies on a third-party company to store your patients’ protected health information (PHI), you must have a Business Associate Agreement (BAA) in place: HIPAA requires it, and it is what makes the vendor accountable for third-party failures like these. You can get a free BAA for your practice by signing up for CEDR’s on-demand HIPAA training program, which is free to use for the first year.
What Is Ransomware?
Ransomware is malicious software that encrypts the data on a system so that its owner (and anyone else who relies on it) can no longer read it. The attackers then demand a ransom in exchange for the decryption key. Without that key or a clean backup, the data stays inaccessible, and paying is no guarantee that a working key will ever be delivered.
Ransomware attacks are becoming more common.
In August, two dental technology companies had their systems hit by ransomware. The two companies stored PHI for their customers (dental practices), including full medical records. One day it was there; the next it was completely inaccessible.
Medical and billing records were suddenly gone for every practice that used the compromised software. For some, even their appointment schedules and patient contact information were gone. All those practices could do was wait for patients to show up and then tell them that they could not be seen.
Your business doesn’t need to be hacked directly to suffer from a ransomware attack.
It wasn’t the practices’ own systems that were hit with ransomware; it was the software vendors’ systems, which the practices had trusted as the custodians of their data. The practices themselves could have done everything right and this still would have happened.
HIPAA guidelines and IT best practices tell dental practices to encrypt PHI so that an attacker who gets hold of the data cannot read it. Had the data not been encrypted by the third-party software companies, those practices could have been facing an enormous HIPAA breach, with notification obligations to every affected patient.
What happened here is that the data was encrypted at rest, so the PHI itself was not readable by the attackers. But encryption protects confidentiality, not availability. Ransomware does not need to read a file to encrypt it: the attackers simply encrypted the already-encrypted data a second time with their own key. Recovering the records now requires both keys, the attackers’ and the practice’s, so the practices could not reach any of the information they needed to run their businesses.
This incident highlights two key HIPAA requirements.
First, practices need to have a contingency plan.
A contingency plan is your fallback: what you would do if all of your data were suddenly gone. HIPAA requires one. It is also exactly what you need when a third party with access to your patients’ PHI is hit, as happened here.
Ask yourself whether you could continue to operate if all of the electronic PHI you rely on were suddenly gone. If the answer is “no,” you need to put a contingency plan in place, not only to comply with HIPAA, but to have a plan if something like this happens to you.
Practically, this means backups, stored somewhere separate from the primary system that houses the data. A backup that the primary system can write to can be encrypted by the same ransomware, so the copy should be offline, on separate storage, or otherwise unreachable from the system it protects, and you should periodically verify that it can actually be restored. Even paper or removable-media backups may be appropriate. Generally this is within the purview of your IT provider and isn’t something you do yourself, but it is something you should make sure your IT provider does.
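The two points above, that encryption at rest does not stop ransomware and that only a separately stored, verified backup restores access, as an added example that is not code from the original post, CEDR, or either vendor. The vendor system, the offsite backup location, the patient record and the keys are all constructed for the illustration, and a toy XOR cipher stands in for real encryption so the script runs with the standard library alone.

```python
# Added example, not code from the original post, CEDR, or either vendor.
# It shows (1) that ransomware can encrypt data that is already encrypted at
# rest without ever holding the practice's key, so encryption protects
# confidentiality but not availability, and (2) that a backup kept on separate
# storage and checked against a manifest is what actually restores access.
import hashlib
import secrets
import tarfile
import tempfile
from pathlib import Path

BACKUP_NAME = "phi-backup.tar"
MANIFEST_NAME = "phi-backup.sha256"


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Toy one-time-pad (XOR) used in place of a real cipher so the example needs
    only the standard library. Encryption and decryption are the same operation."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(b ^ k for b, k in zip(data, key))


def take_backup(data_dir: Path, backup_dir: Path) -> Path:
    """Archive data_dir into backup_dir and record the archive's SHA-256 so a
    later restore can detect a backup that was itself altered or encrypted."""
    archive = backup_dir / BACKUP_NAME
    with tarfile.open(archive, "w") as tar:
        tar.add(data_dir, arcname="data")
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    (backup_dir / MANIFEST_NAME).write_text(digest)
    return archive


def verify_backup(backup_dir: Path) -> bool:
    """True only if the archive still matches the digest recorded when it was taken."""
    archive = backup_dir / BACKUP_NAME
    expected = (backup_dir / MANIFEST_NAME).read_text().strip()
    return hashlib.sha256(archive.read_bytes()).hexdigest() == expected


def restore_backup(backup_dir: Path, target_dir: Path) -> None:
    """Refuse to restore a backup that fails verification, then unpack it."""
    if not verify_backup(backup_dir):
        raise RuntimeError("backup integrity check failed; do not restore from it")
    with tarfile.open(backup_dir / BACKUP_NAME) as tar:
        try:
            tar.extractall(target_dir, filter="data")  # safe extraction, Python 3.12+
        except TypeError:  # older Python without the filter argument
            tar.extractall(target_dir)


def run_scenario() -> dict:
    """Walk through the incident described in the post with constructed sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        vendor_primary = root / "vendor_primary"   # hypothetical vendor system holding the PHI
        offsite_backup = root / "offsite_backup"   # hypothetical separate backup storage
        vendor_primary.mkdir()
        offsite_backup.mkdir()

        # Constructed sample record; the practice's key encrypts it at rest.
        record = b"Patient: J. Doe, DOB 1980-01-01, appt 2019-08-27 09:00"
        practice_key = secrets.token_bytes(len(record))
        stored = vendor_primary / "record.bin"
        stored.write_bytes(xor_crypt(record, practice_key))

        take_backup(vendor_primary, offsite_backup)  # taken before the attack

        # Ransomware: encrypts the ciphertext with its own key. It never needs
        # practice_key and never sees the plaintext.
        attacker_key = secrets.token_bytes(len(record))
        stored.write_bytes(xor_crypt(stored.read_bytes(), attacker_key))

        own_key_only = xor_crypt(stored.read_bytes(), practice_key)
        both_keys = xor_crypt(xor_crypt(stored.read_bytes(), attacker_key), practice_key)

        # Contingency plan: restore from the verified, separately stored backup.
        restored = root / "restored"
        restore_backup(offsite_backup, restored)
        from_backup = xor_crypt((restored / "data" / "record.bin").read_bytes(), practice_key)

        return {
            "own_key_recovers": own_key_only == record,   # False: availability is lost
            "both_keys_recover": both_keys == record,     # True: hence the ransom demand
            "backup_recovers": from_backup == record,     # True: the contingency plan works
        }


def tampered_backup_is_rejected() -> bool:
    """A backup the attacker could reach and alter must fail verification."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data, backup = root / "data", root / "backup"
        data.mkdir()
        backup.mkdir()
        (data / "note.txt").write_bytes(b"constructed sample")
        archive = take_backup(data, backup)
        raw = bytearray(archive.read_bytes())
        raw[-1] ^= 0xFF  # flip one byte, as if the backup had been encrypted in place
        archive.write_bytes(bytes(raw))
        return not verify_backup(backup)
```

The manifest check is the part practices most often skip: a backup that the ransomware could reach is worthless, and you only find that out at restore time unless something verifies it first. Real deployments would use a proper cipher and keep the manifest (or a signed copy of it) somewhere the primary system cannot write.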
The other key requirement is solely your responsibility: the Business Associate Agreement.
When a dental or medical practice gives a third party access to its patients’ PHI to perform services on the practice’s behalf, and that third party isn’t itself covered by HIPAA, the third party is a “business associate.” HIPAA then requires the practice to enter into a Business Associate Agreement (BAA) with it.
What is a Business Associate Agreement?
A Business Associate Agreement is essentially a contract saying that a third party (or “business associate”) who is given PHI by a healthcare practice must protect that data as if they were covered by HIPAA regulations themselves.
How does a BAA work?
The effect of a BAA matters: it spells out the business associate’s obligations to safeguard the PHI the practice shares with it, and it makes the business associate directly accountable under HIPAA for its own failures.
If the business associate doesn’t follow the regulations and the PHI is breached or ransomed, the business associate, not the practice, answers for that failure and the resulting fines or lawsuits. Without a signed BAA, the practice has shared PHI impermissibly and is on the hook for whatever the vendor does with it. A BAA does not erase the practice’s own duties, though: the practice still has to choose vendors with reasonable care and still has to notify affected patients if a breach occurs.
If any of the healthcare-provider customers of the two companies who had their data ransomed failed to execute a BAA prior to the attack, those providers could be in for some stiff penalties.
The BAA is much more than a formality: it is the tool that puts responsibility for mishandled PHI onto the business that mishandled it, rather than on your practice.
As with the mandate that healthcare providers keep a contingency plan for accessing and protecting PHI, executing a BAA is required by HIPAA. But beyond being a legal requirement, BAAs are critical legal protection for any healthcare provider that gives its patients’ PHI to non-covered entities for any reason.
For more about Business Associate Agreements, or to download the official model template from CEDR, take a look at CEDR’s HIPAA Training Knowledge Base. If you have not yet registered for your free one-year trial of CEDR’s HIPAA training program, click here to sign up so that you can access that information.