Perhaps you thought it would never happen to an office your size, or that you were protected, but it’s happened anyway: your practice’s computer systems have been compromised and patient protected health information (PHI) may be at risk. Here are five steps to take if your practice experiences such an incident:
1. Call for help
At the first sign of unusual computer activity—frequent crashing, slow servers, files that won’t open—get help. Unless you have a full-time IT pro who’s well-versed in computer forensics and HIPAA regulations, you’re going to need outside experts.
“You’d never recommend do-it-yourself surgery,” says Lee Kim, JD, CISSP, director of privacy and security at the Healthcare Information and Management Systems Society North America. “Retain a consultant that has a forensics background.”
But don’t make the call yourself. Call your attorney instead, and have him or her engage the tech team, says Mark Dill, a longtime HIT professional and principal consultant at TW-Security.
“If the lawyer formalizes the engagement, the work is oftentimes considered part of attorney-client privilege,” Dill says. That may allow your response to the breach to remain confidential during potential litigation.