Do not turn off the computer; powering it off may destroy evidence. Take a photo of the screen.
Disconnect the affected computer and the network from the internet (unplug the network cable or disable Wi-Fi rather than shutting the machine down). Do not use any device or computer connected to the network until an expert has cleared it.
Contact your IT service to examine the computers, the network and all backups.
Contact your cyber liability coverage carrier and implement your incident response plan.
IF YOU DO NOT HAVE CYBER LIABILITY COVERAGE
- Do not pay ransom.
- Report the incident to local law enforcement and to the FBI through ic3.gov.
- Document all information related to the incident, including the date and time it occurred, what the individual was doing when it occurred, and the results of the expert analysis of the information system.
- If forensic analysis documents that data was not accessed and you still have access to all PHI, perform a HIPAA breach risk assessment to determine next steps.
- If you cannot access PHI, or expert analysis confirms that PHI was probably accessed by unauthorized individuals, initiate the steps for breach notification. This may include reconstructing the patient information held.
- To reconstruct the information, start with the most recent backup that has been verified as clean. Contact dental benefit companies for copies of EOBs. Contact the bank for deposit information.
- If employee information is affected, contact the payroll company.
- Data breach notification requirements and a sample notification letter are available on cda.org.
TDIC reported in 2021 that the cost to one dental practice to return to normal operations after a cyber incident was close to $100,000.
IF YOU DO NOT HAVE AN INCIDENT RESPONSE PLAN
Having a plan is a HIPAA requirement (the Security Rule requires documented security incident procedures). The intent of the plan is to help the organization before, during and after a cyber security incident.
- Understand what could have been done to prevent the incident or limit its impact on the practice; for example, regular system monitoring, additional staff training or more frequent backups.
- Perform a risk analysis as required by HIPAA. Refer to HIPAA Security Rule-A Summary for information on the minimum level of security.
- Develop a detailed plan for when a cyber incident occurs. Consider:
  - The appointment schedule: print it each day or week so the practice can operate while systems are unavailable.
  - Patient notification. Employees who are also patients should receive the same notification.
  - Employee notification if employee information is affected.
  - Vendor notification, with priority on vendors who access your network, for example, a merchant card processor.
  - Staff roles and responsibilities during and after the incident.
  - Additional communications, for example, to off-site staff.
  - Evaluation of additional technology and security safeguards for implementation.