Episode 305 – 6 Ransomware Planning Tips of the Help Me With HIPAA podcast is a follow up to episode 304 – Privacy Questions Everywhere. What is scary is, in the Privacy Questions Everywhere episode, Donna and David discuss a ransomware attack on San Diego, California’s main hospital system, Scripps Health, and how it was literally playing out on Facebook. Then, in the 6 Ransomware Planning Tips episode, they talked about the Colonial Pipeline ransomware attack, and now we have yet another attack on the JBS beef supplier. JBS has paid 11 million dollars to resolve the ransomware attack and the U.S. Department of Justice is categorizing investigations of ransomware attacks to a similar priority as terrorism. So, I guess we are safe now that the Department of Justice is on the job, right? WRONG!!! We all need to start protecting our business and ourselves from these kinds of cyber attacks.
As the title of episode 305 suggests, Donna and David outline six ransomware response planning tips. What do you think the number one tip is? Yes, to have a plan and write it down. How are you going to protect yourself or your business if you don’t have a plan in writing to help you in a time of crisis? Make sure your plan has your response team named so you will know who to start coordinating the response with. The plan should have points of contact for things like your managed service provider, law enforcement, lawyers, local authorities, insurance policy agents, etc. And speaking of insurance policies, do you know what exactly your insurance policy covers? Ensure that you have a plan to communicate with your customers, patients, clients and the public. Also, include in your plan how you will communicate with the public and, more importantly, how you will NOT communicate with the public. Here’s a couple of tips: Do NOT use Facebook as a form of communication! And, do NOT use postcards, either! Using these avenues for communications could cause you to have a separate breach of protected patient information.
Remember, it is not IF you get hit with ransomware, but WHEN you get hit. You need to have a detailed incident response plan. This plan should be in writing and your staff should be trained on what they should and should not do during a crisis. Do periodic audits of the plan in case your point of contact’s change, new coverage is added or system processes change. Think about how to handle a crisis before it happens. Trust us, you don’t want to get hit with a crisis and then start preparing for it.