From the ADA Center for Professional Success:
HIPAA requires providers to maintain access to health records, in addition to protecting data from breaches. The HIPAA Security Rule is designed to protect the confidentiality, integrity, and availability of health information. Because ransomware is designed to deny access to data, there could be HIPAA implications for a dentist office that falls victim to it.
Plus this from ACS Technologies:
Last week we attended our annual DIA (Dental Integrators Association) conference. While speaking with our fellow colleagues, we were informed that the amount of ransomware that has infected clients was astonishing. Almost every IT Provider in attendance had multiple practices experience ransomware.
Ransomware is a cyber attack using malware that prevents access to computer data by encrypting the data files. The victim is required to pay a ransom to retrieve the encryption key. Usually the hacker demands payment in a very short time, just a few days. After the time expires, the encryption key is no longer available.
Once you get caught there is no easy out for ransomware. Often, but not always, the ransomware attack includes your backups. You either pay up or lose your data.
This has HIPAA implications. HIPAA not only mandates that you keep patient records confidential; it also mandates that you keep them safe and available for future use. If you lose the records, for whatever reason, that is a HIPAA violation. It is also a violation if the data is exposed to an outside entity. It does not matter if the data is exploited; it is a violation just if it is exposed. Which it is, almost by definition, with a ransomware attack.
The best approach is prevention. Train your staff to recognize suspicious e-mails. Maintain a strict Internet use protocol. Run daily backups and keep a copy off site, not connected to your main server. Contract with a competent IT professional to set up and maintain your cyber defenses.