Black Talon Security CEO Gary Salman says there are steps plastic surgery practices can take in the aftermath of a cyber-attack to mitigate the damage (and follow the law).

By Tonya Johnson

Being the victim of a cyber-attack feels like an emotional assault against everything a doctor has worked for in his or her medical career. Gary Salman, CEO of New York-based Black Talon Security, has witnessed attacks’ devastating aftermath.

“The biggest problem is that 99% of private practices do not have a plan, and they have no idea what to do next,” he says.

The recovery process from a ransomware cyber-attack takes at least 7 to 14 days, in Salman’s observation. If your private practice facility is a victim of cyber-crimes, Black Talon Security advises 5 steps to help prepare for what’s to come in the weeks and months ahead.

  1. Immediately unplug your network connection to the internet, and remove any backup drives. There’s a chance that the hackers haven’t taken out the facility’s external backup drives.
  2. Call a cybersecurity company before demanding your information technology (IT) vendor gets your practice back online. While most practitioners will be anxious to have their IT team get the office’s network running again, most IT companies are not trained to investigate cyber-crimes. Hackers are even known to use the IT vendor as a vulnerable entry point to attack. Cybersecurity firms guide the practitioner through the correct steps and processes to work toward the best possible outcome. Ideally, it’s best to engage with the company before you need the service.
  3. Call an attorney. An attorney can provide important information on the legal ramifications—including violations of HIPAA guidelines. Salman finds that about 90% of doctors don’t report cyber-attacks—due to lack of knowledge of the law or concern about the IT company’s reputation among other clients.
  4. Report the cyber-attack as a crime. Under HIPAA, a ransomware attack is a data breach. As a crime, cyber-attacks must be reported to local authorities. Not only do hackers often gain access to a patient’s personal data, cyber-criminals, are also privy to confidential medical photos from patient procedures. Some individual states across the country have more stringent laws than the federal laws.
  5. Regain the trust of your clients, reassure your staff, and get ahead of a potential public relations nightmare. As a condition of employment, have employees agree to a nondisclosure agreement that explicitly states they are not to discuss any cyber-attacks outside of the practice. If an attack occurs, put an action plan in place to communicate a reliable, trustworthy message to your clients and medical staff—“Here’s what happened, here’s how we plan to fix it.” Also notify any outside medical specialists who may have collaborated on a client case. Through an attorney, public relations firm, and compliance company, craft a letter to the patients explaining what happened, if data was compromised, offer identity theft monitoring service, and provide a company contact number for patient questions and concerns.

In most cases, it’s best for patients to hear about the cyber-attack from their practitioner directly because it builds their confidence in the provider. In general, the more transparency you provide, the better. But always work under the advisement of an attorney.

Tonya Johnson is associate editor at Plastic Surgery Practice.