One of the biggest mistakes physicians and practice managers can make is to assume they will not be a target of cyberattacks. Unfortunately, this is absolutely untrue. Recently, a two-physician practice in West Michigan was the victim of a ransomware attack. The practice lost access to all medical records, billing, scheduling, and other critical data after ransomware attackers encrypted all data on their computers and network. The attackers demanded $6,500 for a decryption key to unlock all the data on the practice’s computers. Instead of paying, the physicians decided to retire so they wouldn’t have to deal with it. All of their records were permanently lost. All of their patients had to find new physicians without access to any of their medical history. Cyberattacks not only affect the practice’s business operations–they affect patients too.
What Is Ransomware?
Ransomware is a type of computer virus that infects and encrypts all data on a network. Users lose the ability to access anything on the network. For a physician practice, this means no access to patient medical records, billing, financial records, insurance verification, scheduling, and more. Ransomware attackers typically extort money by displaying an on-screen alert stating the user’s systems have been locked or the files have been encrypted. The user is informed that unless a ransom is paid, access will not be restored. Ransomware is usually spread by phishing attacks or click-jacking (when a user is tricked into clicking on something that looks useful but takes them to the criminals’ sites). For more information on ransomware, watch the youtube video below.
What Makes Medical Practices a Target?
With the passage of the Patient Protection and Affordable Care Act (PPACA) in 2012, all public and private healthcare providers were required to adopt electronic health records (EHRs). Although the intentions of this were good, a drawback is that health care providers become dependent on computers as part of everyday operations. To be fair, it wasn’t just the passage of the PPACA—our society has grown highly dependent on computers for everything we do, both personal and business, making computer systems prime targets. Not being able to use your computers coupled with not having access to all your data is a devastating scenario for any business. Cyber hackers know this all too well and ransomware is among their best weapons.
The cyber attackers in the West Michigan attack demanded $6,500, and although this may be a relatively small amount for a professional business, there are other financial and legal issues to consider. Even if the practice agreed to pay the $6,500, they would still have had to hire highly specialized forensic IT professionals to ensure no trace of the virus remained. In some cases, computer systems would need to be completely rebuilt. Revenue will be lost from even a day of not being able to see patients. Then there are the legal costs. Are there HIPAA violations? Do the attackers have a copy of all the data that was on the system? Will patients sue the practice for not being treated? The cost implications could easily add up to over $100,000—staggering for a small business.
How to Avoid Being Victim to Ransomware
Although the impact of ransomware can be devasting, there are actions medical practices can take to protect themselves.
- Backup all data routinely and have a recovery plan for all critical information. Perform and test regular backups to limit the effect of data or system loss and expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from your network for optimal protection.
- Keep operating systems and software up to date with the latest patches. Outdated applications and operating systems become vulnerable and are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date antivirus software, and scan all software downloaded from the internet prior to executing.
- Restrict users’ abilities (permissions) to install and run software applications, applying the principle of least privilege required to all systems and services. Restricting privileges to users and machines that truly require them limits the likelihood that malware will be installed and can limit its ability to spread through your network.
- Avoid enabling macros from email attachments. If a user opens a malware attachment and enables macros, embedded code will execute the malware on the machine.
- Do not follow Web links in unsolicited emails.
To learn more about Cybersecurity and Using Health Care IT, join us on Facebook, Twitter, and LinkedIn.
Cybersecurity Guide Available to Members of Smart Business Great Medicine.
