The Optometric Minute

The Growing Ransomware Threat: What If Your Data is Held Hostage?

April 12, 2017

Ted McElroy, OD, was shocked to find his practice cyber-attacked by ransomware that encrypted all of his business files and patient data, essentially freezing his practice. After exploring his options, he paid a $3,000 ransom to the hijackers to get back in business. On investigation, he corrected weaknesses in his backup system, and he devised a defensive plan should an attack happen again. Data hijacking is part of a growing trend, as cyber criminals target medical practices and health care systems as easy prey and willing payers. How prepared are you to defend against cyber criminals?

Defensive Plan: Continually monitor your backup to be sure it’s working and archived offline. If attacked, be prepared to wipe your entire computer system clean and re-install it. Negotiate with the hijackers to send you the key to unlock your data, paying not their asking price but what it would cost your IT personnel to re-install the system. Estimate: three hours, or $300.

HIPAA Concern: Are you sure your patient data has not been breached? You may be required to inform all patients of a potential breach of their patient data and payment information.

BACK UP FILES. Back up your files both on external hard drives (around $100 apiece at an office supply store) and in the cloud, using a service like Carbonite or one of its competitors. The cost of backing up your data online depends on the amount of data you have to back up. In the case of Dr. McElroy’s practice, it costs just $89 a month to back up online, “in the cloud.”
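The Defensive Plan above says to continually check that the backup is working; the section on backing up files says where the copies should live. As an added example (not from the article or Dr. McElroy’s practice), this script records a SHA-256 manifest when a backup is taken and later re-verifies it, reporting files that are missing or no longer match (as encrypted files would) and flagging a backup that has not been refreshed within an assumed 24-hour window. The manifest format, file names and threshold are assumptions for illustration.

```python
import hashlib, json, tempfile, time
from pathlib import Path

STALE_AFTER_SECONDS = 24 * 3600  # assumption: no fresh copy in a day means the backup is "not working"


def sha256_of(path):
    """Hash a file in chunks so large record databases do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, manifest_path):
    """Record one hash per backed-up file. Keep this manifest off the backup media
    (e.g. on the offline archive) so an attacker who encrypts the backup cannot also rewrite it."""
    manifest = {str(p.relative_to(backup_dir)): sha256_of(p)
                for p in sorted(Path(backup_dir).rglob("*")) if p.is_file()}
    Path(manifest_path).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(backup_dir, manifest_path, now=None):
    """Compare the backup against the manifest; 'now' is injectable so staleness can be tested."""
    now = time.time() if now is None else now
    manifest = json.loads(Path(manifest_path).read_text())
    report = {"ok": [], "changed": [], "missing": [], "stale": False}
    newest = 0.0
    for rel, expected in manifest.items():
        p = Path(backup_dir) / rel
        if not p.exists():
            report["missing"].append(rel)
            continue
        newest = max(newest, p.stat().st_mtime)
        (report["ok"] if sha256_of(p) == expected else report["changed"]).append(rel)
    report["stale"] = (now - newest) > STALE_AFTER_SECONDS if newest else True
    report["healthy"] = not (report["changed"] or report["missing"] or report["stale"])
    return report


def demo():
    """Constructed sample: a tiny three-file 'backup', verified before and after simulated damage."""
    root = Path(tempfile.mkdtemp())
    backup = root / "backup"
    backup.mkdir()
    for name, body in {"patients.db": b"record 1\nrecord 2\n",
                       "schedule.csv": b"2017-04-12,exam\n", "billing.xml": b"<invoice/>\n"}.items():
        (backup / name).write_bytes(body)
    manifest = root / "manifest.json"  # in practice stored on separate, offline media
    write_manifest(backup, manifest)
    good = verify_backup(backup, manifest)
    (backup / "patients.db").write_bytes(b"\x00\x11unreadable")  # content replaced: hash mismatch
    (backup / "billing.xml").unlink()                            # file gone: reported as missing
    bad = verify_backup(backup, manifest)
    stale = verify_backup(backup, manifest, now=time.time() + 3 * 86400)  # nothing refreshed for 3 days
    return good, bad, stale
```

Run the verification on a schedule and alert on any report where `healthy` is false; a clean hash check also doubles as evidence that the copy could actually be restored.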

GET WHOLLY IN-THE-CLOUD. Choose an electronic health records and practice management system that resides wholly in the cloud. EHR/practice management systems that reside entirely online guarantee the security of your data as part of your contract with them. If the information is encrypted by a hacker, they are the ones responsible for paying the fee to unlock it, and if the information is breached and exposed, they are responsible for paying damages to your practice to cover related expenses and the potential loss of patients.

DON’T LOAD NEW SOFTWARE FROM E-MAIL. When loading a new piece of software onto your server, first copy it onto a zip drive. Then run a virus scan to make sure no viruses are present, and only then load it onto your server.

FURTHER READING: Learn more about ransomware, and how health care providers are being targeted:

Has Health Care Hacking Become an Epidemic?

Why Hackers Are Going After Health-Care Providers

Healthcare is a Win-Win Target for Hackers

Guidance on public disclosure of breach:

Health & Human Services Data Breach Notification Rule

Ted McElroy, OD, is the owner of Vision Source Tifton in Tifton, Ga, and the president of SECO. To contact him: tam6767@gmail.com
