Ted McElroy, OD, was shocked to find his practice cyber-attacked by ransomware that encrypted all of his business files and patient data, essentially freezing his practice. After exploring his options, he paid a $3,000 ransom to the hijackers to get back in business. On investigation, he corrected weaknesses in his backup system, and he devised a defensive plan should an attack happen again. Data hijacking is part of a growing trend, as cyber criminals target medical practices and health care systems as easy prey and willing payers. How prepared are you to defend against cyber criminals?
Defensive Plan: Continually monitor your backup to be sure it is working and that a copy is archived offline. If attacked, be prepared to wipe your entire computer system clean and re-install it. Negotiate with the hijackers to send you the key that unlocks your data, not at their price, but at what it would cost you to have your IT personnel re-install everything. Estimate: three hours, or $300.
HIPAA Concern: Are you sure your patient data has not been breached? You may be required to inform all patients of a potential breach of their patient data and payment method.
BACK UP FILES. Back up your files both on external hard drives (around $100 apiece at an office supply store) and in the cloud, using a service like Carbonite or one of its competitors. The cost of backing up your data online depends on how much data you have to back up. In the case of Dr. McElroy’s practice, it costs just $89 a month to back up online, “in the cloud.”
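The Defensive Plan above says to continually monitor your backup to be sure it is working, and the paragraph above describes what to back up. The following is an added example, not code from the article or from any backup vendor, of what a monitoring job for a backup should actually check: that the backup exists, is recent, has not been corrupted or altered, and can be restored with every file matching the hashes recorded when it was made. The 24-hour freshness limit, the file names and the sample data are assumptions constructed for the demo.

```python
import hashlib, json, os, tarfile, tempfile, time

MAX_AGE_SECONDS = 24 * 3600  # assumed freshness limit: one good backup per day
def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()  # files are small in this demo
def make_backup(src_dir, backup_path):
    """Archive src_dir and write a manifest holding the archive hash and per-file hashes."""
    files = {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for root, _, names in os.walk(src_dir):
            for name in names:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                files[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(backup_path + ".manifest.json", "w") as f:
        json.dump({"archive_sha256": sha256_file(backup_path), "files": files}, f)
def verify_backup(backup_path, now=None):
    """Return (ok, reasons): the backup exists, is recent, is intact and restores correctly."""
    now = time.time() if now is None else now
    if not os.path.exists(backup_path):
        return False, ["backup file missing"]
    reasons = []
    if now - os.path.getmtime(backup_path) > MAX_AGE_SECONDS:
        reasons.append("backup older than freshness limit")
    with open(backup_path + ".manifest.json") as f:
        manifest = json.load(f)
    if sha256_file(backup_path) != manifest["archive_sha256"]:
        return False, reasons + ["archive hash mismatch (corrupted or tampered)"]
    # Test restore into scratch space; the 'data' filter blocks path traversal where Python offers it.
    with tempfile.TemporaryDirectory() as restore_dir, tarfile.open(backup_path) as tar:
        tar.extractall(restore_dir, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        for rel, digest in manifest["files"].items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.isfile(restored) or sha256_file(restored) != digest:
                reasons.append(f"restore mismatch: {rel}")
    return not reasons, reasons
def demo():
    with tempfile.TemporaryDirectory() as work:
        os.makedirs(src := os.path.join(work, "practice_data"))
        with open(os.path.join(src, "schedule.csv"), "w") as f:
            f.write("2024-01-02,09:00,routine exam\n")  # constructed placeholder, not real data
        backup = os.path.join(work, "practice.tar.gz")
        make_backup(src, backup)
        healthy = verify_backup(backup)
        stale = verify_backup(backup, now=time.time() + 3 * MAX_AGE_SECONDS)
        with open(backup, "r+b") as f:
            f.write(b"\x00\x00\x00\x00")  # overwrite the gzip header in place
        return healthy, stale, verify_backup(backup)
```

`demo()` walks through the three outcomes a monitoring alert should distinguish: a healthy backup, one that has gone stale, and one whose archive no longer matches its recorded hash. A real job would run `verify_backup` on a schedule against the copy kept offline, which is the copy ransomware cannot reach.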
GET WHOLLY IN-THE-CLOUD. Choose an electronic health records and practice management system that resides wholly in the cloud. EHR/practice management systems that reside entirely online guarantee the security of your data as part of your contract with them. If the information is encrypted by a hacker, they are the ones responsible for paying the fee to unlock it; if the information is breached and exposed, they are responsible for paying damages to your practice to cover related expenses and the potential loss of patients.
DON’T LOAD NEW SOFTWARE FROM E-MAIL. When loading a new piece of software onto your server, first load it onto a zip drive. Then run a virus scan to make sure no viruses are present, and only then load it onto your server.
FURTHER READING: Learn more about ransomware, and how health care providers are being targeted:
Guidance on public disclosure of breach: