As you read this, malicious hackers are scanning the web for practices with lax computer security to steal valuable data
The message flashed on the computer screen in front of the startled doctor. “We have your data and will release it once you send us $500 in Bitcoin.” After a frantic call to IT support and a second $500 Bitcoin deposit, the doctor learned that all of his practice data, including billing records, documentation and appointment schedules, was gone, never to be returned.
A cybercriminal’s dream
Your practice is not just vulnerable to a ransomware attack — it is an active target. The personal information contained in your electronic records holds tremendous value on the black market. One reason it is so valuable is that it can be used to develop whole new identities through identity theft.
Ransomware is a particularly malicious form of software attack that poses a serious threat to all health care organizations. Chiropractic practices are an especially attractive target because they hold the mother lode of data, including patient financial information, addresses, Social Security numbers, health care information and, at times, driver’s license and credit card information. It is a cybercriminal’s dream and every doctor’s Health Insurance Portability and Accountability Act (HIPAA) security breach nightmare.
While hospitals and larger health care organizations typically have entire departments staffed with employees who police their privacy protection and ensure their software is up to date, this is not the case in most physicians’ offices. Doctors typically don’t get very involved in this part of their practice, and as a result their security systems are often very poor. Their nephew or local IT provider is running their server without any knowledge of HIPAA security requirements. When a hack leads to a data breach, physicians’ offices are far less protected and prepared.
At significant cost
The loss of your data to ransomware means reverting to paper, ink and telephones to coordinate care. Without your digital appointment schedule, keeping track of current and missed appointments becomes a guessing game. Patients must be asked to update their insurance information and new examinations must be scheduled for all active patients. The cost to a practice in lost revenue and additional staff hours can be staggering. In the event of a breach of unencrypted patient information, reporting requirements can include patient notification, publication of the breach in local news sources and on your website, and informing the Department of Health and Human Services of the occurrence. The damage to your good reputation can be difficult to recover from, if not irreparable.
There are many tactics that can make a significant difference in the security of your data and in how prepared you will be in the case of an attack. However, the most significant challenge for most chiropractors is willpower. Many practices do not address information security simply because they view it as too big to handle. Taking a common-sense approach and putting the required systems in place is not that difficult. This is not the time to hope the problem will disappear or that the odds of your data being held hostage are too small to matter.
The “internet of things” introduces another vulnerability to your data. It is now common for equipment such as x-ray machines, monitors and scanners to have operating systems that can be hacked, especially when connected through your Wi-Fi network. These devices can provide a portal to infiltrate your entire system. They are sitting ducks for ransomware.
Prepare your cyber defenses
Preparing for a cyber attack is similar to delivering patient care. The ideal approach blends a dose of prevention with tools for an acute response. In most cases, this doesn’t have to be expensive and doesn’t require sophisticated software. Begin by working with your existing connections. Contact your EHR provider and other vendors and ask them questions. The HIPAA Security Rule can also provide guidance.
The roadmap for security improvement starts with education. After all, ransomware usually requires someone to click on a malicious link in order to unleash the software onto your network. When your employees learn and understand the dangers, they can become your first line of defense. Teach your staff to stop risky online behavior, even when a link looks like it is from a familiar place, like a Facebook post or an important document. It is unrealistic to think that your staff is going to stop emailing or posting on social media. However, you must have a realistic policy. Every member of your practice team must be educated about the risks of ransomware, email and social media.
Once the education piece has been accomplished, technical preparation is the next step. Information isolation is a key principle. If your sensitive information is housed on a server, it must be safeguarded behind a firewall between the server and the broader internet. Any electronic communication with patients should be through an encrypted portal or other forms of secure messaging and not through general email. Gmail and other similar email programs are not HIPAA secure. Installing anti-malware and anti-virus software on both computers and printers can also help.
If disaster strikes and you become a victim of a ransomware attack, having backup files is the key to recovery. You may not pay the ransom, but you will likely still have to restore your data. Several companies offer real-time backup stored in a remote location. If you back up your data on external hard drives, regularly check the integrity of the data to ensure that it hasn’t been compromised. If your patient data is stored in the cloud, check with your service provider to determine if they have their own backup restoration options.
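One way to put the “regularly check the integrity of the data” advice into practice for an external-drive backup is to record a hash of every backed-up file and compare against it later. The script below is an added example, not part of the original article; the folder names and file contents are constructed for the demonstration, and the manifest is assumed to be kept somewhere the backup media cannot reach, since a manifest stored beside the backup could be altered along with it.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large backups do not exhaust memory


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file's path (relative to the backup root) to its SHA-256 digest.
    Assumption: the caller stores this manifest off the backup media (printed,
    or on separate offline storage) so an attacker cannot rewrite it too."""
    return {p.relative_to(backup_root).as_posix(): file_sha256(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Report files whose contents changed, vanished, or appeared since the manifest
    was taken. A backup drive that was mounted while ransomware ran shows up as a
    long 'modified' list (every file rewritten) plus 'unexpected' entries (notes
    dropped into folders), which tells you not to trust that copy for restoration."""
    current = build_manifest(backup_root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def run_demo() -> dict:
    """Constructed sample: a tiny backup tree, a manifest, then simulated damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "billing").mkdir()
        (root / "schedule").mkdir()
        (root / "billing" / "claims_2019.csv").write_text("claim,amount\n1001,85.00\n")
        (root / "schedule" / "monday.ics").write_text("BEGIN:VCALENDAR\nEND:VCALENDAR\n")
        manifest = build_manifest(root)  # taken right after the backup was made
        # constructed damage: one file overwritten in place, one deleted, one note dropped
        (root / "billing" / "claims_2019.csv").write_bytes(b"\x00not-a-csv-anymore")
        (root / "schedule" / "monday.ics").unlink()
        (root / "schedule" / "README_RESTORE.txt").write_text("constructed ransom note")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(run_demo())
```

Run `build_manifest` immediately after each backup and `verify_backup` before you rely on that backup for a restore; an empty report means the copy still matches what you wrote.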
One of the most effective safeguards is also the simplest: all major operating systems, such as Windows, and anti-virus add-on programs regularly supply security updates. Many practices forget to apply them. Be sure your operating system and antivirus software are up to date. If they are, even if you click on a piece of ransomware, the program is not going to run without permission.
When we all kept patient records on charts in file cabinets, we locked the cabinets and didn’t leave the doors open. Consider these procedures the new locking of your doors.
Mark Sanna, DC, ACRB Level II, FICC, is a member of the Chiropractic Summit and a board member of the Foundation for Chiropractic Progress. He is the president and CEO of Breakthrough Coaching and can be contacted at mybreakthrough.com or 800-723-8423.