Ransomware and Your Rheumatology Practice

Rheumatology Practice Management October 2018 Vol 6 No 5 - Best Practices
Reuben A. Allen III, MBA


The National Organization of Rheumatology Managers recently visited Tampa, FL. Not only does this city have the Tampa Bay Buccaneers National Football League team, they also celebrate Tampa’s most famous pirate, José Gaspar, at the Gasparilla Festival. The parade to honor José Gaspar features pirates sailing into Tampa Bay and coming ashore to demand the keys to the city from the mayor.

Why am I talking about pirates in an article about the business of medicine? Because there are new pirates trying to take the keys to your practice. These pirates do not dress the part or sail the seas looking for their next target to plunder; they hide on the internet taking control of your practice data until you pay their bounty. They will never be seen, but will wreak havoc on your practice and your ability to care for your patients. The José Gaspars of today are Internet pirates infecting your computer systems with ransomware.

Ransomware is a type of malware that attempts to deny access to a user’s data, usually by encrypting the data with an encryption key until a ransom is paid.1,2 The ransom is usually requested in cryptocurrency such as bitcoin.1

Preventive Measures

We have all read about—and some of us have been affected by—ransomware attacks on our electronic health record (EHR) systems, laboratory service providers, medical devices, and practice servers. Your office needs to be prepared to fend off the pirates of the Internet. Some actions that your practice can take include:

  • Have a Strong Password Policy
    It is imperative to have a comprehensive policy to ensure that strong passwords are consistently used and changed. This applies not only to your practice systems but to any third-party systems that have access to your servers.
  • Educate Your Staff
    Proper education of your staff is the best defense against information security breaches. Most ransomware infiltrates systems through an e-mail link or a social media download.1 Your staff should receive information security training a minimum of once a year. Your information technology staff, vendor, or third-party vendors can send your employees malware simulations and then report back on the users who open the links, allowing for need- and user-specific training.
  • Back Up Your Files
    You need to have backup files of all systems. These backups need to be performed often (a minimum of once daily), and kept offsite. You must also verify the integrity of the backup files.
  • Perform Updates
    All computers, servers, and device software need to be kept up-to-date at all times, including all off-site computers that will have access to your systems. Have policies and controls in place to ensure that all systems are updated with the latest operating system and antivirus software.
  • Be Diligent
    The internet pirates are constantly updating their methods of attack. Their latest method is a “fileless” malware, which is more difficult to detect.1 Consistent review of all systems, policies, and training is imperative.
  • Communicate with Your Vendors
    Any device or system that has access to your server needs to be reviewed. Ask your vendor how electronic protected health information (PHI) is being stored and protected. Is there a firewall between your EHR and your other systems? What is your EHR vendor’s continuity plan in case of an attack? Your vendors may also have educational opportunities available for your staff.
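The "Back Up Your Files" item asks for daily backups whose integrity is verified. The script below is an added example, not code from the article or from any vendor it mentions: it records a SHA-256 manifest when a backup is taken and later checks each file from the offsite copy for corruption, absence, or staleness (older than 24 hours). The directory layout, the `SHA256SUMS` manifest name, and the sample backup files in `demo()` are assumptions constructed for illustration.

```python
"""Verify nightly practice backups: checksum manifest plus freshness check.

Added example, not from the article. Assumes a backup directory holding the
backup files and a manifest file `SHA256SUMS` written when the backup ran.
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

MAX_AGE_HOURS = 24  # the article's "minimum of once daily" requirement


def sha256_of(path):
    """Stream a file through SHA-256 so large database dumps fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, manifest_name="SHA256SUMS"):
    """Record a checksum for every backup file; run this right after each backup.

    Returns the number of files recorded.
    """
    backup_dir = Path(backup_dir)
    lines = []
    for p in sorted(backup_dir.iterdir()):
        if p.name == manifest_name or not p.is_file():
            continue
        lines.append(f"{sha256_of(p)}  {p.name}")  # same layout as sha256sum output
    (backup_dir / manifest_name).write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_backups(backup_dir, manifest_name="SHA256SUMS", now=None,
                   max_age_hours=MAX_AGE_HOURS):
    """Return a dict of problems found, keyed "corrupted", "missing", "stale".

    Intended to run against the offsite copy: a file that was altered or
    encrypted after the manifest was written shows up as a checksum mismatch,
    and a backup job that silently stopped shows up as a stale file.
    """
    backup_dir = Path(backup_dir)
    now = time.time() if now is None else now
    problems = {"corrupted": [], "missing": [], "stale": []}
    manifest = backup_dir / manifest_name
    if not manifest.exists():
        problems["missing"].append(manifest_name)
        return problems
    for line in manifest.read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        p = backup_dir / name
        if not p.exists():
            problems["missing"].append(name)
            continue
        if sha256_of(p) != expected:
            problems["corrupted"].append(name)
        if now - p.stat().st_mtime > max_age_hours * 3600:
            problems["stale"].append(name)
    return problems


def is_healthy(problems):
    """True only when no category reported a file."""
    return not any(problems.values())


def demo():
    """Constructed sample: two backup files, verified clean, then one is
    overwritten and the other left untouched for three days."""
    d = Path(tempfile.mkdtemp())
    try:
        (d / "ehr-db.sql.gz").write_bytes(b"constructed EHR database dump")
        (d / "schedule.csv").write_bytes(b"date,patient\n2018-10-01,constructed\n")
        write_manifest(d)
        clean = verify_backups(d)
        # Simulate the dump being overwritten (e.g. encrypted) after backup time.
        (d / "ehr-db.sql.gz").write_bytes(b"constructed: contents replaced")
        # Simulate a schedule export whose backup job stopped running.
        old = time.time() - 3 * 24 * 3600
        os.utime(d / "schedule.csv", (old, old))
        tampered = verify_backups(d)
        return clean, tampered
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    clean, tampered = demo()
    print("fresh backup healthy:", is_healthy(clean))
    print("after tampering:", tampered)
```

Run `write_manifest` from the backup job and `verify_backups` from a separate scheduled task on the offsite copy; a non-empty result is the signal to investigate before the next business day, not after an attack has already made the backups necessary.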

Incident Response

It is impossible to completely protect yourself from an attack, but you can create response plans if your system becomes compromised. Here are a few ideas to consider when developing an incident response strategy for your practice:

  • Disaster Recovery Plan
    How will you get your systems back online and who is responsible for this task?
  • Business Continuity Plan
    Many practices have been unable to see patients after their systems have been compromised. How will you continue to practice while instituting your disaster recovery plan? How will your practice access appointment schedules and patient records in the event of a ransomware attack? There are software programs available that will work with many EHR systems to help perform an individualized risk assessment.3 Some programs will download your appointment list and patient records daily to a desktop computer appointment application.
    The burden of proof is on your practice regarding whether your electronic PHI has been compromised.2
  • Cyber Liability and Business Disruption Insurance
    Review with your insurance carrier what your current policies cover and whether you need additional insurance. You must know your responsibilities if your electronic PHI has been breached by ransomware. There are many resources available, but the ransomware fact sheet from the US Department of Health & Human Services website is a good starting point to determine your responsibilities.2

José Gaspar, Tampa’s most famous pirate, sailed the Gulf of Mexico attacking innocent ships, while the pirates of the Internet will try to get their bounty from your practice. Be ready to prevent these pirate attacks so you can continue to give your patients high-quality care without interruption. To borrow from a pirate’s vocabulary, give them no quarter, and show them no mercy or clemency!


  1. Federal Bureau of Investigation. Incidents of ransomware on the rise: protect yourself and your organization. April 29, 2016. Accessed September 7, 2018.
  2. US Department of Health & Human Services. Fact sheet: ransomware and HIPAA. July 11, 2016. Accessed September 7, 2018.
  3. The National Coordinator for Health Information Technology. Security risk assessment tool. September 20, 2017. Accessed September 7, 2018.
Last modified: November 2, 2018