The National Organization of Rheumatology Managers recently visited Tampa, FL. Not only does this city have the Tampa Bay Buccaneers National Football League team, they also celebrate Tampa’s most famous pirate, José Gaspar, at the Gasparilla Festival. The parade to honor José Gaspar features pirates sailing into Tampa Bay and coming ashore to demand the keys to the city from the mayor.
Why am I talking about pirates in an article about the business of medicine? Because there are new pirates trying to take the keys to your practice. These pirates do not dress the part or sail the seas looking for their next target to plunder; they hide on the internet taking control of your practice data until you pay their bounty. They will never be seen, but will wreak havoc on your practice and your ability to care for your patients. The José Gaspars of today are Internet pirates infecting your computer systems with ransomware.
Ransomware is a type of malware that attempts to deny access to a user’s data, usually by encrypting the data with an encryption key until a ransom is paid [1,2]. The ransom is usually requested in cryptocurrency such as bitcoin [1].
We have all read about—and some of us have been affected by—ransomware attacks on our electronic health record (EHR) systems, laboratory service providers, medical devices, and practice servers. Your office needs to be prepared to fend off the pirates of the Internet. Some actions that your practice can take include:
- Have a Strong Password Policy
It is imperative to have a comprehensive policy to ensure that strong passwords are consistently used and changed. This applies not only to your practice systems but to any third-party systems that have access to your servers.
- Educate Your Staff
Proper education of your staff is the best defense against information security breaches. Most ransomware infiltrates systems through an e-mail link or a social media download [1]. Your staff should receive information security training a minimum of once a year. Your information technology staff, vendor, or third-party vendors can send your employees malware simulations and then report back on the users who open the links, allowing for need- and user-specific training.
- Back Up Your Files
You need to have backup files of all systems. These backups need to be performed often (a minimum of once daily), and kept offsite. You must also verify the integrity of the backup files.
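The integrity check called for above is easy to skip because a backup that exists is not the same as a backup that still matches what was copied. The following is an added example, not code from the article or from any EHR vendor: it records a SHA-256 digest for every file in a backup directory, saves that manifest, and later reports files that are missing, modified, or unexpected. The backup directory, file names, and contents are constructed for illustration.

```python
"""Verify backup integrity with a SHA-256 manifest.

Added example, not part of the original article. Directory and file
names below are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB chunks so large backups are not loaded whole


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the files under root against a previously saved manifest.

    Returns the files that are missing, modified (digest mismatch) or
    unexpected (on disk but absent from the manifest). A clean backup has
    all three lists empty and ok == True.
    """
    current = build_manifest(root)
    missing = sorted(name for name in manifest if name not in current)
    unexpected = sorted(name for name in current if name not in manifest)
    modified = sorted(
        name for name in manifest
        if name in current and current[name] != manifest[name]
    )
    return {
        "ok": not (missing or modified or unexpected),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Build a constructed sample backup, save its manifest, then damage it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup-2018-09-07"  # constructed backup set name
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "ehr.sql").write_bytes(b"-- constructed sample dump\n" * 100)
        (backup / "schedule.csv").write_text("date,patient_id\n2018-09-07,0001\n")

        manifest = build_manifest(backup)
        manifest_path = Path(tmp) / "backup-2018-09-07.manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # A later verification job re-reads the saved manifest and checks the copy.
        saved = json.loads(manifest_path.read_text())
        clean = verify_manifest(backup, saved)

        # Simulate silent corruption of one file and the loss of another.
        (backup / "db" / "ehr.sql").write_bytes(b"garbage")
        (backup / "schedule.csv").unlink()
        damaged = verify_manifest(backup, saved)

    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest build immediately after each daily backup completes and the verification before the backup is relied on. Keep the manifest on media separate from the backup itself: an intruder who can encrypt the backup can just as easily rewrite a manifest stored beside it, so an offline or signed copy of the manifest is what makes the check meaningful.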
- Perform Updates
All computers, servers, and device software need to be kept up-to-date at all times, including all off-site computers that will have access to your systems. Have policies and controls in place to ensure that all systems are updated with the latest operating system and antivirus software.
- Be Diligent
The internet pirates are constantly updating their methods of attack. Their latest method is a “fileless” malware, which is more difficult to detect [1]. Consistent review of all systems, policies, and training is imperative.
- Communicate with Your Vendors
Any device or system that has access to your server needs to be reviewed. Ask your vendor how electronic protected health information (PHI) is being stored and protected. Is there a firewall between your EHR and your other systems? What is your EHR vendor’s continuity plan in case of an attack? Your vendors may also have educational opportunities available for your staff.
It is impossible to completely protect yourself from an attack, but you can create response plans if your system becomes compromised. Here are a few ideas to consider when developing an incident response strategy for your practice:
- Disaster Recovery Plan
How will you get your systems back online and who is responsible for this task?
- Business Continuity Plan
Many practices have been unable to see patients after their systems have been compromised. How will you continue to practice while instituting your disaster recovery plan? How will your practice access appointment schedules and patient records in the event of a ransomware attack? There are software programs available that will work with many EHR systems to help perform an individualized risk assessment [3]. Some programs will download your appointment list and patient records daily to a desktop computer appointment application.
The burden of proof is on your practice regarding whether your electronic PHI has been compromised [2].
- Cyber Liability and Business Disruption Insurance
Review with your insurance carrier what your current policies cover and whether you need additional insurance. You must know your responsibilities if your electronic PHI has been breached by ransomware. There are many resources available, but the ransomware fact sheet from the US Department of Health & Human Services website is a good starting point to determine your responsibilities [2].
José Gaspar, Tampa’s most famous pirate, sailed the Gulf of Mexico attacking innocent ships, while the pirates of the Internet will try to get their bounty from your practice. Be ready to prevent these pirate attacks so you can continue to give your patients high-quality care without interruption. To borrow from a pirate’s vocabulary, give them no quarter, and show them no mercy or clemency!
1. Federal Bureau of Investigation. Incidents of ransomware on the rise: protect yourself and your organization. April 29, 2016. www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise. Accessed September 7, 2018.
2. US Department of Health & Human Services. Fact sheet: ransomware and HIPAA. July 11, 2016. www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf. Accessed September 7, 2018.
3. The National Coordinator for Health Information Technology. Security risk assessment tool. September 20, 2017. www.healthit.gov/topic/privacy-security/security-risk-assessment-tool. Accessed September 7, 2018.