3 Controls to Prepare Your Practice for a Ransomware Attack

Using EHRs in physician practices can mean greater efficiency, cost-effectiveness, and better service for patients. But, as with life, you must take the good with the bad. The bad here, says Jim Kelton, Managing Principal, Costa Mesa, Calif-based Altius IT, is the risk that your practice could be the victim of a ransomware attack, such as the WannaCry virus that has affected 300,000 victims in 150 countries, according to CNBC.

Ransomware viruses work by locking down computer files and demanding payment for the release of those files. Lee Kim, director of privacy and security for the Health Information Management and Systems Society (HIMSS), says small- and medium-sized physician practices can't afford to ignore WannaCry or other ransomware viruses - if for no other reason than their vital role as the primary coordinators of patient care or critical specialist services.

The first step is knowing your security risks, says Kelton. Once you've determined those risks, you need to assign someone to address them. The practice needs a security officer, which is required by HIPAA, he adds. This person identifies the types of controls that can be implemented against security risks.

There are three types of controls a practice needs to have in place, says Kelton. These include:

Preventative controls. Effective passwords and screensavers on computers can help, as can ensuring that all systems are updated with patches from software vendors. Also important is coaching staff members to not divulge passwords to a potential hacker who calls the office, adds Kelton.

And here's a scenario that your practice might not have considered: A hacker enters your practice and plugs a thumb drive into one of your computers, thus, possibly infecting your entire network, says Kelton. The practice needs to be aware that this could happen and it should have an action plan in place, he advises.

While annual security training is helpful, it's not enough, he adds. Staff members need reminders about the importance of security throughout the year in internal newsletters, on posters in the breakroom, or in e-mail reminders to staff members.

Detective controls. If your practice has been hit by a ransomware attack, you need to determine immediately if the attack has been isolated to a single computer. If that's the case, you can remove that workstation from the network so the virus doesn't spread to other computers, advises Kelton.

Corrective controls. If you were unable to prevent an attack, the primary concern is getting systems up and running again, says Kelton. He recommends that physician practices create an archiving system that retains files from the previous day, but also as far back as three weeks or even to the beginning of the year - that's because the system might have been compromised that long ago, but you didn't even realize it.

Security awareness in the healthcare ecosystem is key. “The healthcare industry is only as secure as its weakest link,” writes Kim in a recent blog post that summarizes the findings of the Health Care Industry Cybersecurity Taskforce, which released its report to the U.S. Congress this month.

That's because, as the healthcare industry strives to increase interoperability, “cybersecurity remains top of mind….if there are 'weak leaks' in the 'connected' healthcare ecosystem, these constituents pose a risk not only to themselves, but also to others that connect to them,” she adds.