Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
The increasing prevalence of organizations’ data being held hostage until ransom is paid should cause physicians and all holders of PHI to have a “Plan B.”
“A hospital in Los Angeles has been operating without access to email or electronic health records for more than a week, after hackers took over its computer systems and demanded millions of dollars in ransom to return it,” according to an article in The Atlantic.
In February 2016, hackers broke into Hollywood Presbyterian Medical Center’s servers, froze access to the medical records, and demanded several million dollars in order to restore access to the data. Ultimately, the hospital paid nearly $17,000 in bitcoin to get the data back. Usually, the amount demanded is small, between $300 and $3,000; however, when organizations realize that they hold a lot of protected health information (PHI), the stakes may be higher, as Hollywood Presbyterian Medical Center’s experience demonstrates.
This scenario is not a hypothetical. It is a frightening reality and should give all providers a “wake-up” call as to what they would do in the event of an attack. How is this type of attack executed in the first place? Basically, there are two ways: (1) an external hacker infiltrates the system and encrypts the data, making it impossible for others to read it because they do not have the decryption “key”; and (2) a user clicks on an infected link, usually present in an email, and the resulting malware or virus spreads onto the healthcare provider’s network. Now that the potential sources of the attack have been identified, two other crucial questions need to be addressed. First, how can future attacks be prevented and, second, what should be included in policies and procedures to make sure that the quality of patient care and communication is not affected?
The best line of defense against this type of attack includes security training on a regular basis and making sure you are complying with HIPAA and the HITECH Act in relation to the technical, administrative, and physical requirements of the privacy, security and breach notification rules. These requirements relate to protecting the confidentiality, integrity and availability of the data, and to making sure security software patches are installed regularly and promptly when they become available. The crucial nexus between preventing and reacting to a ransomware attack is adequate policies and procedures.
Physicians need to work with IT providers to make sure that adequate “Plan B” options are in place. Here are some crucial areas that should be addressed:
1. Do the policies and procedures adequately address this type of event in the Disaster Recovery Plan?
2. Where is the data backed up and is it connected to the same IT infrastructure?
3. Is a paper hard copy of basic patient information kept separately and securely?
4. What is the emergency plan if records cannot be accessed (e.g., are intake forms available; is a separate, secure fax line available; are paper record templates ready to go, and what is the patient coordination plan)?
5. Is the secure text messaging system separate from the medical database, so that it remains uncompromised when the database is?
This process is not something that can be implemented overnight - it takes pre-planning. In the event that this happens, the first step should be to call law enforcement and report the incident. Second, policies and procedures should be in place to ensure the continuity of patient care. Finally, if handwritten notes and faxes need to be used, then a company needs to be hired to scan the items into the EHR after the system has been restored. Being proactive can save a lot of time and money, while keeping the focus on the patient.