Page 15 - Layout 1

P. 15

MEDICAL
TECHNOLOGY

of currency, to obtain the decryption key and regain access to emails with executable file attachments, patch or update their soft-
records. When smaller shops are the target, the perpetrators adjust ware regularly, and enable automatic software updates.
their ransom demands accordingly.
"It's really having that backup and then good patch management,
As Mr. Southrey explains, "Usually the ransom is reasonable be- making sure that you do all your updates. You don't use end-of-life
cause they know if it's too expensive, the practice is not going to systems like Windows XP or a Windows Server 2003 because it's
pay it. not supported anymore by Microsoft," Mr. Southrey said.

"In general, when we do our risk assessments for medical prac- TMA Practice Consulting offers HIPAA compliance assessments
tices, we find privacy and security vulnerabilities, and they're not that evaluate the strength of a practice's cyber security. Abilene fam-
even aware of these vulnerabilities," he said. "They're a target be- ily physician D. Allen Schultz, MD, a member of the Ad Hoc Com-
cause cyber criminals know that they don't have those resources like mittee on HIT, calls ransomware "a likely threat of severe intensity."
some organizations do. … They're kind of a training ground, or as
some commentators have stated, 'low-hanging fruit' for cyber crim- "You really assess threats two ways: Is it likely, and how severe
inals to be able to get into their systems. And it's a quick buck for would it be if it occurred?" he said. "I think that it is likely and that
these cyber criminals if their ransom demand is reasonable, such as the damage would be severe. I'm very concerned about that and in-
$500 or $600." terested in making sure that we've got good firewalls and try not to
use any of my office computers for surfing the Web or downloading
Part of the problem stems from small-practice physicians either email or anything like that."
not being aware of the pervasiveness of cyber threats or believing
their operation isn't large enough to interest hackers. Patrick Casey, Dr. Murray says, along with a backup of EHR data, the most ef-
then-meaningful use and quality assurance specialist for the North fective, foolproof protection against a ransomware attack is the abil-
Texas Regional Extension Center (NTREC), said in May there had- ity to quickly restore the EHR and its data.
n't been any inquiries from physician practices about protecting
themselves from ransomware. NTREC, scheduled to close in June, "If the practice can do that, they will not have to pay a ransom,
assisted small practices in transitioning to EHRs and also performed and the impact on patient care can be minimized if the backup
security risk assessments. and restore tools and processes are effective," he said. But he says
no system is completely cyber attack-proof, and physicians must
Mr. Casey says many physicians have "an overconfidence … in have a business continuity plan for technology downtimes or dis-
technical solutions. They usually believe a certified EHR system asters. The primary focus of a preventive strategy, he says, should
completely takes care of security for them," he said, adding that be to ensure a degree of clinical continuity when the EHR system
most small practices "don't think they're interesting enough to be goes down.
attacked in any sense."
"Physician practices should understand the tools and processes
"There is very little awareness of the issue and there's very sub- that are in place to back up and restore the [EHR] in the event of
stantial overconfidence that somebody else, like their EHR vendor a disaster and to make sure they get tested. I emphasize again, to
or IT contractor, is taking care of this for them. It doesn't surprise make sure they get tested," Dr. Murray said. "The first time a physi-
me that they're usually not worried about it. The only time they're cian discovers that it will take a week to restore their [EHR] should
worried about it is when they get hit or when they get audited [for not be after a real disaster strikes. Instead, the practice and their
meaningful use or HIPAA compliance]. And so far, nobody who's vendor should periodically undertake a disaster drill to test the
gotten hit has given us a call." backup and restore tools and processes."

Protecting Yourself Just Pay Up?
Common vulnerabilities TMLT has identified include out-of- After an attack does happen, giving in to
the criminals and paying the ransom to re-
date data security, careless use of passwords, and outdated com- store access is hardly an ideal solution.
puter systems. However, some hacked hospitals, includ-
ing Hollywood Presbyterian, have done so.
Prevention of a ransomware attack starts with strong data security "The quickest and most efficient way to
training for staff, IT security, and making sure backup data exists.
Malware often infects a practice's computer system when someone restore our systems and administrative func-
in the office unknowingly opens an infected email attachment or tions was to pay the ransom and obtain the decryption key," Holly-
clicks on an infected link. wood Presbyterian then-Chief Executive Officer Allen Stefanek
told the Los Angeles Times. "In the best interest of restoring nor-
TMA recommends physicians back up their computer systems mal operations, we did this."
regularly to an external drive or a backup service, such as a cloud
service provider. Physicians should equip computers with reputable Mr. Southrey and others point out there is also a risk in paying the
anti-malware software and a firewall to help detect threats. TMA ransom. Although they'll get their data back in most cases, Mr.
also recommends practices set up their email accounts to deny Southrey says, there's no guarantee they will. Also, hackers could

continued on page 16

visit us at www.bcms.org 15

10 11 12 13 14 15 16 17 18 19 20