
MEDICAL TECHNOLOGY

of currency, to obtain the decryption key and regain access to records. When smaller shops are the target, the perpetrators adjust their ransom demands accordingly.

As Mr. Southrey explains, "Usually the ransom is reasonable because they know if it's too expensive, the practice is not going to pay it.

"In general, when we do our risk assessments for medical practices, we find privacy and security vulnerabilities, and they're not even aware of these vulnerabilities," he said. "They're a target because cyber criminals know that they don't have those resources like some organizations do. … They're kind of a training ground, or as some commentators have stated, 'low-hanging fruit' for cyber criminals to be able to get into their systems. And it's a quick buck for these cyber criminals if their ransom demand is reasonable, such as $500 or $600."

Part of the problem stems from small-practice physicians either not being aware of the pervasiveness of cyber threats or believing their operation isn't large enough to interest hackers. Patrick Casey, then-meaningful use and quality assurance specialist for the North Texas Regional Extension Center (NTREC), said in May there hadn't been any inquiries from physician practices about protecting themselves from ransomware. NTREC, scheduled to close in June, assisted small practices in transitioning to EHRs and also performed security risk assessments.

Mr. Casey says many physicians have "an overconfidence … in technical solutions. They usually believe a certified EHR system completely takes care of security for them," he said, adding that most small practices "don't think they're interesting enough to be attacked in any sense."

"There is very little awareness of the issue and there's very substantial overconfidence that somebody else, like their EHR vendor or IT contractor, is taking care of this for them. It doesn't surprise me that they're usually not worried about it. The only time they're worried about it is when they get hit or when they get audited [for meaningful use or HIPAA compliance]. And so far, nobody who's gotten hit has given us a call."

Protecting Yourself

Common vulnerabilities TMLT has identified include out-of-date data security, careless use of passwords, and outdated computer systems.

Prevention of a ransomware attack starts with strong data security training for staff, IT security, and making sure backup data exists. Malware often infects a practice's computer system when someone in the office unknowingly opens an infected email attachment or clicks on an infected link.

TMA recommends physicians back up their computer systems regularly to an external drive or a backup service, such as a cloud service provider. Physicians should equip computers with reputable anti-malware software and a firewall to help detect threats. TMA also recommends practices set up their email accounts to deny emails with executable file attachments, patch or update their software regularly, and enable automatic software updates.

"It's really having that backup and then good patch management, making sure that you do all your updates. You don't use end-of-life systems like Windows XP or a Windows Server 2003 because it's not supported anymore by Microsoft," Mr. Southrey said.

TMA Practice Consulting offers HIPAA compliance assessments that evaluate the strength of a practice's cyber security. Abilene family physician D. Allen Schultz, MD, a member of the Ad Hoc Committee on HIT, calls ransomware "a likely threat of severe intensity."

"You really assess threats two ways: Is it likely, and how severe would it be if it occurred?" he said. "I think that it is likely and that the damage would be severe. I'm very concerned about that and interested in making sure that we've got good firewalls and try not to use any of my office computers for surfing the Web or downloading email or anything like that."

Dr. Murray says, along with a backup of EHR data, the most effective, foolproof protection against a ransomware attack is the ability to quickly restore the EHR and its data.

"If the practice can do that, they will not have to pay a ransom, and the impact on patient care can be minimized if the backup and restore tools and processes are effective," he said. But he says no system is completely cyber attack-proof, and physicians must have a business continuity plan for technology downtimes or disasters. The primary focus of a preventive strategy, he says, should be to ensure a degree of clinical continuity when the EHR system goes down.

"Physician practices should understand the tools and processes that are in place to back up and restore the [EHR] in the event of a disaster and to make sure they get tested. I emphasize again, to make sure they get tested," Dr. Murray said. "The first time a physician discovers that it will take a week to restore their [EHR] should not be after a real disaster strikes. Instead, the practice and their vendor should periodically undertake a disaster drill to test the backup and restore tools and processes."

Just Pay Up?

After an attack does happen, giving in to the criminals and paying the ransom to restore access is hardly an ideal solution. However, some hacked hospitals, including Hollywood Presbyterian, have done so.

"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Hollywood Presbyterian then-Chief Executive Officer Allen Stefanek told the Los Angeles Times. "In the best interest of restoring normal operations, we did this."

Mr. Southrey and others point out there is also a risk in paying the ransom. Although they'll get their data back in most cases, Mr. Southrey says, there's no guarantee they will. Also, hackers could

                                                                                                                                           continued on page 16

                                                                                                                             visit us at www.bcms.org 15