MEDICAL TECHNOLOGY

continued from page 15

breach the data themselves in addition to locking the practitioner out of it. He says if the hackers do breach the data, the practice may never receive confirmation they deleted it once they handed over the encryption key. A hacker who still has access to the data could use it for other criminal purposes.

Kansas Heart Hospital in Wichita learned the hard way hackers aren't always true to their word. The hospital sustained an attack on its files and paid an undisclosed ransom. But the hackers didn't give the hospital full access to its files, instead demanding a second payment. Kansas Heart said it refused to pay the second time, with hospital President Gregory Duick, MD, saying the institution decided paying the ransom was "no longer … a wise maneuver or strategy," according to a news report. Dr. Duick said the hospital had a plan in place for such an attack and put it into action, and that "patient information was never jeopardized" as a result of the hack.

An FBI agent made news in security circles when he reportedly told an audience at a Boston cyber security conference some malware is so uncrackable that "to be honest, we often advise people just to pay the ransom." Joseph Bonavolonta, assistant special agent in charge of the FBI's CYBER and Counterintelligence program in its Boston office, told the conference, according to news website The Security Ledger, "The ransomware is that good." Mr. Bonavolonta said while victims of ransomware should contact the FBI, the bureau had been unable to crack the encryptions of some types of malware, adding "the easiest thing to do may be to just pay the ransom."

But in a blog post on the ransomware threat, the FBI said it doesn't recommend doing so.

"Paying a ransom doesn't guarantee an organization that it will get its data back. We've seen cases where organizations never got a decryption key after having paid the ransom," James Trainor, assistant director of the FBI's Cyber Division, wrote in the blog post. "Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals."

The FBI recommends organizations focus on prevention — having both employee awareness and technical controls in place — and creating a solid business continuity plan to act on if an attack does happen.

Increasing Support

TMA plans to raise awareness of the threat of ransomware and help physicians manage all security and technology risks. The Ad Hoc Committee on HIT is keeping its eye on the development of the SECURETexas certification program, one potential cyber security risk-mitigation avenue.

In 2011, the Texas Legislature passed House Bill 300 by then-Rep. Lois Kolkhorst (R-Brenham). The legislation mandated the creation of a state compliance certification program. As a result of the bill, the Texas Health Services Authority contracted with the Health Information Trust Alliance to develop SECURETexas. According to HB 300, certification would be a mitigating factor if a physician violates the Texas Medical Records Privacy Act, potentially leading to reduced civil or administrative penalties in the event of a data breach.

Family medicine physician James Stefan Walker, MD, a member of the Ad Hoc Committee on HIT, beta-tested a small-practice version of the program using his practice, Corpus Christi Medical Associates, and reported back to the committee.

Through those reports, Dr. Murray said, "We see that there is a lot of value that can be gained by the practice as they have to go through the certification process. But we also see that more work is needed to further simplify the process. Our goal is to have a certification program that uses a security risk analysis process and provides a risk management plan that is designed specifically for a physician practice, is cost-effective, is feasible to achieve without straining physician and staff time, and is able to provide value by reducing and managing technology risks, including ransomware attacks."

In many organizations, large and small, Mr. Casey says, "The attitude is, 'What do I need to do to comply with the law?' not 'What do I need to do to protect my patients' data and my patients?' They don't yet have that thought."

"Honestly, I don't want doctors having to become experts in HIT security. They've got enough on their plate to be doctors," he said. "We have to find a way to continue to and even increase the support that we make available to the health care community."

Large hospital systems, he adds, "can probably afford a chief information security officer who does nothing but … worry about security and get monitoring software and all that kind of jazz. Those resources can be made available to every small practice associated with that hospital; otherwise, security expertise and support are not available to the independent practices in the ambulatory community."

Joey Berlin can be reached by phone at (800) 880-1300, ext. 1393.

16 San Antonio Medicine • November 2017