Imagine arriving at your office bright and early one Monday morning only to learn you are unable to access your practice's electronic health record (EHR) system. Your system has been hacked, locking you out of all your data, including patient charts, radiographs, billing, and claims. To make matters worse, you receive a notice that you must pay thousands of dollars to retrieve this information.
Unfortunately, ransomware scenarios such as these are happening with increasing frequency to hospitals and medical providers. For advice on what to do when a ransomware attack occurs, I spoke with Michael J. Sacopulos, JD, chief executive officer of Medical Risk Institute.
Dr. Marks: What options do medical practices have for restoring their data after a ransomware attack?
Mr. Sacopulos: Medical practices that have been victimized by a ransomware attack unfortunately have few options. Those that perform frequent back-ups of their data may be able to restore their systems with minimal data loss. However, many practices do not have the option of restoring their data from a current back-up.
Medical practices are legally obligated to maintain and safeguard their patients' information. Although a practice could theoretically reset its system's settings to default and lose all data, this is not practical or legal. Paying the ransomware demand is a medical practice's only option for meeting its legal obligation to protect the safety of its patients' data.
Dr. Marks: How much can a medical practice expect to pay to recover its data?
Mr. Sacopulos: Ransomware demands usually range from $10,000 to $20,000. Payment is demanded in bitcoin and, for all practical purposes, is untraceable through the Internet. However, the costs associated with ransomware attacks are not restricted simply to the extortion payment. Typically, after payment, data have become corrupted. Practices will need to hire information technology (IT) experts to fully restore their data, which can take time and involve a significant amount of money.
Dr. Marks: Are there laws that protect against ransomware attacks?
Mr. Sacopulos: The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, created to fund and support a paperless national health information network through the adoption of EHRs, does not address ransomware attacks. As a result, it is unclear whether a ransomware attack technically constitutes a breach of patient data. This is significant because if patient data are breached, notice must be given to the patients involved.
"HITECH Act Law has cyber security requirements that require notifications for data breaches, but the law says nothing about notification for data that are frozen or held hostage where they are stored," according to Rep. Ted Lieu (D-Calif.). He believes that the healthcare industry needs "some combination of regulation and forcible guidance to protect the public." Jessica L. Rich, director of the Federal Trade Commission's Bureau of Consumer Protection, agrees. During recent testimony, she called for "federal data security and breach legislation that would allow us [FTC] to seek civil penalties to deter unlawful conduct and give us jurisdiction over nonprofit entities." As ransomware attacks against healthcare entities increase, I anticipate the federal government will enact such legislation.
Dr. Marks: In the meantime, what can medical practices do to protect themselves from ransomware attacks?
Mr. Sacopulos: I recommend medical practices take the following steps to mitigate their risks:
- Perform routine risk analyses, a requirement under federal law. Properly performed risk analyses can assist a practice in detecting vulnerabilities.
- Train staff on cyber hygiene issues. More than 80 percent of attacks are made possible by human error or involvement. Staff need to be taught basic cyber hygiene with respect to passwords, phishing, thumb drive use, use of open access of wireless systems and other matters.
- Use a strong firewall. Intelligent firewalls stop malware from downloading onto systems.
- Install antivirus/antimalware on desktop computers.
- Have an IT expert perform a penetration test on the computer system. This will help detect vulnerabilities.
- Install intrusion detection software. This will enable IT personnel to monitor illegal activities on a practice's computers and network.
- Do not let encryption lead to over-confidence. Encryption will do nothing to stop a hacker if he or she has access to the practice's computer system.
- Back up systems frequently. Frequent back-ups allow for data restoration in the event of a ransomware attack. It is also important to test that the back-up and restoration process really works should you need it.
Dr. Marks: What about cyber insurance?
Mr. Sacopulos: No matter how diligent a practice is, the risk of successful ransomware attacks still exists. Because these attacks can be expensive and disruptive and because most medical practices possess large amounts of data, I recommend they purchase comprehensive cyber liability insurance. Some experts estimate that approximately 70 percent of all cyber insurance policies do not cover ransomware attacks. Medical practices need to ensure that their cyber insurance policy provides ransomware protection.
In the event of a ransomware attack, experienced IT professionals can help medical practices recover their data. Medical practices should make sure that, in addition to providing financial protection, their cyber insurance carrier has specialty vendors that can assist them after an attack.
Dr. Marks: Do you have any final thoughts?
Mr. Sacopulos: Ransomware attacks against healthcare providers are on the rise. Although nothing will guarantee immunity from cybercriminals, there are things medical practices can do to mitigate their risks. Taking these actions will enable them to stay ahead of most cybercriminals and block the vast majority of ransomware attacks.
Michael R. Marks, MD, MBA, is a member of the AAOS Medical Liability Committee, AAOS Patient Safety Committee, and mentor for the AAOS Communications Skills Mentoring Program. He is employed by Marks Healthcare Consulting. He can be reached at email@example.com
Medical Risk Institute provides proactive counsel to the healthcare community to help providers understand where liability risks originate and how to reduce or remove these risks. Michael J. Sacopulos, JD, can be reached at firstname.lastname@example.org
Editor's note: Articles labeled Orthopaedic Risk Manager (ORM) are presented by the Medical Liability Committee under the direction of John P. Lyden, MD, and Michael R. Marks, MD, MBA, ORM co-editors. Articles are provided for general information and are not legal advice; for legal advice, consult a qualified professional. Email your comments to email@example.com or contact this issue's contributors directly.