top menu questionnaire

Healthcare Facility under Cyber Attack and How to Avoid being Held to Ransom

Ransom? In the Healthcare Facility? No way!

Yes way— read on and discover what you need to know to avoid this internet—computer software blunder.

First let’s talk about a big “win” for patients: The new HIPAA Omnibus Rules aggressively protect patient records.

These rules apply to the Healthcare Facility setting. All Healthcare Facilities must comply!

The laws make mandatory, the protection of virtual electronic files (PHI- Protected Health Information of patients) not only during business hours but also, in the case of a natural disaster, patients’ records are safe.

healthcare facility under cyber attackOne of the largest threats posed to any business are online hackers. In fact, according to a NY Times article from 2013 that discusses one report by Verizon on data breaches, “no matter the size of the organization — large, small, government agencies, banks, restaurants, retailers — people are stealing data from a range of different organizations and it’s a problem everyone has to deal with.” Thus, no one – not even “a one-computer dental office” – is immune to hackers.

The prospect of a data breach is a scary one; not only can it cripple current business, but it can also discourage potential future business from new customers due to inherent distrust regarding the protection you offer for their information.

One of the best deterrents against hackers is making sure to implement a comprehensive training program for your employees. This way, each employee will know what to do in case of a hacking attack, plus the Healthcare Facility should have a resource to call in case of such an emergency.

An Expert HIPPA Coaching Team can help your Healthcare Facility put such measures in place by using products like HIPPA Made Easy, which offer all the training tools, support checklists and guided HIPAA expert advice needed to make sure that your Healthcare Facility is in compliance with the new HIPPA Omnibus Rules, including protocols for digital privacy and breaches. However, only the knowledge of how to manage a data breach is not sufficient.
To truly understand its effects, look at a recent example of how one Healthcare Facility was hacked twice in one week.

Hackers targeted the office of Dr. Lloyd Walling in Burnsville, Minnesota twice in one week.

The hackers blocked the doctor’s access to his patient database, including their files, personal information, and insurance information. They then demanded $1,000 in ransom money, but later followed up by asking for $600 more. This may seem like a small amount of money, but it pales in comparison to the $70,000 that the doctor paid for the electronic system that he implemented due to state mandates so he could be in compliance with the law. This is concrete evidence that what the NY Times article stated about hacking is true: no one is safe from hackers no matter how much they pay to protect their patient’s information. It does not matter how expensive of an electronic system you possess or what kind of protection from intrusions you have implemented; your Healthcare Facility can still be hacked. Naturally, the strain put on a Healthcare Facility if this happens is enormous and unbearable.

In Dr. Walling’s case, the whole system was shut down. He had no access to the daily schedules and could not even take X-rays, according to what he told a local news station. Even more frightening than the virtual shutdown that was imposed on his practice was the fact that the hackers broke through two protection systems to achieve access to the patient’s database. According to the hardware provider for this Healthcare Facility, 20 out of 60 Healthcare Facility clients had fallen victim to ransomware attacks in the last year. For those who are not familiar with this term, “ransomware” occurs when hackers freeze the patient database and initiate ransom demands. Ransomware is spread a couple of ways.

Ransomware is usually spread through what is known as phishing emails. The emails contain attachments or links that, when clicked on or opened, install the ransomware or malware onto the computer without the person ever knowing. Normal anti-virus protection programs are not thoroughly equipped to protect computers from these kinds of attacks. In Dr. Walling’s case, the malware or crypto-ransomware as it is officially known makes sensitive data inaccessible to anyone but the hacker who installed it. If you are ever a victim of this kind of attack, a message will appear on the screen stating that the computer has been locked down or encrypted, and that a ransom must be paid to restore access.

The Homeland Security website lists examples of these pop-up messages; for example, “Your computer has been infected with a virus. Click here to resolve the issue,” or “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100- $1000 fine.” The department of Homeland Security recommends that victims should not pay the ransom because there is no guarantee that they will recover their system. In Dr.Walling’s case, however, he paid the ransom and regained control over his system, but this may be an exception.

The bottom-line here is that all Healthcare Facilities should have a system in place to deal with such an attack. Because an attack can occur without prior warning, it is critical for all employees to be knowledgeable of what to do if it happens. Plus having a resource— a HIPAA Expert, available 24/ 7 to support your team through difficult times is essential. Having an ally on your side (like ‘HIPAA made Easy’) that can provide complete training and timely advise, will provide answers and peace-of-mind, in times of distress.

Despite all of the protective layers one can create to guard against such an attack, hackers always seem to be one step ahead of the security technologies. The last thing that any Healthcare Facility needs is to be attacked and be unable to do business – this costs the office the trust of its customers as well as money for the practice, two assets that are very difficult to recover. Do not let a ransomware attack hold your Healthcare Facility back. Just like you would ask your patients to have a plan to keep themselves healthy and strong to guard against disease, you too must have a plan to keep your Healthcare Facility up and running should a virtual disease affect it.

For free advice and a full list of ‘HIPAA made Easy’ training packages visit:

, ,

No comments yet.

Leave a Reply