In a previous article, we went over the details of a ransomware attack on a Michigan doctor’s office. The attackers blocked access to all patient records and demanded a $6,500 payment in cryptocurrency. The doctors made the fateful decision NOT to pay the ransom because they were not given any assurances that they would get their records back if they paid.
This is always true with ransomware attacks. You have to trust the hackers to keep their word and return access to all your files, which is hard to do since you know you’re dealing with thieves. The two physicians who ran this hearing clinic in Michigan made the unfortunate decision not to pay and that set into motion a truly regretful series of events that resulted in the closure of the medical practice.
Could This Tragedy Have Been Prevented?
Of course, hindsight is 20/20 as they say. These doctors had no experience with cyber-attacks and no one to advise them. If they had taken the time to reach out to a local IT consulting firm, they would have at least had the opportunity to consider all their options. The first thing any IT firm would ask is: “Do you have recent back-up copies of all your records?”
If the answer is “NO!” then there’s no question about it: You must pay the ransom and pray that the hackers will keep their promise and restore all your data. Though there is a chance they won’t, there’s simply no other option. On the other hand, if you have daily backups of data on hand or stored in the cloud, then you can risk it.
Do These Mistakes Really Happen?
Looking back on this event, it’s easy to see all the mistakes these doctors made. And hopefully other medical professionals will learn something from this story. They said ‘no’ to the hackers and here’s what happened.
- All medical records were destroyed, including patient charts, test results, patient histories, surgical histories—everything!
- There were no data back-ups at all.
- Once this story hit the news and the patients learned about what happened, they were outraged.
Are You Able To Pay Multiple HIPAA Fines?
Under HIPAA guidelines, if a patient requests access to their medical records, the doctor has 30 days to respond. Failure to respond to a request is a HIPAA violation. The patient can now file a complaint to the Office for Civil Rights (OCR). Theoretically, every patient of the practice could file a complaint with HIPAA resulting in massive fines for the doctors. These fines could be even more severe because HIPAA does have the right to punish a medical practice for not maintaining viable regular data backups.
Are You Testing Your Backups?
If you run a medical practice, it’s your responsibility to have daily data backups done and whoever is responsible for making these backups must test them regularly to make sure they will work in times of emergency.
As we all know, sometimes you back up your files to a DVD, thumb drive or external hard drive, then when you try to reload the files, you get an error message. This can happen to anyone, even business owners and doctors. So it’s not just enough to make copies of data; these must be good copies that can be fully restored. Because in this day and time, you never know when a tornado will blow the roof off your building or thieves will break in and steal everything.
You must be prepared. That’s part of the responsibility of business owners these days, especially medical professionals. Though this story does have a pretty sad ending, hopefully we can all learn a good lesson from it.
What Happened To This Clinic?
This medical clinic had to close its doors and eventually, I’m sure they’ll file bankruptcy. But this will not give the former patients back their medical records. They may be able to piece together past surgeries and test results by going to their other doctors and asking for help. But think of the time and effort it will take to do this for say … 200 patients. It could easily turn into a nightmare.
Lastly, each one of these patients could file a personal injury lawsuit. It would be very easy to prove that these patients suffered damage because of the ransomware incident. The liability would of course be up to the courts to decide, but there’s a good chance that every patient would win their case and be awarded a sum of money to compensate them for their losses.
Can Insurance Help?
These days, many medical practices are opting to get a type of liability insurance that will cover an event like this. Though this insurance is expensive, it could cover the financial losses and prevent the doctors from being personally held responsible.
This is a complicated case, but one that does showcase the need for all business owners, especially if you’re in the medical industry, to maintain recent viable copies of your data base. Healthcare organizations have become a major target of cyber thieves because so many are simply not prepared—and hackers know this. They are searching for easy prey. So it’s up to you as the practice owner, to be ready.
Why Are Hackers Targeting Medical Practices?
A study conducted by Protenus Breach Barometer found that in the second quarter of 2018, from April to June, more than 3.15 million patient records were compromised across a total of 142 healthcare data breaches. The report reinforces the need for strong security measures in the healthcare system, concluding that healthcare organizations must maintain vigilance.
Cybersecurity experts can help educate you and your employees on the latest trends in malware and ransomware. It’s important for you and your team to understand how data breaches occur. Security awareness is key to keeping your data safe. And of course, you must have a strong business continuity plan in place. This goes for all companies these days.
What Can We Do?
When it comes to natural disaster or human error, there’s nothing more important than being able to respond quickly:
- Backup your data onsite and in the cloud so you’re able to recover and access files in a moment’s notice when needed.
- Create a disaster recovery plan so you and your team know exactly who does what in the event of a disaster.
- Monitor and test the backups on a regular basis to make sure they’re recoverable when you need them most.
- Plan for Internet and/or power failure with redundancy and power protection in place so you’re always able to keep your practice open.
Your entire network should be backed up multiple times per day, which includes your files, applications, programs, operating systems, settings, and more. Your employees need regular security awareness training. Though this may seem like a lot to deal with, the alternative could be that your medical practice may have to close its doors and your physicians could face multiple lawsuits, not to mention HIPAA fines.
Hire IT Professionals!
If all this seems overwhelming, then the best course of action is to hire a great managed IT services provider. They have the skills, resources, people and other tools to handle everything from security training to data backups. This will give you peace of mind and allow you to return to treating patients without the worry of a data breach looming over your head.
Each day, hackers find new ways to get past your best cyber security programs so they can steal your data base. Though it can seem like a constant war to maintain control, the alternative is not pretty. Data breaches can ruin your reputation and drive you out of business. You can’t let your guard down for even a moment these days.
To learn more about HIPAA liabilities, Contact Radius Executive IT Solutions in Stoneham, MA today.