“Ransomware,” a virus that holds systems hostage until victims pay for a key to regain access, has been deployed at least three times against hospitals already this year. Ransomware is nothing new; ransomware targeting healthcare, however, is.
Here is how it works: a hacker or group of hackers gains access to critical data, encrypts it, and locks you out of your computer and/or system. They will usually give you around twenty-four hours to pay the “ransom,” and if you don’t, they will delete and/or expose your data. Recently MedStar, a hospital in Maryland, was targeted by this type of attack, which forced it to shut down its email and vast records database. The FBI is still investigating this attack, which occurred only a few weeks after three other known ransomware-type attacks took place on medical practices in both California and Kentucky. These attacks are raising additional concerns about the security of hospitals and medical practices nationwide.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Hollywood Presbyterian Medical Center CEO Allen Stefanek said in a letter posted to the hospital’s website late Wednesday following a ransomware attack. “In the best interest of restoring normal operations, we did this.” This is not what most people will want to hear, considering the attackers could be asking for substantial amounts of money. Paying the hackers also encourages them to continue their attacks and inspires new hackers. It is apparent that ransomware will continue to target healthcare practices and hospitals. We can’t stop that; however, there are steps you can take to protect your practice.
Hospitals and healthcare practices can’t afford to overlook these key components in protecting themselves from being the next target. Below is a video we at ehr20.com created to help medical practices get a better understanding of how ransomware works and how to prevent it. If your practice is targeted by ransomware and you choose not to pay, a breach of unsecured protected health information is sure to come. If this is the case, the covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate, according to the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414.
To learn more about how EHR 2.0 can help your practice comply and protect patient data, visit us at https://ehr20.com/services/hipaa-hitech-compliance-assurance/