40% OFF Sale through January 23: COVID Clinical Best Practices. Use "CLINICAL40" coupon code in your shopping cart.

All Records Erased, Practice Closes Down after Healthcare Ransomware Attack

healthcare ransomwareIn the aftermath of a devastating healthcare ransomware attack, a practice based out of Battle Creek, Missouri has been forced to close its doors. This is just another example of the growing threat of ransomware attacks against small individual or group practices in the United States.
Brookside ENT & Hearing Services has been forced to permanently close after a ransomware incident resulted in the loss of all of its electronic health records. This marks the first time in the history of reported healthcare ransomware attacks that a practice closed in the wake of such an attack.
With this example in mind, the average practitioner is likely to ask themselves how better understand and protect themselves against ransomware attacks.

Understanding Healthcare Ransomware

Ransomware is a type of malware that infects a user’s computer or network. Once the system has been infected, the malicious software will encrypt all of the data being maintained on the system. Then, the hackers responsible will demand a ransom in exchange for restoring access to that data.
Sometimes, the ransomware will present healthcare providers with a countdown: pay the ransom within the allotted timeframe, or face permanently losing access to this protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include a patient’s name, address, email, telephone number, Social Security number, medical records, and insurance ID numbers, to name a few. Electronic PHI (ePHI) is any health care data that can be used to identify a patient that is stored in electronic format, such as the records stored or maintained on electronic health records systems (EHRs).

Preventing Ransomware Attacks

In the case of Brookside ENT & Hearing Services, all of the practice’s medical records, billing information, and appointment logs were permanently lost. That includes the on-site backups maintained by the practice. Those on-site backups were an attempt to protect the records in question, but on-0site backups are often as vulnerable to attacks as their original files. The best type of backup to defend against a ransomware attack is an “off-site” backup, which means that backup records are stored in a separate geographic location from the original files.
Offsite data back-up allows users to create a full copy of their data stored separately on other premises. This is particularly important in the event of a natural disaster or ransomware incident. Brookside carried our back-up procedures but stored these back-ups onsite. When the ransomware incident struck, the back-up files were lost in the attack as well. Even though Brookside took steps to prevent this ransomware incident then, these preventative measures clearly fell short of the protections needed, or the HIPAA regulations that set specific standards for data security in healthcare to avoid data breaches.
Furthermore, “full-disc encryption” is recommended for computers that store ePHI, which is a type of HIPAA encryption that encrypts a user’s entire computer system, rather than just individual files, making it next to impossible for hackers to access that data.
The combination of both off-site backs and full-disk encryption is currently the most comprehensive way to protect ePHI in an effective HIPAA compliance program. Preventing data loss and defending against ransomware incidents should be the top priority for health care providers across the country, regardless of their specialty.

HIPAA Resources

If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure. Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!

HIPAA Webinars:

Cyber Security: Top 5 Things You Can Do Tomorrow Morning to Protect Your Practice and Your Clients/Patients
Ransomware hackers attack smaller healthcare practices daily, creating serious data breaches and HIPAA violations. Are you and your clients/patients vulnerable, too?


Social Media and HIPAA Compliance
Social Media and HIPAA Compliance: Protecting Your Practice in the Digital Age
Managing social media use and HIPAA compliance can lead to some of the most common misunderstandings faced by healthcare providers. Improperly trained employees can expose your organization to HIPAA violations and costly fines!


Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.