Breaking Compliance News Blog

Is your EHR ready for ransomware?

Posted by Scott Gima on 2/28/18 7:02 AM

In January 2018, EHR vendor Allscripts was a target of a ransomware attack that took down several of its applications, including its EHR and patient management/scheduling systems. FierceHealthcare reported the following notice from Allscripts: “While we cannot guarantee that the hosted Professional suite and hosted Allscripts PM service will be fully restored to all clients on Monday, Jan. 22, we do currently expect to return meaningful service to the majority of clients over the next 12-24 hours.”

One medical group, for example, was unable to use Allscripts’ e-prescribing system after the ransomware attack. Others could not access their EHR at all.

The use of cloud-based applications has increased providers’ reliance on EHR vendor security measures. A detailed contract that states standards for EHR data protection is a start. But it only provides the ability to seek legal and financial remedies if the EHR vendor fails to meet its contractual obligations. It does nothing to guarantee uninterrupted access to your data.

A copy of your EHR data saved to an on-site computer is the only way to ensure access. A mirror backup provides an exact copy of the data, and the technology allows the mirror to be refreshed as often as every 15 minutes. When selecting an EHR vendor, the availability of a mirror backup must be a key selection criterion. A local copy of the EHR application is also needed; without it, the data is useless.
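A mirror only helps if it is both current and intact, so the check a practitioner wants is one that flags an on-site copy that has missed its 15-minute refresh or whose files no longer match the checksums recorded at sync time. The following is an added example, not code from the post or from any EHR vendor; the snapshot structure, the manifest of sha256 values, and the sample records are all constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# The post's criterion: the on-site mirror is refreshed every 15 minutes,
# so a copy older than that has missed at least one sync (assumed threshold).
MAX_MIRROR_AGE = timedelta(minutes=15)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_mirror(snapshot: dict, now: datetime, max_age: timedelta = MAX_MIRROR_AGE) -> list:
    """Return a list of problems with one on-site mirror snapshot ([] = usable).

    snapshot is a hypothetical structure: 'synced_at' (aware datetime of the
    last sync), 'files' (name -> bytes as stored on-site) and 'manifest'
    (name -> sha256 recorded at sync time).
    """
    problems = []
    age_min = int((now - snapshot["synced_at"]).total_seconds() // 60)
    if now - snapshot["synced_at"] > max_age:
        problems.append(f"mirror is {age_min} min old, older than the "
                        f"{int(max_age.total_seconds() // 60)} min sync interval")
    for name, expected in snapshot["manifest"].items():
        data = snapshot["files"].get(name)
        if data is None:
            problems.append(f"{name}: in manifest but missing on-site")
        elif sha256_hex(data) != expected:
            problems.append(f"{name}: checksum mismatch (altered or corrupted copy)")
    for name in snapshot["files"]:
        if name not in snapshot["manifest"]:
            problems.append(f"{name}: on-site but not in manifest")
    return problems


# Constructed sample data, not real patient records.
NOW = datetime(2018, 2, 28, 7, 0, tzinfo=timezone.utc)
PATIENT_LIST = b"MRN 0001,Doe,John\nMRN 0002,Roe,Jane\n"
GOOD_SNAPSHOT = {
    "synced_at": NOW - timedelta(minutes=10),
    "files": {"patients.csv": PATIENT_LIST},
    "manifest": {"patients.csv": sha256_hex(PATIENT_LIST)},
}
# Stale mirror whose file no longer matches the checksum taken at sync time.
STALE_SNAPSHOT = {
    "synced_at": NOW - timedelta(minutes=45),
    "files": {"patients.csv": PATIENT_LIST + b"\x00corrupted"},
    "manifest": {"patients.csv": sha256_hex(PATIENT_LIST)},
}
```

Calling `check_mirror(STALE_SNAPSHOT, NOW)` reports both the missed sync and the checksum mismatch, which is the kind of finding that should page someone before the vendor outage, not after.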

With the prevalence of ransomware attacks, a business continuity plan is also a must. The goal of a business continuity plan is to determine how you will continue to provide patient care without interrupting the normal workflow. Here are examples of items to include in your business continuity plan:

  • Clinical procedures for patient care
    • Individuals (each shift) who are responsible for printing critical medical record information from the local copy
    • Documenting patient care
    • Medication administration and documentation
    • New orders including medications, labs and tests
    • Daily schedules
  • Clinical documentation procedures
    • Availability of paper forms
    • Procedures to distribute the forms
    • Maintaining an adequate supply of paper forms
  • A procedure to update the EHR when it is back online
  • Financial procedures for billing. Determine if the submission of paper claims is a viable alternative. If necessary, determine the minimum number of days’ cash on hand needed to meet payroll and necessary accounts payable in the event that claims cannot be billed for a period of time.
  • HIPAA security procedures to ensure PHI protection with all alternative procedures. This includes the minimum necessary rule as well as the physical security of all paper and verbal PHI.

Topics: HIPAA, records, data breach
