After ransomware took over the EMR system at Brookside ENT & Hearing Services, the practice decided to close for good. The ransomware deleted and overwrote the practice's medical records, bills and appointment schedules, and its backups with them, leaving behind only encrypted duplicates that the attacker promised to unlock in exchange for a $6,500 ransom. The two doctors who own the practice wisely refused to pay. Instead, they called the FBI.
With no appointment schedule, no medical records, no billing records and no usable backups, the doctors' only option was to come to work, wait to see which patients arrived, and treat them as best they could without any patient history. Ultimately, Brookside closed the practice because of the incident.
This is the first known instance of a provider going out of business because of a ransomware attack, and a reminder that ransomware hits providers of all sizes, in this case a two-physician specialty practice. Large organizations such as Anthem, whose breach affected almost 79 million individuals, are not the only targets.
Are you prepared for a ransomware attack?
The lessons from the Anthem breach apply to providers of all sizes. In its press release on the Anthem settlement, OCR reported that its investigation found the following failures:
- Failure to conduct an enterprise-wide risk analysis
- Failure to regularly review information system activity
- Failure to identify and respond to suspected or known security incidents
- Failure to implement adequate minimum access controls
Addressing these four areas in your own organization will significantly reduce your cyber-security exposure.
These threats are only one employee click away. How well prepared is your organization for a ransomware attack? Here are some things you can do to minimize your risk:
- Use your HIPAA Security Risk Analysis to identify vulnerabilities to your sources of electronic PHI, and mitigate those risks
- Maintain a rigorous defense against ransomware and other threats. Keep antivirus software current on all devices
- Maintain an off-site backup of your ePHI, such as a cloud backup. Brookside's backups were lost because the ransomware could reach them, so keep at least one copy that is disconnected from the production network or cannot be overwritten from it, and test that you can actually restore from it
- If you experience a ransomware attack, do not pay the ransom. Call the FBI immediately
- Train staff on how to identify and prevent malware attacks – and train, train, train again!
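The Brookside attack succeeded because the backups sat where the ransomware could reach them. As an added example (not code from the original article), here is a small Python backup check: it builds a SHA-256 manifest of some constructed sample records, keeps one copy on the same network share as the EMR and one off-site, simulates the overwrite, and shows that only the isolated copy still verifies and restores. The file names, directory layout and the `simulate_ransomware` helper are assumptions made for the demonstration; no real PHI or malware is involved.

```python
"""Backup integrity check: hash manifest, isolated copy, restore test.
Added example, not code from the original article. Works entirely in a
temporary directory with constructed sample files."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large record exports are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative to root) to its digest at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup tree against the manifest captured when it was made.
    Overwritten (encrypted) files show up as 'modified', deleted ones as 'missing'."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.exists():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def restore_and_verify(backup: Path, target: Path, manifest: dict) -> bool:
    """A backup you have never restored is not a backup: copy it out and re-verify."""
    shutil.copytree(backup, target)
    r = verify_backup(target, manifest)
    return not r["modified"] and not r["missing"]


def simulate_ransomware(root: Path) -> None:
    """Stand-in for the attack (constructed, not real malware): overwrite every
    file in the tree with random bytes, as an encryptor would."""
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size + 16))


def run_demo() -> dict:
    work = Path(tempfile.mkdtemp(prefix="ransomware-backup-demo-"))
    try:
        prod = work / "emr"
        prod.mkdir()
        # Constructed sample records standing in for ePHI.
        (prod / "patients.csv").write_text("id,name,dob\n1,Jane Doe,1970-01-01\n")
        (prod / "appointments.csv").write_text("date,patient_id\n2019-04-02,1\n")
        (prod / "billing.csv").write_text("claim,amount\n1001,125.00\n")
        manifest = build_manifest(prod)

        # Copy 1: a share mounted on the EMR host, reachable by anything running there.
        net_backup = work / "network_share_backup"
        shutil.copytree(prod, net_backup)
        # Copy 2: shipped off-site and then disconnected. The manifest travels with it.
        offsite = work / "offsite_backup"
        shutil.copytree(prod, offsite)
        (work / "offsite_manifest.json").write_text(json.dumps(manifest))

        # The attack reaches production and every writable path mounted from it.
        simulate_ransomware(prod)
        simulate_ransomware(net_backup)

        saved = json.loads((work / "offsite_manifest.json").read_text())
        return {
            "production": verify_backup(prod, saved),
            "network_share": verify_backup(net_backup, saved),
            "offsite": verify_backup(offsite, saved),
            "restore_ok": restore_and_verify(offsite, work / "restored", saved),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Run on a schedule against the real backup target (and store the manifest with the off-site copy, not on the EMR host), a check like this turns "we have backups" into something you can prove before an attacker tests it for you.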