The recent ransomware attack on a California hospital has highlighted how broadly hospitals and other medical entities are exposed in data breach situations. After having difficulty accessing patient medical records on the hospital’s computer network, Hollywood Presbyterian Medical Center staff determined that a malware attack had locked access to certain systems. According to numerous reports, the hospital’s network was down for a week, with no access to electronic patient records or email. The hospital later paid a $17,000 ransom to obtain the decryption key.
Ransomware typically gains access to the IT network via a legitimate-looking email opened by an employee, who might then innocently open an attachment or provide key information such as a username or password. Once deployed, the software locks any or all of the facility’s information systems and demands that a ransom be paid to unlock them. Patient and other records may or may not be stolen during these attacks. Whether or not an entity is able to remediate the breach without paying the ransom, dealing with these attacks is costly. Beyond the frustration and cost that any business would incur, ransomware deployment in a medical facility may disrupt patient care, possibly with life-threatening implications.
The success of the hackers in California sets a precedent for cyber security breaches in the healthcare industry and calls for medical facilities to find increasingly aggressive and proactive solutions to security threats.
Aside from outdated software in medical devices and systems, perhaps the biggest threat to a medical entity’s security is its own employees. It is critical that employees are regularly trained on their role in maintaining IT security, including safe internet usage and how to recognize and process illegitimate emails.
To protect yourself and your practice from this industry epidemic, there are actions you must take:
- Reevaluate security policies and procedures to mitigate data breaches
- Review, test, evaluate and modify any incident response and data breach plans
- Conduct regular training and education for employees
If you have questions about how your practice can stay protected against cyber security breaches, contact Anders.