By Bret Piatt
Jul 15, 2016
New research from the Ponemon Institute indicates that healthcare organizations are under attack: breaches are up 100 percent since 2010, and they cost the industry roughly $5.6 billion a year, not including the fines and penalties associated with HIPAA violations.
Imagine logging into your computer system one day only to find a ransom note from a hacker demanding money in exchange for a safe return of patient records. This happened to Dr. Derm’s medical practice in the greater Chicago area – and he wasn’t prepared. Hackers broke into the office server, encrypted the patient data and gave an ultimatum: Pay the ransom or never see your patients’ data again. Dr. Derm paid the hefty blackmail to get his records back. Unfortunately, he also had to pay HIPAA violation fines, suffered negative press, lost reputation, and had significant patient attrition.
When California dentist Catherine Steinborn’s server was compromised, she never anticipated the stress and financial impact it would cause her. Information including Social Security numbers, medical insurance details, billing information, and patient addresses and phone numbers was stolen. Dr. Steinborn had to commit to paying for free credit monitoring and identity restoration for every single patient.
Keeping sensitive data on a portable device is not recommended. It is better to store your data in an offsite location with a secure environment, such as a HIPAA compliant data center with the proper physical and network security in place to protect PHI and prevent a data breach. Your data backup provider should tell you where their data centers are and what audits they undergo, and should back that up by providing a HIPAA Business Associate Agreement (BAA).
David Finn, health IT officer at Symantec, said all of the provider organization executives he spoke with at the recent 2016 Annual HIMSS Conference and Exhibition told him they had noticed an uptick in the number of ransomware hits. “We have the tools to catch these attacks nowadays, but you cannot do it with a single product, you need a multi-layer defense strategy – if your end-point protection doesn’t stop a ransomware hit, for example, then maybe your network protection will get it,” Finn said. “Maybe a ransomware hit comes in through a web gateway rather than an e-mail, or maybe through a jump-drive someone got from who knows where. You cannot just look at e-mail and say all the bad stuff is coming in this way, you have to have multi-layered products, correlate data from these products, and use that intelligence.”
Recommended layers of protection:
In the unfortunate situation that a problem does occur, the last thing you want to do is wait hours or days for a reply to a technology support ticket, or sit listening to hold music. Your provider should have experts available to you by phone with little to no wait. Find out whether their experts will help you through the data recovery and restoration process, or whether they are only there to help if you get stuck installing their software. When you have an incident, you will need some of your data restored right away: the records you need to do business today. They should help you find and restore that urgent data first, and then follow up to ensure all the rest of your information is recovered and restored once the crisis is handled.
Data security is more important now than it ever has been for medical groups and individual practices. The cost of putting the right solution in place is now much lower than the cost of doing nothing and hoping it doesn’t happen to you.