I followed all the rules and I still got hacked

February 10, 2017

Last fall, on a typical busy Monday morning, with add-ons, walk-ins, and a packed schedule, I started to notice my computer network was sluggish and I was getting kicked off of my EHR several times throughout the day. We verified that there was no issue with our internet service provider, so I assumed that the sluggish network was a function of a busy Monday morning.

Dr. Ellis

Later that week, as my IT person was installing new software onto my system, he noticed that someone had logged onto my server and that we had been compromised. Ransomware had been deployed on the server and all workstations throughout the practice. Ransomware is a harmful type of software that forces the victim to pay a fee in order to unlock the system and retrieve their data.

We were, in other words, the victims of a cyber attack. Within minutes, we completely shut down our system and disconnected it from the internet, preventing any major damage and data loss to trigger the ransom. My major concern at that point was guarding my patients’ protected health information (PHI) as well as their identities.

The following morning, my IT person was at my office with a strategic plan for how to deal with this cyber attack and implemented his response within minutes of my approving it. I pulled out my HIPAA manual to make sure we were following protocol. We notified local authorities, who advised us to contact the FBI. We did so immediately. Then we began keeping a detailed log of all events that had occurred and our plans for resolving the issues.

The next two weeks would be very stressful as we worked to reestablish our network while guarding patient identities and PHI. I was angry and felt victimized. I was worried about my practice, our systems and how we’d get up and running again. But most of all, I was concerned about my patients. I did not want their data compromised on my watch. Fortunately, none of the data were accessed, as our old records were encrypted on the server while our present records are on the cloud with our IT vendor.

Although I’m a busy physician with an urgent care practice adjacent to my internal medicine practice, we were forced to close Friday through Sunday. When I re-opened on Monday, it was with limited access to the Internet and my EHR. In today’s world, our computers, tablets, and phones are our lifelines. This event took us back 20 years to paper and pen for charting.

I do have insurance to cover what happened, but at the end of all of this, between shutting down over a busy weekend, getting a new server up and running and putting enhanced security in place, I am looking at a loss of $50,000 to $60,000.

How could this have happened to me? I took pride in the fact that I had protected my practice for years with a double firewall, the latest and best anti-virus software, a HIPAA-compliant network and an IT person on retainer who for years had kept my system safe.

In short, I did everything by the book and I was still hacked. It made me realize that none of us are immune from a cyber attack. As a result of this hack, I have established even tighter measures in my practice. I have set all computers to automatic updates of software, blocked internet access to unnecessary sites, and have retrained all employees to not open any emails.

I have regular communication with our IT professional, ensuring that all activity remains safe and secure. Without that reliable IT assistance, I would still be working to get my practice back online, months after the attack. I couldn’t have done this alone.

We are exercising strict security measures in an effort to guard our patients’ PHI as well as their identities. Passwords are changed at regular intervals, and cannot contain words in the dictionary. All screens and monitors are locked and secured when not attended by staff, preventing security violations in our practice.

These measures had been undertaken prior to our cyber attack, but now have been revamped further as we continue to make our patients’ well-being our first priority.

I was glad that I had my HIPAA manual to turn to in the early days following the hack. Understanding HIPAA compliance, conducting security risk assessments on a regular basis and retaining a competent company guiding your HIPAA compliance plan are essential in this day and age where none of us are truly protected from a cyber attack. In the meantime, my staff and I remain vigilant.