What will a malware breach cost a physician practice?

Editor’s Note: Welcome to Medical Economics' blog section which features contributions from members of the medical community. These blogs are an opportunity for bloggers to engage with readers about a topic that is top of mind, whether it is practice management, experiences with patients, the industry, medicine in general, or healthcare reform. The series continues with this blog by Carol Gibbons, RN, BSN, NHA, who is CEO of CJ Consulting, which specializes in healthcare revenue cycle management. The views expressed in these blogs are those of their respective contributors and do not represent the views of Medical Economics or UBM Medica.

If you think that you have not had a data breach in your business, you are an ostrich with your head in the sand.  If you have multiple computers in your office and you allow your employees to access their personal email, I can guarantee that you have malware and viruses on some of your computers that your antivirus software is not catching.

Blog: Change doesn't have to be a bad thing for doctors

The biggest news recently has been about malware, known as ransomware, encrypting computers and taking the data hostage.   

The ransomware known as CryptoLocker has been very effective in generating ransom payments.  It is estimated that in late 2013, thieves collected more than $30 million in a short three-month period according to an article by Jim Flynne of Carbonite.

To pay or not to pay, that is the question

The latest question is whether to pay the ransom or not.  If you have been keeping up with healthcare IT news, you know that some hospitals have paid the ransom and some have not.  There is no right or wrong answer to that question.  However, with a number of large businesses paying ransom for their data, it is clear that the perpetrators of this theft are getting more brazen and attacking more businesses.

More from Carol Gibbons: Tips for preparing your practice to survive the millenial patient

So if you pay to get your data back, how can you be sure that the perpetrators did not leave a back door into your system to come back for another fee?  You also do not know how much data they downloaded without getting an IT professional to go through your computers to see how they got in and what they may have downloaded. 

Next: Cloud doesn't equal safety

I had a client that allowed employees to get onto their personal email at work and one day an employee clicked on something that allowed the ransomware in.  Luckily, the practice reacted quickly and unplugged the computer.  They immediately notified their EHR software vendor and turned off their software link to the server at the practice.  Thankfully, most of their local data was backed up and the EHR vendor had clean data to restore from.

Blog: Who is ruining the healthcare system?

The financial outlay, however, for the IT company and software reinstall was several thousand dollars and they were using paper documents for visits for two days.  While the ransom was much smaller, you have no guarantee that the “thief” that encrypted your data will really give you the encryption key after you pay.

This link from Armor shows how quickly a “threat actor” can get into and out of your system leaving havoc behind.

Using the cloud doesn’t equal safety

Do your providers take their laptops home at the end of the day and do they access their personal email on this computer?  If the answer to this question is yes and that laptop is not encrypted, you could be paying big fines if that laptop is stolen.

You may think that you are safe because your software is cloud-based.  However, your user ID and passwords are probably saved on your computer to make it easier for you to access your programs.  So could a thief! How many patient records are currently in your software?

Related: Ethical hacking a vital necessity to fight against randsomware

A practice recently paid $750,000 in fines because an employee had a laptop stolen that contained protected health information from 55,000 patient records. The laptop was not encrypted so the data was available to the thief.   What if this happened to you?  How much insurance coverage do you have to cover this cost?  Have you looked at your business coverage to see if it contains any insurance for breaches? 

Next: Safest path to take

 A study sponsored by IBM and done by Ponemon Institute,reviewed the cost of a data breach across multiple industries.  I have included a link to this study to show that the average cost associated with a healthcare breach is $363 per record versus $165 in retail.  If a hacker accessed your EHR system, how many charts do you have in your system? The cost of 2,000 records could be over $700,000. 

According to the survey, “healthcare organizations are also being targeted by malicious and criminal attacks because of the value of the information and knowledge that security is often not the best in these organizations."

Blog: Reexamining the 80-hour medical resident workweek

The fact that healthcare has become a bigger target for hackers should have all healthcare businesses evaluating their security and ability to monitor their computers for attacks.  Most healthcare business owners do not have the sophisticated knowledge to set up the security on their network that can prevent these attacks.  

The safest path to take in today’s risk profile is to have a professional monitor and manage your network.  Your server should be backing up as a mirror image, not just backing up your data.  That way, if a breach should happen, the system can be shut down and restored at a point prior to the breach.

On March 31, the Department of Homeland Security issued a warning to healthcare businesses to be diligent in protecting their networks from ransomware attacks.  One of the biggest recommendations was to evaluate your back-up process to make sure they can quickly restore their system from their back-up clean data.

Next: Tips to protect your business

Here are some tips to help protect your business:

1.      You should be using an enterprise antivirus product to protect your network, not the software that came on the computer. The free software or software for individual computers is not enough to protect your entire network.

2.     You should have a router with sophisticated firewall installed by a security expert.  Doing it yourself and attempting to save money will cost you in the long run.

3.     Cloud backup software should back up all the computers along with the software in your business to protect your data. You could have essential operational data on computers in your office even if your clinical software is cloud based.

4.     Do not let employees access their personal email at work.  Set up email accounts for business use and monitor the staff access. 

5.     Educate your staff regularly regarding phishing emails; never open an email advertising a new product without permission. Some of the most common Phishing emails are notification your bank account or credit card may be locked, notice of a delivery when you have not ordered anything, or a notice from a government agency like the IRS or FBI.

6.     Do not let employees bring CD’s or DVD’s into the business and put them in a computer.  They can contain viruses.

7.     Do not let employees access  internet radio at work.

8.     Do not let employees plug a flash drive into your system, EVER! If it has been used on their personal computer, it may contain viruses or malware.

9.     Change passwords to at least every 6 months.

10.  Do not use the same password to access computers and your EHR software.

11.  Immediately disable accounts when an employee is terminated or leaves.

12.  Encourage staff members to use passwords that are sentences.  An example is:  I love Lucy.  Then substitute the number “1” for the letter “I” and the number zero “0” for the letter “o”.  It is easy to remember but more difficult to hack.  1l0veLucy would be the password. 

13.  Train employees never to leave a reminder note of passwords on their computer or filed in their desk.  Since many people now have phones with contact information, employees can store their password hints on their phone.

14.  Train, train, and train your staff even more regarding the dangers of a breach.

15.  Discuss breach insurance with your insurance broker to protect your business. One million dollars is not unreasonable for a starting point.

Next: What to do if you are attacked

There is no way to guarantee that you will not experience a breach, so a backup plan is important and all you staff must be educated regarding the immediate steps to be taken if you are attacked.  Here are some steps to take:

1.     As soon as you are aware of a problem, shut down the computer to prevent any further file transfers.

2.     Consult a professional to locate the computer where the infection happened and how many files were infected.

3.     Review the extent of the data breach and consult with a professional to delete all damaged files to prevent any reoccurrence.

4.     If you have prepared well, you will have a backup application that will allow you to recover clean versions of the infected files.

5.     Utilize a professional to review your current virus software and determine whether you need to change to a more proactive product.

If you implement the steps, you will be better prepared to prevent an attack and recover data in the event of an actual attack. Security preparation through technology and education of your staff are the key factors in protecting your data and avoiding fines.