Ransomware targeting health professionals has been reported in the consumer media of late. Here are two first-hand accounts from optometric practices, one in Canada and the other in the USA, of their ransomware experience and advice.
Ted McElroy, OD, was shocked to find his practice cyber-attacked by ransomware that encrypted all of his business files and patient data, essentially freezing his practice. After exploring his options, he paid a $3,000 ransom to the hijackers to get back in business. On investigation, he corrected weaknesses in his backup system, and he devised a defensive plan should an attack happen again. Data hijacking is part of a growing trend, as cyber criminals target medical practices and health care systems as easy prey and willing payers. How prepared are you to defend against cyber criminals?
Defensive Plan: Continually monitor your backup to be sure it is working and archived offline. If attacked, be prepared to wipe your entire computer system clean and re-install it. Negotiate with the hijackers to send you the key that unlocks your data, not at their price, but at what it would cost you for your IT personnel to re-install. Estimate: three hours, or $300.
Patient Privacy Concern: Are you sure your patient data has not been breached? You may be required to inform all patients of a potential breach of their patient data and payment method.
BACK UP FILES. Back up your files on external hard drives (around $100 apiece at an office supply store) and also back them up in the cloud using a service like Carbonite or one of its competitors. The cost of backing up your data online depends on the amount of data you have to back up. In the case of Dr. McElroy’s practice, it costs just $89 a month to back up online, “in the cloud.”
GET WHOLLY IN THE CLOUD: Choose an electronic health records and practice management system that resides wholly in the cloud. EHR/practice management systems that reside entirely online guarantee the security of your data as part of your contract with them. If the information is encrypted by a hacker, they are the ones responsible for paying the fee to unlock it; if the information is breached and exposed, they are responsible for paying damages to your practice to cover related expenses and the potential loss of patients.
DON’T LOAD NEW SOFTWARE FROM E-MAIL: When loading a new piece of software onto your server, first load it onto a zip drive. Then run a virus scan to make sure no viruses are present, and only then load it onto your server.
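One concrete way to “continually monitor your backup”, added here as an example that is not from the article or from either practice: a short Python check that records a hash manifest of the backup copy while it is known good and later reports files that are missing or changed, flagging changed files whose contents have become high-entropy, which is how encrypted files such as the visual-field exports in the second account would look. The entropy threshold and the directory layout are assumptions.

```python
import hashlib
import math
import os
from collections import Counter

# Entropy above this (bits per byte; 8.0 is the maximum) is typical of encrypted
# or compressed content; plain text and most exports sit well below it (assumed).
HIGH_ENTROPY = 7.5

def sha256_file(path):
    """Hash a file in chunks so large exports are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    """Record relative path -> sha256 for every file under root; run this
    while the backup copy is known good and keep the result offline."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_backup(root, manifest):
    """Return sorted (relative path, finding) pairs; [] means the backup still
    matches. 'changed+high-entropy' is what a ransomware-encrypted file looks like."""
    findings = []
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings.append((rel, "missing"))
        elif sha256_file(full) != digest:
            with open(full, "rb") as f:
                head = f.read(65536)
            kind = "changed+high-entropy" if shannon_entropy(head) >= HIGH_ENTROPY else "changed"
            findings.append((rel, kind))
    return findings
```

Save the manifest somewhere the backup host cannot overwrite, and treat any non-empty result as a reason to call your IT person before the next backup cycle replaces the good copy.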
We Are Not Immune!
By Perry Amos, OD, OAKVILLE OPTOMETRY
In the summer of 2016 my office received an e-mail that wanted me to pay a ransom fee, and if I didn’t pay a sum of money, something bad would happen to my office computers or their data. Every day, for the next several days, the one computer that opened the original e-mail would get a pop-up message reminding me that I had to pay or else!
I would just close the pop-up and continue with my day. Shortly thereafter, I tried to review a patient’s visual fields and I could not open the file. In fact, I could not open any of the hundreds of visual fields that I have stored on the server. They were all encrypted. With a bit of research, I determined that any folder opened became encrypted and that folder could never be opened again. I was able to work for the day as the EMR did not seem to be affected, and the IT person we hire was able to rid the computer and the server of the ransomware, and thankfully, with backups, we were able to re-populate the visual fields data.
What I learned from this experience was that I should have taken the ransomware threat more seriously and called the IT fellow in the first place. It cost me more in time and worry than it did in dollars, and it likely could all have been avoided if I had been more aware of ransomware.
FURTHER READING: Learn more about ransomware–and how health care providers are being targeted:
TED MCELROY, OD
Ted is the owner of Vision Source Tifton in Tifton, Ga., and the president of SECO.