How Ransomware Threatens Your Medical Practice
Author: Joe Cerra, National Sales Manager – STI Computer Services, Inc.
I recently received this email from a colleague: “Joe, I have been trying to move this client to the Cloud for over a year. The practice just got the Crypto virus last Friday and now they are ready to move to the cloud.”
There is a new kind of virus affecting physicians, and it’s not the measles. Malicious ransomware such as the Crypto Locker virus can wreak havoc on a physician’s computer information to the point of making it unusable, creating a potential financial crisis for the practice.
Crypto Locker is malware (a type of program known as a Trojan horse) that is pulled into your in-house billing and/or EMR system when someone in your office inadvertently opens an email attachment or link that downloads the virus onto a computer workstation. Once on the workstation, the virus spreads throughout your network until it reaches your network hard drives, encrypting your data files so that they are unusable without the decryption key. Once the virus has run, you are typically notified that you need to pay the bad guys to unlock your data (that’s why it is also called ransomware). Even if you pay the ransom, however, there is no guarantee that the bad guys will give you the key to unlock your patient data.
Why should they? They’ve been paid and the longer they communicate with you the greater the chance that they will be caught. In fact, they may even ask for more payment since they think they have someone that’s paid before and may be willing to pay more.
Don’t count on getting the encryption key even if you pay the ransom. The data on your hard drives is probably lost. The bad news is that your data is locked, unusable, and most likely only the bad guys can unlock it.
Physicians who encounter this virus can lose weeks of time and a substantial amount of money trying to recover their data, especially if they don’t have a good data backup.
Without your computerized schedule, how do you know who is coming into the office tomorrow, or what their payment balance is? And if you use a computerized EMR, you can’t even access your chart notes.
Practices without a professional IT managed services contract or an ASP cloud-based software package are more prone to getting the Crypto Locker virus because they may not have good security procedures, may not keep Microsoft and anti-virus program updates current and, most important, may not maintain good off-site data back-up procedures.
Some practices that we’ve spoken to after they were infected had lax security standards and poor back-up procedures, to the point of not having a recoverable data back-up less than a month old. You can imagine the cost of losing 30 days of billing, payments, appointments, recall and patient note information.
That’s why we recommend that, if you own an independent medical practice without a professional IT manager, you look at moving to a professional IT managed services company or an ASP cloud-based software version. A professional IT managed services company can check that your server network is secure and that you are downloading the necessary software updates, provide automatic and timely off-site back-up, and monitor your network 24 hours a day, 7 days a week. If you encounter a problem, you have a company that understands your network and is ready and willing to assist you in recovering data from your off-site back-up files.
If you are running a million-dollar medical practice, several thousand dollars a year is an inexpensive insurance policy. Managed services may not be cheap, but they are a lot less expensive than trying to recover lost patient data.
Another alternative for smaller medical practices is an ASP (application service provider), or cloud-based, version of your in-house billing and/or EMR system. The advantage of a cloud-based system is that you no longer need to maintain a file server in your office. The servers are owned and maintained by the ASP and housed in a protected, professionally managed location that is staffed 24 hours a day, 7 days a week. You pay a monthly subscription fee to use the software and access your data via the Internet from anywhere. You are only responsible for local computers and printers. The ASP vendor is responsible for purchasing and maintaining the server, installing new versions of both Microsoft and medical application software and providing off-site back-up, removing these responsibilities from your staff. Most cloud-based vendors also provide redundancy in case of equipment failure, something most practices can’t afford on their own.
Physicians are familiar with dealing with medical viruses. Like a medical virus, a computer virus can be guarded against by taking careful steps, but never eradicated entirely. In addition to the above recommendations, here are some local steps that every medical practice should take:
1. Do not open any email attachment from any source that you do not recognize or expect to receive. I have a friend who loves sending me email jokes and attachments, and I won’t even open his attachments, and I know the guy. Who knows where he pulled this information from, and what’s hidden in it. I’d rather be safe than sorry.
2. Don’t click on pop-ups that appear on your computer screen.
3. This one is difficult to enforce, but instruct employees not to read personal email or visit websites other than well-known commercial ones from their work computer. Keep away from “shady” websites.
4. Make sure your office is using business-class, hosted endpoint protection (virus and security) software on all local computers, and make sure you keep it up to date.
5. If you don’t have a managed services or ASP contract that includes off-site back-up, the most important thing you can do while you plan on acquiring one is to maintain local multi-version back-ups on a daily basis. Your data back-up is the only protection that lets you restore your medical practice information after a ransomware attack. By multi-version I mean more than one back-up source or multiple types of back-up. We’ve encountered practices that continue to back up data onto the same medium repeatedly. If that one backup medium fails, they do not have a second source, and all data is lost. A system of daily back-ups on five separate media (Monday through Friday) is the traditional way of backing up data properly.
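The Monday-through-Friday rotation described in step 5, modelled as a small script. This is an added example, not code from the article or from STI Computer Services: each weekday writes to its own "media" directory, every run keeps a dated copy so several restore points exist on each medium, and every backup is written with a SHA-256 manifest so a copy can be verified before anyone relies on it for a restore. The directory layout, the `keep` count and the sample file are assumptions for illustration.

```python
"""Daily multi-version backup rotation with integrity verification (added example)."""
import datetime as dt
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumed layout: one "medium" per weekday, as in the five-media rotation.
WEEKDAY_SLOTS = ("Mon", "Tue", "Wed", "Thu", "Fri")


def slot_for(day: dt.date):
    """Media slot for a weekday, or None on weekends (no rotation run that night)."""
    idx = day.weekday()  # Monday == 0 ... Sunday == 6
    return WEEKDAY_SLOTS[idx] if idx < len(WEEKDAY_SLOTS) else None


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large data files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(source: Path, media_root: Path, day: dt.date, keep: int = 4):
    """Copy `source` to <media_root>/<slot>/<date>/data and write a hash manifest.

    Returns the backup directory, or None when `day` is not a rotation day.
    Within one slot only the newest `keep` dated versions are retained, so a
    single medium still offers several restore points (assumed retention policy).
    """
    slot = slot_for(day)
    if slot is None:
        return None
    dest = media_root / slot / day.isoformat()
    if dest.exists():
        shutil.rmtree(dest)  # a rerun on the same day replaces that day's copy
    data_dir = dest / "data"
    shutil.copytree(source, data_dir)  # creates the slot/date parents as needed
    manifest = {
        str(p.relative_to(data_dir)): sha256_of(p)
        for p in sorted(data_dir.rglob("*")) if p.is_file()
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1))
    versions = sorted(d for d in (media_root / slot).iterdir() if d.is_dir())
    for old in versions[:-keep]:
        shutil.rmtree(old)
    return dest


def verify_backup(backup_dir: Path) -> bool:
    """Recompute every file hash and compare with the manifest written at backup time.

    A backup copy that was itself encrypted, or a medium that failed, shows up as a
    mismatch or missing file; extra files not in the manifest also fail the check.
    """
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    data_dir = backup_dir / "data"
    for rel, digest in manifest.items():
        f = data_dir / rel
        if not f.is_file() or sha256_of(f) != digest:
            return False
    actual = {str(p.relative_to(data_dir)) for p in data_dir.rglob("*") if p.is_file()}
    return actual == set(manifest)


def list_restore_points(media_root: Path):
    """All restore points across every medium that still verify, newest first."""
    points = []
    for slot in WEEKDAY_SLOTS:
        slot_dir = media_root / slot
        if slot_dir.is_dir():
            points += [d for d in slot_dir.iterdir() if d.is_dir() and verify_backup(d)]
    return sorted(points, key=lambda d: d.name, reverse=True)


def demo_week(start: dt.date = dt.date(2024, 1, 8)):
    """Seven nightly runs from `start` (a Monday), then damage one copy and recount.

    Returns a summary dict; the sample schedule file is constructed for the demo.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "practice_data"
        src.mkdir()
        (src / "schedule.csv").write_text("2024-01-08,Patient A,09:00\n")  # constructed
        media = Path(tmp) / "media"
        made = [run_backup(src, media, start + dt.timedelta(days=n)) for n in range(7)]
        runs = [d for d in made if d is not None]
        before = len(list_restore_points(media))
        # Simulate Wednesday's copy being overwritten (e.g. encrypted or a bad medium).
        (runs[2] / "data" / "schedule.csv").write_bytes(b"\x00encrypted\x00")
        after = len(list_restore_points(media))
        return {"runs": len(runs), "skipped": made.count(None),
                "verified_before": before, "verified_after": after}


if __name__ == "__main__":
    print(demo_week())  # {'runs': 5, 'skipped': 2, 'verified_before': 5, 'verified_after': 4}
```

The point of the manifest is the step most practices skip: a backup that has never been verified is not known to be restorable, and in the scenario above the damaged Wednesday copy is excluded automatically while the other four media still provide good restore points. In real use the media directories would be separate removable drives or network targets, and the manifest should be kept on a medium the workstation that runs the backup cannot overwrite.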
It’s important to understand that you cannot eliminate the risk of a ransomware attack, but your patient information is too valuable not to take every precaution possible to protect your medical practice from a financial loss.