EHR hackers encrypt files, demand ransom

Few data breaches are as malicious or as in-your-face as a recent attack on Surgeons of Lake County, a small practice in Libertyville, Ill. Hackers gained access to a server that stored emails and electronic medical records. They encrypted and password-protected the files and then posted a ransom note on the server demanding payment in exchange for the password to unlock the files.

The practice instead shut off the server and called police.

"This story is so ironic--most people worry that their health records will be spread all over their local newspaper," Dorothy Glancy, a professor at Santa Clara University's law school who specializes in digital privacy, told Bloomberg's Tech Blog. "But in this case, the doctors--in fact, nobody--can access these records."

In fact, not all hackers steal health records data for personal gain--some hack EHRs just for the fun of it, attorney Robert Hudock, with Epstein, Becker Green in Washington, D.C., said in a recent interview with FierceEMR. "It's very easy to scan for vulnerability and execute an exploit. People are curious," he said.

In the interview, Hudock, who is a certified "ethical hacker," outlined 10 ways to protect against EHR hackers. EHRs should live on a segregated server, for example, and organizations should run regular risk assessments and audits.

The Surgeons of Lake County breach, which affected the records of more than 7,000 patients, according to the U.S. Department of Health & Human Services, happened in June. The practice sent out a release about it--but the news wasn't widely reported until it was posted on HHS's list of data breaches affecting 500 or more individuals and on the Privacy Rights Clearinghouse site.

Although HHS' breach classifications include a category for hacking, HHS has this incident listed in the "other" column.

To learn more:
- here's the Surgeons of Lake County announcement
- here's HHS's health data breach site
- and the Privacy Rights Clearinghouse site
- read the Bloomberg post