Electronic health records can do many things. But they need a little help when it comes to fending off cybercrime.
In the latest of an alarming rise in security shortfalls, Mount Pleasant, Texas-based Titus Regional Medical Center (TRMC) suffered a cyberattack of its EHR system, making it inaccessible due to ransomware.
Ransomware is one of the most insidious forms of cybercrime. The hackers don't necessarily want to snoop into patient medical records or steal data to commit identity theft. While the data in those situations has been compromised, at least in most cases the healthcare organization that suffered the breach can still access the EHR to treat patients.
Not so with ransomware, which installs a virus to encrypt the data and take control of it, rendering the EHRs inaccessible to clinicians until and unless a ransom is paid. Many of these demands are for ransom payments in Bitcoins, making catching the responsible criminal virtually impossible.
As of this writing, it was unknown whether TRMC planned to pay the ransom to unlock the cyberthief's encryption. It has hired a forensic specialist to help it resolve the problem. And the hospital is reverting to paper records, so it's still operating.
But without the electronic data that's becoming so ubiquitous, this data blocking can cause significant patient harm.
And it's only going to get worse. While some expect ransomware attacks increase, others predict that they'll begin to target medical devices in 2016. How? In many instances via the connected EHR. That means that if you don't pay the ransom, the hacker will turn off an infusion pump or a heart monitor. Patient harm is virtually guaranteed. That's scary.
But what's almost--or even more--scary is that here we are in 2016 and healthcare organizations still are not taking basic steps to fight cyberattacks such as ransomware. Many are not conducting risk analyses of their electronic data to determine their vulnerabilities, as required by both HIPAA and the Meaningful Use program. And they're not adequately protecting medical and mobile devices. Those are some of the most common findings of HIPAA enforcement actions taken by the Department of Health and Human Services' Office for Civil Rights.
Why? Do they think that since there's been relatively little enforcement that they won't be caught? That they have greater priorities on their time and resources?
The truth is that the reason doesn't matter, because there's no excuse. Many cyberattacks on EHRs are preventable. While TRMC hasn't indicated just how it ended up with ransomware on its system, I'd wager that the hackers were going after low hanging fruit, pinging systems everywhere to find those most vulnerable.
Covered entities and business associates, please double check how secure your EHR systems are, and ensure that you've taken steps to fend off cyberattacks, including ransomware. Fight back.
Yes, the entity suffering the cybercrime is a victim. No doubt about it. But when you walk down a dark street, don't you take precautions to make yourself less of a target? When you leave your house, don't you lock the door?
The same principles apply here. Don't be the low hanging fruit. Otherwise you'll be the one plucked from the tree and devoured. - Marla (@MarlaHirsch and @FierceHealthIT)