A ransomware attack this week that hit Pennsylvania doctors' offices serves as another urgent reminder for practices to ensure their electronic security.
Tuesday’s global ransomware attack, the second one in as many months, infected the Sewickley, Pennsylvania-based Heritage Valley Health System with malware known as Petya, which crippled the entire health system, including its physician offices.
Heritage Valley was still dealing with the aftermath Wednesday, according to The Beaver County Times. For one patient, that meant her doctor dictated instructions to an assistant, who took notes on a blank sheet of paper, and patient and physician relied on memory for past medical history and medications, the article said.
Meanwhile, surgeons canceled some operations for a second day Wednesday at the system’s hospital in Beaver, Pennsylvania, one doctor told The Wall Street Journal.
Dale Yakish, M.D., an orthopedic surgeon at the Association of Specialty Physicians, said while its computers were frozen, his group practice still had access to patient medical records, which are on paper. “We’ve been slow to get rid of our paper records. After this, we may be a little slower,” he told the WSJ.
Steps to protect your practice
This week’s cyberattack and others, including May’s WannaCry ransomware attack, demonstrate the need for strong electronic security.
“Sometimes the small practice physicians think they won’t be targeted because they have less information, but what we’re learning is that everyone is vulnerable because health data is very valuable,” Deven McGraw, deputy director for Health Information Privacy for the Office for Civil Rights at the U.S. Department of Health and Human Services, told Medical Economics prior to the most recent attack.
Attacks are becoming more sophisticated, and health systems must step up efforts to ensure they don’t become victims, Michael Kaiser, executive director of the National Cyber Security Alliance, told The Beaver County Times.
Just like individuals, practices should continually update their devices with software patches or fixes, and use strong passwords or other authentication measures, he said. They should regularly conduct backups of their systems, so systems can be restored if ransomware or other attacks block them from accessing their computers.
While prevention is the goal, organizations also should be prepared to respond to and recover from an attack to minimize disruptions, he said.
Because they are focused on patient care and often lack a dedicated staff member to handle IT, many physician offices aren’t following basic security measures: they run out-of-date hardware and software, fail to download security patches, and skimp on security technologies, according to Medical Economics.
A security risk assessment, required by HIPAA, can help practices identify their weaknesses. Adopting strong passwords and keeping antivirus programs up to date so they catch the latest threats can also help protect patient information.