The recent ransomware attack on MedStar Health, located in the Washington, D.C./Baltimore area and made up of 10 area hospitals, is another indication of the current vulnerability of our nation’s medical records. In fact, cyber-invasions represent the fastest-growing threat to clinical information security, according to the FBI.
Ransomware reaches organizations through the Internet. Employees can introduce the software into the system by clicking on infected attachments or URLs. MedStar was able to bring its systems back online without paying the hackers, who had requested $19,000. They used their system backups to restore their clinical information systems, and this approach saved the organization’s reputation, and possibly patient lives as well.
Another approach is being used by the University of Maryland and related hospitals and medical schools. They are collaborating on a regular basis, using their information officers or security chiefs to share knowledge. The IT departments are working together to discuss updates to their systems, software patches to be applied, and other best practices to fight hackers. This organization believes that working as a single defense unit will put up a barrier to these types of attacks.
At least six major academic systems have experienced cyber-invasions this year. These attacks can impact clinical information, but more importantly, patient care. Areas that are vulnerable in a facility are:
- Medical records – allergies or current medications can be amended or deleted.
- Work orders – wrong medication is delivered to the wrong facility.
- Medications – dosages could be changed.
- Surgery – documentation could be changed regarding the location of the procedure.
- Biological materials (e.g., blood, medical devices, etc.).
The hackers are so bold that some have set up call centers to “help” organizations get back online. They also assist facilities in paying ransoms in bitcoin, because it is difficult to trace. At the current exchange rate, one bitcoin is worth $427.33.
Healthcare organizations are viewed as vulnerable, as their records are becoming more and more digitized and protections are not as current as they should be. Recent events are seen as encouragement for more cyber-invasions because in some instances, the hackers have been paid.
Here are the 10 best practices to protect a healthcare organization from hacking, according to Healthcare Business and Technology:
- Protect the network – segregate the network to limit the amount of damage.
- Educate staff members – on secure passwords, HIPAA requirements, and phishing avoidance.
- Encrypt portable devices – any device that maintains personal health information should be encrypted to avoid a breach due to lost or stolen devices.
- Secure wireless networks – ensure that wireless networks have passwords to protect them from unauthorized access.
- Implement physical security controls – server rooms should be locked just as file cabinets are closed to prevent unauthorized release of information.
- Write a mobile device policy – managing data that can or cannot be stored on mobile devices.
- Delete unnecessary data – organizations should have a policy to delete any data that is no longer required.
- Vet third-party security – ensure that cloud computing or other third-party vendors are diligent regarding data security.
- Patch electronic medical devices – pacemakers and monitoring tools are vulnerable to being hacked. It is important that these devices have up-to-date security software.
- Have a data breach response plan – develop a plan and educate staff regarding how to respond in the event of a cyber-invasion.
From an ICD-10 perspective, we should be concerned about securing our clinical information so that we can code and drop claims properly.