Case Study – Ransomware Attack Forces Practice To Close


Many practices believe that a ransomware attack is nothing more than a nuisance to their business. But one practice in Michigan found out that ransomware can be costly. In this case, the practice was forced to close down permanently. Patient records were all completely lost and patients have been left scrambling to find replacement physicians. Without records to send to new physicians, patients are in a tough position due to a ransomware attack.

What happened?

Brookside ENT and Hearing Center in Battle Creek, Michigan, was the victim of a ransomware attack earlier this year. The entire patient records database was encrypted and the practice was locked out of the data. The attackers demanded $6,500 in payment to release the data.

The two owners of the practice, Dr. William Scalf and Dr. Jason Bizon, decided against paying the ransom because they had no guarantee that the attackers would release the data after payment.

When the payment wasn’t made, the attackers deleted all of the practice’s data. This included all patient records, billing information, and appointment schedules.

What was the result?

According to Dr. Bizon, the database for the patient records was encrypted and therefore wasn’t accessible to the attackers. He stated that no data was released in this breach. However, all data was deleted.

Because of this, the physicians decided to close the practice and retire early rather than attempt to rebuild.

The practice will officially close on April 30, 2019.

The office has been working to find referral physicians for its patients. However, since no medical records exist, a lot of stress has been created for the patients. Those with complex medical histories have no way to get that information to a new physician.

Dr. Bizon stated that the FBI is now investigating the breach.

How can a ransomware attack impact your practice?

Ransomware infects a computer and then encrypts all the data on that computer with a key that is nearly impossible to crack. Once the data is encrypted, it is not accessible to the victim. The ransomware then presents a ransom demand: a payment to be made in exchange for releasing the data. If the ransom is paid, the data is sometimes released, but the victim has no way to know for sure that it will be. Because of this, victims often choose not to pay.

If a victim doesn’t have proper backups, then at this point they will lose everything. That is what happened in this case: the practice lost everything and wasn’t able to recover.

How can you protect yourself from a ransomware attack?

The first step in protecting your practice from any type of attack is your Risk Assessment. Everything starts with the Risk Assessment. If you haven’t already performed one, then you need to do that before anything else. This will let you know what areas of your practice are exposed.

This specific case illustrates the necessity for a good backup system. A good system to use is the 3-2-1 backup system. A 3-2-1 system works as follows:

  • 3 copies of your data
  • 2 different types of devices are used for your data (the original data on the server and another, such as an offsite backup or backup drives)
  • 1 of these backups must be offsite.

If the practice above had followed this, then the worst-case scenario is that they might have lost one day’s worth of data by restoring the previous day’s offsite backup. One day to rebuild is a lot easier than starting from scratch.
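
As an added example (not part of the original article), the Python below audits a backup inventory against the 3-2-1 rule and also checks that the newest offsite copy is no more than one day old, which is what keeps the worst case at one day of lost data. The BackupCopy fields, the media labels and the sample inventories are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str            # label for this copy (constructed sample names below)
    media: str           # device type holding it, e.g. "server-disk", "usb-drive"
    offsite: bool        # True if stored away from the practice's premises
    last_good: datetime  # when this copy was last written successfully

def audit_321(copies, now, max_age=timedelta(days=1)):
    """Return 3-2-1 findings for an inventory; an empty list means it passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"copies: found {len(copies)}, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"devices: found {len(media)} type(s), need 2")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("offsite: no copy is stored offsite")
    else:
        # Data lost after a restore is bounded by the age of the newest offsite copy.
        age = min(now - c.last_good for c in offsite)
        if age > max_age:
            findings.append(f"offsite: newest copy is {age} old, limit {max_age}")
    return findings

# Constructed sample inventories (not data from the case described above).
NOW = datetime(2019, 4, 1, 8, 0)
GOOD = [
    BackupCopy("live database", "server-disk", False, NOW),
    BackupCopy("nightly local backup", "usb-drive", False, NOW - timedelta(hours=7)),
    BackupCopy("nightly offsite backup", "cloud", True, NOW - timedelta(hours=6)),
]
# Two copies on the same server and nothing offsite: both are lost together.
BAD = GOOD[:1] + [BackupCopy("second folder", "server-disk", False, NOW)]
# The offsite job stopped succeeding three days ago without anyone noticing.
STALE = GOOD[:2] + [BackupCopy("nightly offsite backup", "cloud", True, NOW - timedelta(days=3))]

if __name__ == "__main__":
    for label, inv in (("GOOD", GOOD), ("BAD", BAD), ("STALE", STALE)):
        print(label, audit_321(inv, NOW) or "meets 3-2-1")
```

Running a check like this after every backup job surfaces a silently failing offsite copy before it is needed for a restore.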

Your data is what drives your practice and it must be protected.

Having a backup and disaster recovery plan is required under HIPAA regulations. Here is a statement by the Department of Health and Human Services (HHS) concerning backups:

“Covered entities must have contingency plans that establish policies and procedures for responding to an emergency or other occurrences (fire, system failure, and natural disaster) that damages systems that contain e-PHI.” HHS

After you have ensured you have a good backup and disaster recovery plan, make sure you have good anti-malware protection on each of the computers on your network. This will help to lower your risk of infection.

Finally, make sure the network is secured with a commercial-grade firewall and that all outside users who need access do so via a VPN (Virtual Private Network) connection. This ensures that there are no open services live on the Internet to be attacked by hackers or other cyber criminals.


Ransomware is serious. This example shows just how serious it can be, especially for the small practice. Many small practices don’t have an on-staff IT person to ensure all of these items are addressed. This is why many small practices fall victim to ransomware and phishing-type attacks. The ransomware threat will continue as long as attackers are able to make money from it without much risk.