May 16, 2016

Ransomware: An Emerging National Threat

The recent ransomware attack on MedStar Health, a system of 10 hospitals in the Washington, D.C./Baltimore area, is another indication of how vulnerable our nation’s medical records currently are. In fact, cyber-invasions represent the fastest-growing threat to clinical information security, according to the FBI.

Ransomware typically enters an organization over the Internet: an employee opens an infected e-mail attachment or clicks a malicious URL, and the software installs itself and encrypts the data it can reach on the network. MedStar was able to bring its systems back online without paying the hackers, who had demanded $19,000. It restored its clinical information systems from backups, and that approach saved the organization’s reputation and possibly patient lives as well. Restoring from backup works only when the backups were out of the attackers’ reach and have been tested, so backups should be kept offline or otherwise isolated from the production network.
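The attachment vector described above is where a mail gateway gets its first chance to stop an infection. The following is an added example written for this article (not MedStar’s tooling or any vendor’s product) of attachment triage logic: it blocks executable and script file types, quarantines macro-enabled Office documents for review, looks inside ZIP archives (including nested ones, up to a depth limit) for the same file types, and catches the right-to-left-override trick that makes a name like `evil‮fdp.exe` display as `evilexe.pdf`. The attachment names and contents below are constructed samples.

```python
"""Mail-gateway style attachment triage for ransomware delivery (added example)."""
import io
import zipfile

# File types that have no business arriving by e-mail in a clinical environment.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".dll", ".lnk",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
}
# Office formats that can carry macros: hold for review rather than deliver.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_ARCHIVE_DEPTH = 2          # how many nested archives we are willing to open
RIGHT_TO_LEFT_OVERRIDE = "\u202e"  # disguises 'scan[RLO]fdp.exe' as 'scanexe.pdf'


def extension_of(filename: str) -> str:
    """Last extension, lower-cased; 'invoice.pdf.exe' -> '.exe'."""
    name = filename.lower().rstrip()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def classify_name(filename: str) -> str:
    """Verdict from the file name alone: 'block', 'review' or 'allow'."""
    if RIGHT_TO_LEFT_OVERRIDE in filename:
        return "block"
    ext = extension_of(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        return "block"
    if ext in MACRO_EXTENSIONS:
        return "review"
    return "allow"


def triage_attachment(filename: str, data: bytes, depth: int = 0) -> str:
    """Verdict for one attachment, descending into ZIP archives."""
    verdict = classify_name(filename)
    if verdict != "allow" or extension_of(filename) not in ARCHIVE_EXTENSIONS:
        return verdict
    if depth >= MAX_ARCHIVE_DEPTH:
        return "review"            # too deeply nested to inspect: quarantine
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                if member.flag_bits & 0x1:   # encrypted member: cannot inspect
                    verdict = "review"
                    continue
                inner = triage_attachment(member.filename, archive.read(member), depth + 1)
                if inner == "block":
                    return "block"
                if inner == "review":
                    verdict = "review"
    except zipfile.BadZipFile:
        return "review"            # corrupt or not really a ZIP: quarantine
    return verdict


def build_zip(members: dict) -> bytes:
    """Constructed sample archive: {name: content} -> ZIP bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments, one per case the triage should handle.
SAMPLE_ATTACHMENTS = {
    "lab_results.pdf": b"%PDF-1.4 constructed sample",
    "invoice.pdf.exe": b"MZ constructed sample",
    "budget.xlsm": b"PK constructed sample",
    "scan\u202efdp.exe": b"MZ constructed sample",
    "records.zip": build_zip({"readme.txt": b"hello", "patient_list.js": b"var x;"}),
    "nested.zip": build_zip({"inner.zip": build_zip({"deep.zip": build_zip({"x.exe": b"MZ"})})}),
    "broken.zip": b"not a zip at all",
}


def triage_all(attachments: dict) -> dict:
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:<7} {name!r}")
```

The three-way verdict matters in practice: blocking is cheap for file types no clinician sends by e-mail, while macro-enabled spreadsheets and unreadable archives are common enough in finance and billing that silently dropping them would push staff toward workarounds, so those go to a quarantine for review instead.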

The University of Maryland and its affiliated hospitals and medical schools are taking another approach. Their chief information officers and security chiefs meet on a regular basis to share knowledge, and their IT departments work together on system updates, software patches to be applied, and other best practices for fighting hackers. The group believes that operating as a single defense unit puts up a stronger barrier against these types of attacks.

At least six major academic health systems have experienced cyber-invasions this year. These attacks can affect clinical information and, more importantly, patient care. Areas of a facility that are vulnerable include:

  1. Medical records – allergies or current medications can be amended or deleted.
  2. Work orders – the wrong medication is delivered, or medication is delivered to the wrong facility.
  3. Medications – dosages could be changed.
  4. Surgery – documentation could be changed regarding the site of the procedure.
  5. Biological materials and devices (e.g., blood products, medical devices).

The hackers are so bold that some have set up call centers to “help” organizations get back online. They also assist facilities in paying ransoms in bitcoin, because it is difficult to trace. At the time of this writing, one bitcoin converts to $427.33.

Healthcare organizations are viewed as soft targets: their records are increasingly digitized while their protections are not as current as they should be. Recent events encourage further cyber-invasions because in some instances the hackers have been paid.

Here are the 10 best practices to protect a healthcare organization from hacking, according to Healthcare Business and Technology:

  1. Protect the network – segment the network (for example, keeping clinical systems, medical devices and business workstations on separate segments) so that one infected machine cannot reach everything, which limits the amount of damage.
  2. Educate staff members – on strong passwords, HIPAA requirements, and how to recognize and report phishing e-mails.
  3. Encrypt portable devices – any laptop, phone or USB drive that holds protected health information should be encrypted at rest, so that a lost or stolen device does not become a breach.
  4. Secure wireless networks – wireless networks should require authentication and use current encryption (WPA2 or later, never an open or WEP network), and guest Wi-Fi should be kept separate from clinical systems.
  5. Implement physical security controls – server rooms should be locked just as file cabinets are, to prevent unauthorized access to information.
  6. Write a mobile device policy – defining what data can and cannot be stored on mobile devices.
  7. Delete unnecessary data – organizations should have a retention policy and delete data that is no longer required; data that is not kept cannot be stolen or held for ransom.
  8. Vet third-party security – ensure that cloud computing and other third-party vendors are diligent about data security, and put those obligations in writing in the business associate agreement.
  9. Patch electronic medical devices – pacemakers, infusion pumps and monitoring tools are vulnerable to being hacked. It is important to keep their firmware and software up to date, and to isolate on their own network segment any devices that cannot be patched.
  10. Have a data breach response plan – develop a plan, including tested backups and restoration procedures, and train staff on how to respond in the event of a cyber-invasion.

From an ICD-10 perspective, we should be concerned about securing our clinical information so that we can code and drop claims properly.
Laurie Johnson, MS, RHIA, CPC-H, FAHIMA, AHIMA-Approved ICD-10-CM/PCS Trainer

Laurie M. Johnson, MS, RHIA, FAHIMA is currently a senior healthcare consultant for Revenue Cycle Solutions based in Pittsburgh, Pa. Laurie is an AHIMA approved ICD-10-CM/PCS Trainer. She has more than 35 years of experience in health information management and specializes in coding and related functions. She has been a featured speaker in over 40 conferences and will be speaking at 2017 AHIMA Coding Community Meeting in Los Angeles, Ca. Laurie has been a frequent guest on Talk Ten Tuesdays.
