Updated on: November 28, 2016

Ransomware: An Emerging National Threat

Original story posted on: May 16, 2016
The recent ransomware attack on MedStar Health, located in the Washington, D.C./Baltimore area and comprised of 10 area hospitals, is another indication of the current vulnerability of our nation’s medical records. In fact, cyber-invasions represent the fastest-growing threat to clinical information security, according to the FBI.  

Ransomware affects organizations through the Internet. Employees can click on infected attachments or URLs to introduce the software into the system. MedStar was able to bring its systems back online without paying the hackers, who had requested $19,000. The organization used its system backups to restore its clinical information systems, and this approach saved the organization’s reputation, and possibly patient lives as well.

Another approach is being used by the University of Maryland and related hospitals and medical schools. They are collaborating on a regular basis, using their information officers or security chiefs to share knowledge. The IT departments are working together to discuss updates to their systems, software patches to be applied, and other best practices to fight hackers. This organization believes that working as a single defense unit will put up a barrier to these types of attacks.  

At least six major academic systems have experienced cyber-invasions this year. These attacks can impact clinical information, but more importantly, patient care. Areas that are vulnerable in a facility are: 

  1. Medical records – allergies or current medications can be amended or deleted.
  2. Work orders – wrong medication is delivered to the wrong facility.
  3. Medications – dosages could be changed.
  4. Surgery – documentation could be changed regarding the location of the procedure.
  5. Biological materials (e.g., blood, medical devices, etc.).

The hackers are so bold that some have set up call centers to “help” organizations get back online. They also assist facilities in paying ransoms in bitcoin, because it is difficult to trace. At the current conversion rate, one bitcoin equals $427.33.

Healthcare organizations are viewed as vulnerable, as their records are becoming more and more digitized and protections are not as current as they should be. Recent events are seen as encouragement for more cyber-invasions because in some instances, the hackers have been paid.

Here are the 10 best practices to protect a healthcare organization from hacking, according to Healthcare Business and Technology:

  1. Protect the network – segregate the network to limit the amount of damage.
  2. Educate staff members – on secure passwords, HIPAA requirements, and phishing avoidance.
  3. Encrypt portable devices – any device that maintains personal health information should be encrypted to avoid a breach due to lost or stolen devices.
  4. Secure wireless networks – ensure that wireless networks have passwords to protect them from unauthorized access.
  5. Implement physical security controls – server rooms should be locked just as file cabinets are closed to prevent unauthorized release of information.
  6. Write a mobile device policy – managing data that can or cannot be stored on mobile devices.
  7. Delete unnecessary data – organizations should have a policy to delete any data that is no longer required.
  8. Vet third-party security – ensure that cloud computing or other third-party vendors are diligent regarding data security.
  9. Patch electronic medical devices – pacemakers and monitoring tools are vulnerable to being hacked. It is important that these devices have up-to-date security software.
  10. Have a data breach response plan – develop a plan and educate staff regarding how to respond in the event of a cyber-invasion.

From an ICD-10 perspective, we should be concerned about securing our clinical information so that we can code and drop claims properly.

Disclaimer: Every reasonable effort was made to ensure the accuracy of this information at the time it was published. However, due to the nature of industry changes over time we cannot guarantee its validity after the year it was published.

Laurie M. Johnson, MS, RHIA, FAHIMA, AHIMA Approved ICD-10-CM/PCS Trainer

Laurie M. Johnson, MS, RHIA, FAHIMA, AHIMA Approved ICD-10-CM/PCS Trainer is currently a senior healthcare consultant for Revenue Cycle Solutions, based in Pittsburgh, Pa. Laurie is an American Health Information Management Association (AHIMA) approved ICD-10-CM/PCS trainer. She has more than 35 years of experience in health information management and specializes in coding and related functions. She has been a featured speaker in over 40 conferences. Laurie is a member of the ICD10monitor editorial board and makes frequent appearances on Talk Ten Tuesdays.
