May 16, 2016

Ransomware: An Emerging National Threat

The recent ransomware attack on MedStar Health, located in the Washington, D.C./Baltimore area and comprising 10 area hospitals, is another indication of how vulnerable our nation’s medical records currently are. In fact, cyber-invasions represent the fastest-growing threat to clinical information security, according to the FBI.

Ransomware reaches organizations through the Internet, most often by e-mail: an employee opens an infected attachment or clicks a malicious URL, and the software is introduced into the system, where it encrypts files and demands payment for the key. MedStar was able to bring its systems back online without paying the hackers, who had requested $19,000. The organization used its system backups to restore its clinical information systems; that is only possible when backups are kept separate from the network the ransomware can reach and are tested regularly, and in this case the approach saved the organization’s reputation and possibly patient lives as well.
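Because the e-mail attachment is the entry point described above, a practical first check is to screen inbound attachments for the file types that carry ransomware droppers before they reach an inbox. The following is an added example written for this article, not MedStar’s or any vendor’s tooling; the extension lists, the hypothetical addresses, and the sample message are all constructed assumptions to be tuned per site.

```python
"""Flag e-mail attachments of the kind that commonly deliver ransomware.

Added example for this article; not production tooling from any organization
named in it. The extension lists below are illustrative assumptions.
"""
import email
from email import policy
from email.message import EmailMessage

# Directly executable or script types: opening one is enough to start encryption.
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".js", ".jse", ".vbs", ".vbe",
              ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".msi", ".jar"}
# Office formats that can carry macros, a common dropper vehicle.
MACRO_DOCS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
# Harmless-looking extensions placed before the real one (invoice.pdf.exe),
# relying on mail clients that hide the last suffix.
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Archives hide their contents from a filename-only check.
ARCHIVES = {".zip", ".rar", ".7z", ".ace", ".arj"}


def risky_reasons(filename):
    """Return the reasons an attachment filename looks dangerous (empty if none).

    Extensionless names are flagged too: a name that gives no type is treated
    as suspicious rather than trusted (a conservative policy assumption).
    """
    suffixes = ["." + p for p in filename.lower().split(".")[1:]]
    if not suffixes:
        return ["no extension; type cannot be judged from the name"]
    last = suffixes[-1]
    reasons = []
    if last in EXECUTABLE:
        reasons.append("executable or script attachment " + last)
        if len(suffixes) > 1 and suffixes[-2] in DECOY:
            reasons.append("double extension hides " + last + " behind " + suffixes[-2])
    elif last in MACRO_DOCS:
        reasons.append("macro-enabled Office document " + last)
    elif last in ARCHIVES:
        reasons.append("archive " + last + "; contents not inspected here")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 5322 message; map each attachment filename to its risk reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings[name] = risky_reasons(name)
    return findings


def should_quarantine(raw):
    """Policy decision: hold the whole message if any attachment is flagged."""
    return any(reasons for reasons in scan_message(raw).values())


def build_sample():
    """Constructed phishing lure for the demo, not a real campaign sample."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"          # hypothetical sender
    msg["To"] = "staff@hospital.example.invalid"     # hypothetical recipient
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice today.")
    # A fake executable disguised with a .pdf decoy extension.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # A genuinely harmless-looking PDF attachment alongside it.
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    for name, reasons in scan_message(raw).items():
        print(name, "->", reasons or "ok")
    print("quarantine:", should_quarantine(raw))
```

A filename check is the cheapest layer, not the only one: it says nothing about archives or about a benign-looking document with a malicious link, so it belongs in front of a content scanner and the staff training the article recommends, not in place of them.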

Another approach is being used by the University of Maryland and its related hospitals and medical schools. They collaborate on a regular basis, with their information officers or security chiefs sharing knowledge. The IT departments work together to discuss updates to their systems, software patches to be applied, and other best practices for fighting hackers. The group believes that working as a single defense unit will put up a barrier to these types of attacks.

At least six major academic health systems have experienced cyber-invasions this year. These attacks can impact clinical information and, more importantly, patient care, because the records that drive care can be altered as well as locked. Areas that are vulnerable in a facility are:

  1. Medical records – allergies or current medications can be amended or deleted.
  2. Work orders – the wrong medication is delivered, or medication is delivered to the wrong facility.
  3. Medications – dosages could be changed.
  4. Surgery – documentation could be changed regarding the site of the procedure.
  5. Biological materials and devices (e.g., blood products, medical devices).
The hackers are so bold that some have set up call centers to “help” organizations get back online. They also assist facilities in paying ransoms in bitcoin, which they favor because, although every bitcoin transaction is publicly recorded, the wallets involved are pseudonymous and tying them to a person is difficult. At the time of writing, one bitcoin converts to $427.33.

Healthcare organizations are viewed as vulnerable, as their records are becoming more and more digitized and protections are not as current as they should be. Recent events are seen as encouragement for more cyber-invasions because in some instances, the hackers have been paid.

Here are the 10 best practices to protect a healthcare organization from hacking, according to Healthcare Business and Technology:

  1. Protect the network – segment the network so that a compromise of one zone (for example, staff workstations) cannot spread to clinical systems or backups, limiting the amount of damage.
  2. Educate staff members – on secure passwords, HIPAA requirements, and phishing avoidance.
  3. Encrypt portable devices – any device that holds personal health information should be encrypted to avoid a breach when a device is lost or stolen.
  4. Secure wireless networks – ensure that wireless networks require authentication with current encryption (not open or legacy WEP networks) and that guest Wi-Fi is kept apart from the clinical network.
  5. Implement physical security controls – server rooms should be locked just as file cabinets are closed to prevent unauthorized release of information.
  6. Write a mobile device policy – governing what data can and cannot be stored on mobile devices.
  7. Delete unnecessary data – organizations should have a policy to delete any data that is no longer required; data that is not kept cannot be held for ransom.
  8. Vet third-party security – ensure that cloud computing or other third-party vendors are diligent regarding data security.
  9. Patch electronic medical devices – pacemakers and monitoring tools are vulnerable to being hacked. It is important that these devices run the manufacturer’s current firmware and security updates, and that devices that cannot be patched are isolated on the network.
  10. Have a data breach response plan – develop a plan and educate staff regarding how to respond in the event of a cyber-invasion.
From an ICD-10 perspective, we should be concerned about securing our clinical information so that we can code and drop (submit) claims properly.
Laurie Johnson, MS, RHIA, CPC-H, FAHIMA, AHIMA-Approved ICD-10-CM/PCS Trainer

Laurie M. Johnson, MS, RHIA, FAHIMA is currently a senior healthcare consultant for Revenue Cycle Solutions, based in Pittsburgh, Pa. Laurie is an American Health Information Management Association (AHIMA) approved ICD-10-CM/PCS trainer. She has more than 35 years of experience in health information management and specializes in coding and related functions. She has been a featured speaker in over 40 conferences. Laurie is a member of the ICD10monitor editorial board and makes frequent appearances on Talk Ten Tuesdays.
