Tip: Even simple staff training can help make a difference.

If you think your practice isn’t at risk for a ransomware attack because you’re a small group, think again. A recent data security incident showed that everyone is a potential target. Read on to learn from another group’s experience.

Here’s what happened: An optometry group in Prospect, Ct., discovered its files had been encrypted and received a ransom request from hackers to release 23,500 patients’ ePHI. The Nov. 29, 2018 attack “affected our network and some patient files by encrypting them,” said the practice in an incident report.

After restoring the network with backup files, an investigation showed “that patient files containing personal information were stored on two servers infected by the ransomware. This information may have included patients’ names, Social Security numbers, and limited treatment information,” noted the brief. The practice immediately moved to prevent further attacks and strengthened its cybersecurity protocols by “closing all remote access to the network, installing enhanced antivirus software, and obtaining ransomware protection,” the release explained.

Handle – or Head Off – the Threat of Hacks

Luckily, the optometry practice had a plan in place that contained the damage. There are some steps you can take to cut down your chances of an attack before it happens while boosting your compliance protocols in the process.

Practices that ignore necessary software updates and installations leave the door open for hackers to step right in and infiltrate their systems. “The first two steps I recommend practices take to prevent ransomware are to make sure their antivirus and vulnerability patch management programs are in good shape,” advises Jen Stone, MSCIS, CISSP, QSA, a security analyst with Security Metrics in Orem, Utah.

Step 1: Install software that detects and prevents ransomware issues.

“Antivirus [software] needs to be installed on all computers in the practice, configured to update automatically, perform both real-time and regularly scheduled scans, and not be able to be uninstalled except by administrators,” stresses Stone.

Step 2: Keep your software patches updated.

“Vulnerability patch management is making sure operating systems and applications are regularly updated with security patches,” Stone says. “One of the most common vulnerabilities I see with customers is that they either don’t regularly patch their computers or, worse yet, they use older, unsupported operating systems, such as Windows XP, that can’t be patched.”

Comprehensive compliance planning helps manage your practice’s risk of a ransomware attack, too. Annually assessing, then analyzing, and finally managing your risk helps you “determine which security controls to implement, based on the unique risks of the organization,” Stone says.

Find Funding for IT Security

The upkeep and implementation of a data security plan that includes HIPAA compliance can be costly, but the price tag of a cyber incident usually far outweighs what you would have spent preparing your practice in the first place.

OCR worries: “For a long time, and still today, many compliance officers struggle to get the budget they need from upper management/executives to invest in their privacy and security program,” observes attorney Kathleen D. Kenney, of Polsinelli LLP in Chicago. However, she maintains that investing upfront is essential and can be “night and day” if the HHS Office for Civil Rights should come knocking.

In addition, “cheap or free tools typically require more manual configuration and operation, so committing less budget to the tools could mean spending more on personnel to manage them,” Stone warns. “Not having the security controls in place at all only saves money until the breach happens.”

Tip: Training is key for small practices on a budget, indicates Stone.

“For example, two common ways ransomware infects computers are through clicking on an infected email attachment and downloading malware from an infected website. If workforce members can be trained not to click on attachments and to stay away from all non-work-specific websites, the risk of being infected by ransomware will be lower.” Stone adds, “It would be even better if an email filter and the ability to block executables were implemented as well.”
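To turn Step 1 and Step 2 into something a practice can actually check on each workstation, here is an added PowerShell audit script (not from the article or from Security Metrics) that assumes Microsoft Defender is the installed antivirus; the age thresholds and the "older than Windows 10 is unsupported" rule are assumptions to adjust for your environment.

```powershell
# Added example (not the article's): audit one Windows host against the
# antivirus and patch-management controls described above. Assumes Microsoft
# Defender; other antivirus products need their own status cmdlets.
function Test-RansomwareBaseline {
    param(
        [int]$MaxSignatureAgeDays = 2,   # assumed: older signatures = not auto-updating
        [int]$MaxPatchAgeDays     = 45   # assumed: no update in this window = patching lapsed
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $now = Get-Date

    # Step 2: an unsupported OS cannot receive security patches at all.
    # Assumption: anything older than the 10.0 kernel line is out of support.
    $os = Get-CimInstance Win32_OperatingSystem
    if ([version]$os.Version -lt [version]'10.0') {
        $findings.Add("Unsupported OS: $($os.Caption) ($($os.Version))")
    }

    # Step 1: engine on, real-time scanning on, fresh signatures, a scheduled
    # scan, and tamper protection so non-admins cannot switch it off.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is off') }
    $sigAgeDays = ($now - $status.AntivirusSignatureLastUpdated).TotalDays
    if ($sigAgeDays -gt $MaxSignatureAgeDays) {
        $findings.Add(('Signatures are {0:N1} days old' -f $sigAgeDays))
    }
    # ScanScheduleDay: 0 = every day, 1-7 = a weekday, 8 = never scheduled
    if ($pref.ScanScheduleDay -eq 8) { $findings.Add('No scheduled scan configured') }

    # Step 2: when was the most recent update installed?
    $lastPatch = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastPatch -or ($now - $lastPatch.InstalledOn).TotalDays -gt $MaxPatchAgeDays) {
        $findings.Add("No update installed in the last $MaxPatchAgeDays days")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-RansomwareBaseline | Format-List
```

Run it from an elevated PowerShell session on each machine (or through remoting) and keep the output with your annual risk assessment as evidence of the controls being in place.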