Healthcare, Ransomware, and Security Breaches

Ransomware, a treacherous malware exploit that encrypts victims’ data or prevents access to their devices, netted cybercriminals an estimated $1 billion in 2016.

Data-related extortion attacks on businesses rose three-fold during the first nine months of last year, equating to one every 40 seconds. Two-thirds of those hit by ransomware lost all or part of their corporate data and one-quarter spent weeks trying to restore access, according to Kaspersky Lab, a data security firm.

Perhaps even more alarming is a predicted shift from chaotic and sporadic ransomware incidents to steadier assaults in higher volumes. “There is no such thing as a low-risk sector anymore,” Kaspersky’s research warned.

Healthcare, with 16 percent of organizations having been hit by ransomware, ranks in the top 10 among targeted industries.

High stakes for healthcare

Hospitals and health systems, as HIPAA covered entities, must adopt safeguards to ensure the confidentiality, integrity and availability of electronic protected health information (ePHI). The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA, issued guidance in 2016 presuming a breach in the event of a ransomware attack involving ePHI. In other words, it’s up to the provider organization to prove that a breach did not occur by demonstrating a low probability that ePHI was compromised.

Nonetheless, many organizations remain non-compliant or take a stance of “calculated non-compliance.” That means they deem any potential fine to be cheaper than the reporting costs or technical resources needed to investigate incidents to OCR’s satisfaction, according to James Scott, senior fellow at the Institute for Critical Infrastructure Technology.

All the same, providers should be concerned with whether ePHI is properly encrypted and adequately protected against compromise by ransomware. And from a system-wide perspective, additional safeguards should include proper use of passwords, removal of outdated software and unauthorized apps, adherence to regular backup procedures, and educating users not to open attachments or click links from unknown senders. Additionally, operating systems, browsers and antivirus programs should be updated to the latest version on all devices.

Also worth noting: Security shortfalls may be present in system integrations written in-house or by contracted developers.

In any event, “negligence gives cyber criminals the incentive to continue to launch ransomware attacks,” notes security website CSO.

And — as if on cue — a newly discovered form of ransomware may be released this month, reports TechRepublic. The malware, known as RedBoot, not only encrypts files but also permanently repartitions hard drives, rendering data unrecoverable. The alert advises businesses to back up workstations to some form of network or cloud storage, refresh all antivirus software definitions, and train users to avoid phishing scams.

A big ask

Hospitals have their hands full providing the best care possible for patients, around the clock, every day of the week. In that light, they shouldn’t be expected to shoulder the entire load of locking down data against an ever-expanding array of intruders.

Networking companies such as NetDirector have the expertise and capabilities needed to properly secure and integrate healthcare data. All of our certifications and processes (e.g., HIPAA and SOC2) are maintained above industry standards in a fully redundant, cloud-based platform. Healthcare clients put their trust in NetDirector to securely handle more than 10 million data and document transactions per month.

Although ransomware and related intrusions are real concerns, NetDirector stands ready to consult and assist in hardening defenses across the healthcare ecosystem.

For more information, please contact us or request a free demo.

Why EHRs Don’t Have to be a Hindrance

Doctors persistently claim that electronic health record (EHR) systems take up too much of their time.

Bearing out that assertion, a just-published study in Annals of Family Medicine found that a cohort of 142 primary care physicians spent more than half their workday interacting with their EHR during and after clinic hours. Worse, the physicians, who were retrospectively followed through EHR event logs over the course of three years, allocated two-thirds of their computer-facing time to clerical and inbox work.

A separate commentary earlier this year issued a stark challenge to the healthcare IT industry: “[Talk] to ten practitioners at random who are involved in day-to-day emergency medicine or primary care medicine, the guys and gals on the busy front line, and find two of them who are enamored with their [EHR] tools.” The author, small-town physician Kenneth Bartholomew, MD, describes systems designed around billing and collections functions. Such EHRs, he argues, lack the ability to actually improve the workflow of diagnosis and patient management.

Closing the gap on EHR drawbacks

The clearly frustrated Dr. Bartholomew concludes that current EHRs put the wrong tools in the hands of everyday caregivers. While EHRs help assemble patient history, along with physical and laboratory evidence, the technology requires doctors to “push the chain” of information from behind — rather than “pulling it from the front.”

Nonetheless, it’s also important to recognize EHRs’ positive impacts within a digital, connected healthcare environment. Evidence of benefits includes:

  • cost savings derived from prevention of adverse drug events;
  • enabling access by emergency personnel to patients’ pre-existing health information (such as medication lists, allergies, and medical histories);
  • use of medical histories to remind physicians of the best methods of care for specific patients; and
  • improvement of reporting, investigation, response, and communication between public health officials and clinicians.

What’s more, EHRs have been shown to mitigate risk for healthcare providers and health systems by enabling evidence-based decisions at the point of care, aiding in research directed toward improvements in care, and preventing liability actions by documenting complete records of care and informed consent.

Also significant: EHRs can help drive up patient satisfaction. More than 90 percent of patients report being happy that their doctor used EHR-powered e-prescribing capabilities — and that they rarely encounter prescriptions not being ready at their connected pharmacy.

EHRs and interoperability

Looking ahead, the federal Office of the National Coordinator for Health IT (ONC) has prioritized enhancing EHR usability, as well as facilitating seamless exchange of information among different EHR systems. In fact, the 21st Century Cures Act, enacted at the end of 2016, specifies the development of a national framework and common agreement to promote comprehensive network-to-network health data sharing. ONC will be organizing work in these areas and expects to have preliminary plans in place by next year.

NetDirector actively supports strong, automated integration of EHR capabilities throughout the healthcare ecosystem. Hospitals and physicians can deploy NetDirector’s HealthData Exchange to normalize data to standard HL7 and other formats to achieve EHR interoperability while removing the bottlenecks of traditional interfacing — all without adding hours to the physician’s already hectic schedule.
