Don’t Get Taken Hostage: Practices Must Protect Themselves From Ransomware
Amanda Gutierrez, MBA
Ransomware is a particularly malicious type of illegal software. Hackers use it to essentially kidnap a computer system and then demand that the system’s owner pay a ransom, often in digital currency such as Bitcoin, to release it. After the hackers have received the payment, they provide a decryption key to return access to the owner — sometimes.
Are physicians at risk?
Ransomware attacks are more common in larger health care systems because of their size and income levels, but physicians’ offices are targets as well. Smaller offices are vulnerable because of both the quality and the amount of data available on their computer networks. Many physicians’ offices are easy to infiltrate.
Ransomware typically enters a computer system or network when someone accidentally clicks on a bad link or attachment that appears legitimate. Recently, a small medical practice in Battle Creek, Michigan, suffered such an attack, with devastating consequences. The attachment resembled a vendor invoice but was actually ransomware, which then encrypted all the practice’s records. The office refused to pay the ransom, and the hackers responded by deleting everything. Some patients lost all or some of their medical records, and the practice eventually closed.
What can you do?
Here are eight tips to help you prevent, or respond to, a ransomware attack on your practice:
- Get Educated
All staffers should receive training about computer security practices within the context of HIPAA, but also within the context of hackers and ransomware. Teach them not to click on links in suspicious emails and not to download information from unfamiliar websites. New hires are required under HIPAA to receive privacy and security training; this training also should align with the practice’s information security policies and anti-virus procedures.
- Update Regularly
It is important to install software updates to fix bugs and vulnerabilities, improve administration-level access, strengthen firewalls and improve anti-malware and anti-virus software. When developers or vendors provide patches or updates, download them immediately and consistently.
- Establish a Disaster Response and Business Continuity Plan
Every physician practice should have a plan on how to respond to disasters — whether fires, floods or other catastrophes. Be sure to include hacking and ransomware attacks as a potential calamity. This means performing regular data backups, verifying backup integrity and ensuring backups are not connected to the networks they are backing up.
- Monitor Practices
Not only do you want to educate the staff on information security, you also want to make sure they are following protocol and adhering to those lessons. Medical practices should be able to monitor user activity in real time — or at least receive regular reports about how staff members are accessing data and whether they are following procedures. Integrate data security into your workplace culture.
- Designate a Compliance Committee or Staff Person
This person or committee’s responsibility will be to create compliance policies and procedures, as well as ensure that staff receives appropriate training and continuing education. Many experts suggest conducting an annual drill to practice for a breach.
- Review Your Vendors’ Qualifications
Most electronic medical record, portal and practice management software vendors should have security certifications. Are you sure the vendors you use do, and if so, which certifications do they possess?
- Update and Review the Practice’s Professional Liability Insurance
Unfortunately, many such policies do not cover cyberattacks such as ransomware. But you may be able to buy coverage (see “To Pay or Not to Pay the Ransom”).
- Hire a Consultant
The stakes are high, and the topic is complicated and potentially time-consuming. If cost-effective, hiring an expert on health care cybersecurity can go a long way toward ensuring that your practice is as prepared as possible.
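One way to carry out the “verify backup integrity” step from the Disaster Response tip above, as an added example that is not part of the article: record a SHA-256 manifest when the backup is taken, keep that manifest with the offline copy, and compare the backup against it before trusting a restore. File names and contents below are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to backup_dir) to its SHA-256 digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup against the manifest saved when it was taken.
    Any entry under 'changed' or 'missing' means the copy can no longer be trusted."""
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, record its manifest, then simulate one
    file being overwritten (as ransomware would do) and one file being deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "ehr").mkdir(parents=True)
        (backup / "ehr" / "patients.db").write_bytes(b"constructed patient data")
        (backup / "ehr" / "schedule.csv").write_bytes(b"constructed schedule")
        (backup / "billing.csv").write_bytes(b"constructed billing")
        # In practice the manifest is written to the offline media, not left on the network.
        manifest_json = json.dumps(build_manifest(backup), indent=2, sort_keys=True)
        # Simulate damage: one file encrypted in place, one file removed.
        (backup / "ehr" / "patients.db").write_bytes(b"\x00ENCRYPTED\x00")
        (backup / "billing.csv").unlink()
        return verify_backup(backup, json.loads(manifest_json))
```

Run the manifest check on each backup copy on a schedule, and before any restore, so that a backup silently overwritten by ransomware is caught while an older good copy still exists.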
What could go wrong?
The modern world, with all its technological connectivity, is a dangerous place. The FBI indicates there are currently an average of 4,000 ransomware attacks per day in the United States.
If you intended to visit a place where the likelihood of being stalked, pickpocketed, mugged or kidnapped was as high as it is every day on the Internet, you would likely either not go or take serious security precautions. Keep this in mind and protect the safety of your practice and its patients.
Sidebar: To pay or not to pay the ransom
The FBI has guidelines on ransomware prevention and response, which can be found at Ransomware Prevention and Response for CISOs. One concern in paying a ransom is that the hackers will either not release the captive data or raise the ransom amount — the first demand being a fishing expedition to see how the business responds. The FBI does not recommend paying a ransom, but notes that it is a serious consideration requiring a look at all ways to “protect shareholders, employees and customers.”
Some insurance companies cover cyberattacks, including data breaches, digital security issues, cybercrime and hacking. If covered, the terms of the policy may have guidelines or requirements for whether to pay a ransom.
Most experts say to never pay. If you have appropriate up-to-date backups that are isolated from the affected network and a thorough disaster recovery plan, refusing to pay and dealing with the aftermath may be effective. But if you don’t have protections in place and the alternative is losing all of your medical and financial records, you might decide payment is worth the risk. The best solution is to be prepared.
The Business Side of Running A Medical Practice
Kevin Omahen, CPA
Providing the best care for your patients is the most important obligation on which every health care provider is focused. However, for-profit medical practices should also look for ways to run a medical practice as efficiently and effectively as possible in order to build a strong company culture and maximize profits.
Although maintaining a certain amount of liquidity is a good idea, there are ways to put your business funds to work. You might want to consider opening a money market account to deposit your excess cash in order to earn interest on the money that you are not currently using.
Accounts receivable (AR) management is also an area that often gets overlooked and requires constant attention. AR is, of course, the outstanding money owed to the practice; but it is also a measure of how long claims are overdue. Practices need to set a target to keep aged claims under control, and work hard to stay under it. Whether your billing department is outsourced or you have an internal staff member (or members) submitting billing, ensure that claims are submitted as soon as possible. Additionally, take a look at the sophistication of your practice management system. Are you able to obtain all the reporting functions for your outstanding receivables in order to make sound financial decisions for your practice? Spending a little more on a sophisticated system could help you better understand which claims are open and manage your cash flow better.
Also, do not hurry to pay your bills. The idea here is not to intentionally miss paying bills on time, but rather to pay bills strategically so your practice can hold on to cash as long as possible. It goes without saying that you should not jeopardize your business or personal credit rating with late payments. But pay bills when they are due or just before — not after.
In addition, leasing medical equipment and your medical practice space can be more cost-effective than buying. However, there is no one-size-fits-all approach. The right answer may depend on your location, cash flow and business credit. Also, some equipment leases allow practices to buy the asset outright at the end of the lease.
Many medical practices increase business solely by word of mouth referrals from former/current patients. However, learning how to “sell yourself” is good advice for anyone running a business. To do so, a medical practice must develop a marketing mentality. This means that all aspects of your practice — how you treat patients from first contact to last, as well as ads, online activities and community presence — should have a focus on marketing.
Create a positive culture
What is distinctive about your practice? Maybe it is your specialty or unique office. Maybe your practice has a reputation for a specific characteristic or set of characteristics — no waits, friendly service, value-added perks. Create a distinguishing culture for your medical practice and develop it into a strength.
Another important aspect of this is your workplace culture. Good, reliable staff members are invaluable. Ensure that the work environment for your employees is upbeat and enjoyable. And, in addition to providing competitive pay and benefits, regularly recognize how important they are and thank them for a job well done. Patients may be coming into your practice nervous to hear a conclusion on the condition for which they are being treated. Having a warm and welcoming administrative assistant greet them and a calming nurse perform preliminary treatments goes a long way in a patient’s decision to continue using your practice. Building a positive work environment is the foundation for establishing these types of employees.
At the same time, acknowledge that your own time and energy are critical assets and an important part of the culture as well. Practicing medicine can be rewarding, but it can also challenge you mentally, physically and emotionally. Work efficiently, avoid unnecessary distractions and remember to take vacations and time off.
The value of your medical practice is so much greater than a mere sum of its parts. Nonetheless, when you find ways to keep all those parts running smoothly and in harmony, you will likely see a stronger bottom line.