Desert Wells Family Medicine, a local Arizona medical practice, recently and permanently lost its electronic health record (EHR) system to a cyber-attack (reference). The worst part? The practice did have the EHR data backed up, yet everything was still lost.
How could this happen?
In a pattern that is becoming common in ransomware incidents, the attack encrypted both the production EHR files and the backup copies of those files. We often preach the importance of backing up essential data, but a backup that sits within reach of the same compromised environment is encrypted right along with the originals, which is a much larger problem than losing the primary copy alone.
The compromised EHR data included the protected health information of 35,000 patients: treatment information, Social Security numbers, medical record numbers, billing account numbers, addresses, dates of birth, patient names, and more.
Despite every effort to recover the data, including hiring external specialists, nothing has worked. The data remains lost, and the practice has been forced to reconstruct its EHR records from scratch, a slow, costly, and grueling process.
How could this have been avoided?
In short, not every ransomware attack can be prevented, but many can, and even an attack that succeeds against production systems does not have to take the backups with it. Encrypting the primary EHR data and then the backup EHR data was a two-stage attack. Monitoring that alerts on the early signs of an intrusion, before the attacker moves from the primary systems to the backup store, might have stopped it at the first stage. As with every organization hit by ransomware, it is necessary to take a hard look in the mirror and evaluate organizational security practices.
Moving forward, this practice should focus on the following security improvements:
- Implement stronger endpoint protection, specifically a solution that actively detects and blocks ransomware behavior rather than relying on signatures alone.
- Provide additional training and education to staff.
- Keep backups on a segregated platform that production credentials cannot overwrite or delete (offline media, or immutable, write-once storage with a retention period), and test restores regularly so you know the copies are usable.
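To make the last point concrete, here is an added example (it is not PK Tech code and not a real backup product) that models the two setups side by side: a backup copy on the same writable share as production, and a segregated, versioned, write-once target in the style of object-lock/WORM storage. The incident it replays is the one described above: back up on day 0, ransomware encrypts production and reaches the backup target on day 3. The file names, the sample record, the 30-day retention window, and the off-network hash ledger are all assumptions for the demonstration.

```python
"""Why backups on the production share die with the data, and segregated write-once backups survive.
Added example with a toy in-memory model; not PK Tech code and not a real backup product."""
import hashlib
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ransomware_encrypt(data: bytes, key: bytes = b"k3y") -> bytes:
    """Stand-in for ransomware file encryption: XOR with a repeating key (constructed for the demo)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class SharedShareBackup:
    """Weak setup: the backup copy lives on the same writable share as production.
    Anything running with the production account can overwrite or delete it."""

    def __init__(self):
        self.files = {}

    def backup(self, name, data, when):
        self.files[name] = data

    def tamper(self, name, data, when):
        self.files[name] = data  # ransomware with production credentials: allowed

    def delete(self, name, when):
        self.files.pop(name, None)  # also allowed

    def candidates(self, name):
        return [self.files[name]] if name in self.files else []


class ImmutableBackup:
    """Segregated setup: versioned, write-once target (object-lock / WORM style).
    The production identity may append a new version but cannot replace or delete
    an existing version until the retention window (assumed 30 days) has passed."""

    def __init__(self, retention_days=30):
        self.versions = {}  # name -> list of (timestamp, data)
        self.retention = timedelta(days=retention_days)

    def backup(self, name, data, when):
        self.versions.setdefault(name, []).append((when, data))

    def tamper(self, name, data, when):
        # The attacker cannot rewrite history; the most they can do is append an
        # encrypted version on top, which leaves the earlier clean version intact.
        self.versions.setdefault(name, []).append((when, data))

    def delete(self, name, when):
        for ts, _ in self.versions.get(name, []):
            if when - ts < self.retention:
                raise PermissionError(f"{name}: version from {ts:%Y-%m-%d} is locked")
        self.versions.pop(name, None)

    def candidates(self, name):
        # newest first, so a verified restore prefers the most recent clean copy
        return [d for _, d in sorted(self.versions.get(name, []), key=lambda v: v[0], reverse=True)]


def restore_verified(store, name, expected_hash):
    """Walk candidate copies newest-first and return the first whose hash matches the
    entry recorded at backup time in a ledger kept off the production network (assumption).
    A copy that was encrypted in place fails the hash check and is skipped."""
    for data in store.candidates(name):
        if sha256(data) == expected_hash:
            return data
    return None


def run_incident(store):
    """Replay the incident against a backup store. Returns True if a clean copy can still be restored."""
    record = b"patient: constructed sample record, MRN 000000"  # constructed sample data
    day0 = datetime(2021, 5, 1)
    store.backup("ehr.db", record, day0)
    ledger = {"ehr.db": sha256(record)}  # hash ledger held off-network (assumption)

    day3 = day0 + timedelta(days=3)
    store.tamper("ehr.db", ransomware_encrypt(record), day3)  # backup target reachable from production
    try:
        store.delete("ehr.db", day3)  # attacker also tries to remove what it can
    except PermissionError:
        pass  # the write-once store refuses during retention
    return restore_verified(store, "ehr.db", ledger["ehr.db"]) == record


if __name__ == "__main__":
    print("same-share backup survives:", run_incident(SharedShareBackup()))  # False
    print("segregated write-once backup survives:", run_incident(ImmutableBackup()))  # True
```

The point of the hash ledger is that "the backup exists" is not the same as "the backup is usable": after an incident you restore a copy and verify it against a record the attacker could not reach, and you do the same verification during routine restore tests so the first time you discover an encrypted backup is not the day you need it.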
If you are a medical practice looking to enhance your IT security, PK Tech can help. We have extensive experience working with medical practices and are fully equipped to navigate ever-changing HIPAA regulations. PK Tech holds Compliancy Group's HIPAA Seal of Compliance. You can also check out our HIPAA Technology Survival Guide and 4 Quality HIPAA Resources for Your Business.
Reach out to PK Tech if we can help.