Cyber Threat Puts Patient Records at Risk
Physicians’ efforts to protect patients’ private medical information could be in jeopardy as Texas medical practices — large and small — face an increasing cyber-attack threat that can leave health records vulnerable. The computer-hack threat, known as ransomware, is software designed to invade and block access to office computer systems that store patient information. To regain access, cyber thieves typically demand ransom payments in exchange for an encryption key to unlock the system. Reports of ransomware extortion have made national headlines and are now occurring in Texas at an increasing rate. Medical practices often are vulnerable to cyber-attack because of outdated computer systems and obsolete data security. The Texas Medical Association (TMA) considers ransomware a direct threat to patient care, according to TMA’s August Texas Medicine magazine.
“It impedes the ability to take care of patients who are in the office, as well as those who call the office,” said Matt Murray, MD, chair of TMA’s Ad Hoc Committee on Health Information Technology (HIT). “At the end of the day, the physician is left struggling to take care of patients who are sick without access to information that is really needed.”
According to Texas Medicine, the FBI reported cyber criminals collected $209 million in the first three months of 2016 by extorting various entities with a locked computer server. The Texas Medical Liability Trust (TMLT), which provides medical liability and cyber liability coverage for physicians, reports 12 policyholders across the state reported receiving cyber extortion-related threats mostly within the last two years. And in one case earlier this year, a physician alerted TMA that his small South Texas practice was under ransomware attack. According to John Southrey, TMLT director of product development and consulting services, any medical practice connected to the internet is vulnerable to attack.
“They’re a target because cyber criminals know that they don’t have those resources like some organizations do. They’re kind of a training ground, or as some commentators have stated, ‘low-hanging fruit’ for cyber criminals to be able to get into their systems. And it’s a quick buck for these cyber criminals if their ransom demand is reasonable, such as $500 or $600,” Mr. Southrey said.
TMA plans to raise physicians’ awareness of the threat of ransomware and will help them manage their security and technology risks. Not only is security of health information important but also a physician’s data breach might violate Texas law, potentially leading to civil or administrative penalties. So TMA’s Ad Hoc Committee on HIT is monitoring the development of the SECURETexas certification program, one potential avenue to mitigate cyber-security risk. SECURETexas is the first state program of its kind to certify that medical practices’ data privacy and security comply with state and federal laws that govern the use of protected health information. In the meantime, TMLT’s cyber liability coverage for cyber extortion covers physicians’ expenses in case of an attack and will sometimes pay cyber extortion funds to terminate a threat to physician policyholders.
Patrick Casey, a former meaningful use and quality assurance specialist for the North Texas Regional Extension Center, said, “Honestly, I don’t want doctors having to become experts in HIT security. They’ve got enough on their plate to be doctors. We have to find a way to continue to and even increase the support that we make available to the health care community.”
Although no system is completely cyber-attack-proof, Dr. Murray said a preventive strategy, including a business continuity plan for technology, will give physicians a greater chance to safeguard their patients.
“If the practice can do that, they will not have to pay ransom, and the impact on patient care can be minimized if the backup and restore tools are effective,” he said.
TMA is the largest state medical society in the nation, representing more than 49,000 physician and medical student members. It is located in Austin and has 110 component county medical societies around the state. TMA’s key objective since 1853 is to improve the health of all Texans.