In today’s digital-dependent world, healthcare providers rely heavily on electronic record keeping to ensure both patient safety and compliance with government regulations. However, hospitals and facilities across the country are learning the repercussions that could occur should hackers gain access to those highly sensitive electronic records or worse: demand a ransom.
On February 5, 2016, hackers took control of the computer system at a small medical facility, Hollywood Presbyterian Medical Center, in California, demanding a ransom for the code to restore the hospital’s access to the computer system. To maintain daily operations, the hospital staff reverted to manual record keeping, using pen and paper to chart patient information, and were forced to communicate using phone and fax. Patients were required to appear in person at the hospital to obtain test results or other medical records. Ultimately, the hospital paid nearly $17,000 to the hackers to regain access to their computer system almost 10 days later.
We are not immune to these threats in the Southeast. A similar situation recently unfolded here in Louisiana. A local physician began receiving daily ransom demands via a pop-up on his computer. While he did not pay the increasing ransoms, he did hire a forensic computer expert, at great personal expense, who was able to recover some of his records. So, what should you do if you find yourself the target of a ransomware attack?
The FBI advises ransomware victims to contact their local FBI division to launch an investigation; however, according to a recent article, the FBI’s historical advice on the matter has been simple: “Pay up.” That is precisely what happened in the case in California. What precedent does this course of action set for the future of such acts of online piracy? While the answer to this question continues to unfold, one area of particular concern is HIPAA compliance in the midst of a digital hostage situation.
Hospitals and facilities must remain HIPAA compliant to protect themselves from the tremendous legal and financial consequences that stem from a privacy breach. In the instance of the Hollywood Presbyterian Medical Center attack, the hospital maintained operations during the attack by reverting to manual record keeping with pen and paper, and was in direct violation of the government’s regulation that hospitals must use Electronic Medical Records (EMR). The overall intent of HIPAA is to facilitate a patient’s access to his or her medical records. In this situation, Hollywood Presbyterian was requiring patients to appear in person to obtain test results and other medical records. Such measures could also be seen as a HIPAA violation as they created a delay in patient access to medical records. Only time will tell if fines are levied due to their reversion to paper record keeping in the heat of a ransomware attack.
At first glance, most healthcare providers may feel strongly opposed to the notion of giving in to hackers by paying a large ransom. Consider, however, that by not paying, a practice or facility could be forced to enact measures that may result in a privacy breach or a malpractice claim. The best course of action to prevent ransomware is to remain proactive and consult with an IT professional to determine the best security measures for your practice or facility.
How LAMMICO Protects Policyholders
If a LAMMICO policyholder becomes the target of ransomware, we encourage a prompt incident report to a LAMMICO Claims Representative. LAMMICO policies include coverage for Cyber Extortion up to a limit of $10,000 per year for physician healthcare providers, $50,000 per year for healthcare facilities, and $100,000 per year for qualifying acute-care hospitals. Higher limits of Cyber Liability insurance, including Cyber Extortion coverage, are made available through our subsidiary insurance agency. To learn more, contact Carly Thames at 225.906.2062 or email@example.com.