ransomware

Ransomware breaches are becoming commonplace in healthcare settings, and this most recent attack is just another part of that pattern.

Allscripts is an electronic health records (EHR) platform that provides services to hospitals, pharmacies, and ambulatory services across the country.

In late January 2018, Allscripts was hit by a ransomware attack that shut down its Professionals EHR and Electronic Prescriptions for Controlled Substances (EPCS), among other services. Of the thousands of physician practices, post-acute agencies, and hospitals that use Allscripts, 1,500 organizations were affected by the attack.

Now, an affected organization is looking to take legal action. Surfside Non-Surgical Orthopedics, based out of Boynton Beach, Florida, is an Allscripts client alleging that the EHR left them without access to critical services from the date of the breach on January 18 through January 24. Surfside will potentially launch a class-action lawsuit against Allscripts for insufficiently monitoring its data systems in the cloud and thereby failing to prevent this attack from impacting clients.

Ransomware and HIPAA: More than Just a Data Breach

The Allscripts case proves, more than anything, that ransomware attacks can have multi-faceted repercussions on any healthcare business.

Affected organizations will need to deal with the fallout of ransomware on their operations, which can shut down a business or practice for days until service or access is restored. And if any protected health information (PHI) was involved in the breach–such as names, addresses, or medical records–organizations will also need to deal with incident management as per HIPAA regulation.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance on HIPAA and ransomware after a string of incidents in 2016. The guidance clarified that if a ransomware attack targets unencrypted or unsecured data, then the breach likely constitutes a HIPAA violation and must be reported.

When a breach occurs that affects more than 500 individuals, organizations are required, as per the HIPAA Breach Notification Rule, to notify those individuals within 60 days of the discovery of the breach. The breach must also be reported to HHS OCR on their breach-reporting portal, along with local law enforcement and news agencies. These breaches can escalate into HIPAA investigations and fines if OCR perceives that an organization has not made a good faith effort toward HIPAA compliance.

EHR Risks Only Growing…

Over the past few years, EHR platforms have been subject to greater risks than ever before. This is due in part to the value of healthcare data stored on these systems. PHI can sell for three to ten times more than financial information on the black market, which means that vulnerable healthcare data is low-hanging fruit for hackers.

Some industry best practices for maintaining the integrity of PHI, even if it’s stored on a cloud-based system such as an EHR, can be instituted in most practices. These safeguards include full disk encryption and off-site data backup. It should be noted, though, that even with these measures in place, healthcare professionals can only mitigate the effects of a malware incident, not fully prevent one from occurring in the first place.

If an organization has been targeted by a ransomware attack, these measures can ensure that operations and access to data continue to flow smoothly–no need to resort to pen and paper when data can be accessed from a secure, off-site backup. But the data that’s been ransomed is still compromised, especially if that data was unencrypted.

Protecting Your Business

Using an EHR system is fast becoming a mandatory part of running a healthcare business. But that doesn’t mean you can’t prepare for future ransomware and data breaches right now. EHR and HIPAA compliance go hand in hand to protect your business.

As we mentioned above, off-site data backup and full disk encryption are keys to maintaining the security and integrity of PHI.

But you can take it one step further and even protect your business from liability in the event of a data breach caused by your EHR by implementing a HIPAA compliance program in your organization. In addition to addressing the legally required regulatory standards of HIPAA, you can ensure that the data you share with your EHR provider is protected with a business associate agreement (BAA).

A business associate agreement is a legal contract required by HIPAA regulation, which must be executed between healthcare organizations before ANY PHI may be shared. In addition to being legally required by HIPAA, BAAs are a powerful tool your organization can use to protect yourself in the event of a ransomware attack or data breach caused by your EHR platform.

Implementing an effective HIPAA compliance program will give your practice everything you need to address the law, including fully documented BAAs.

HIPAA compliance gives your business the tools you need to maintain the security, privacy, and integrity of your PHI to avoid being exposed to HIPAA breaches and fines!
