An Arkansas-based surgery center was recently hit by ransomware that not only shut down access to some electronic patient data but also rendered imaging files, including X-rays, inaccessible. The incident points to the need to carefully assess risks to all the diverse systems in use at healthcare organizations.
The breach at the Arkansas Oral & Facial Surgery Center is listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website as a hacking/IT incident involving a network server and affecting 128,000 individuals. As of Oct. 6, the incident was the seventh largest breach reported so far this year to HHS' Office for Civil Rights, according to the so-called "wall of shame" tally.
Arkansas Oral & Facial Surgery Center says the apparent motivation behind this incident was "extortion, and not the theft of patient information" and noted that, except for "a relatively limited set of patients," its patient information database was not affected by the ransomware. Imaging files, such as X-rays, and related documents were targeted, rendering those imaging files and documents inaccessible.
The exposed files included attachments and radiographs that might contain demographic information, such as patient names, addresses, dates of birth and Social Security numbers; clinical information, such as diagnoses, treatment plans or conditions; and other information, such as health insurance details. The center says it has since implemented "a new record system" and is making available to affected patients 12 months of free identity repair and credit monitoring.
Ransomware attacks have targeted imaging systems at other organizations as well. At least two unidentified U.S. hospitals reported that their imaging systems from Bayer AG had been infected by WannaCry ransomware attacks back in May.
All healthcare organizations and their business associates need to have a comprehensive information security management program in place that addresses threats, including ransomware. Essential steps include:
Limit access to all types of patient files to only the minimum necessary and provide access only to those who need it to perform their job responsibilities.
Log access to all such patient files, and then ensure someone has responsibilities for reviewing the access.
Keep systems patched and updated.
Use intrusion detection and intrusion prevention software.
Ensure the organization's employees, as well as the staff of their business associates, have regular training and are sent reminders about preventing ransomware attacks, such as by avoiding falling victim to phishing schemes.
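The second step above, logging access to patient files and assigning someone to review it, only works if the review is concrete. The following is an added example, not code from the article or from the surgery center, showing what a minimal automated first pass over such a log could look like. It assumes a hypothetical comma-separated audit format (timestamp, user, role, action, record type, patient id) and a hypothetical role-to-record-type matrix that encodes the "minimum necessary" rule from the first step; the sample log lines are constructed for illustration.

```python
"""Review patient-file access logs for least-privilege violations and bulk reads.

Added example (not from the article). Assumes a hypothetical audit-log format:
    timestamp,user,role,action,record_type,patient_id
"""
from collections import defaultdict

# Constructed sample audit lines; none of this is real data.
SAMPLE_LOG = """\
2017-10-02T08:01:12,jsmith,clinician,read,imaging,P1001
2017-10-02T08:03:40,jsmith,clinician,read,chart,P1001
2017-10-02T08:15:07,jsmith,clinician,read,imaging,P1002
2017-10-02T09:10:55,bpatel,billing,read,insurance,P1003
2017-10-02T09:11:20,bpatel,billing,read,demographics,P1003
2017-10-02T09:12:02,bpatel,billing,read,imaging,P1003
2017-10-02T23:40:00,svc_backup,it_admin,read,imaging,P1001
2017-10-02T23:40:01,svc_backup,it_admin,read,imaging,P1002
2017-10-02T23:40:02,svc_backup,it_admin,read,imaging,P1003
2017-10-02T23:40:03,svc_backup,it_admin,read,imaging,P1004
2017-10-02T23:40:04,svc_backup,it_admin,read,imaging,P1005
2017-10-02T23:40:05,svc_backup,it_admin,read,imaging,P1006
"""

# Hypothetical "minimum necessary" matrix: which record types each role may touch.
# An infrastructure account should never read patient records directly, so it
# gets an empty set; unknown roles also fall back to an empty set (deny by default).
ROLE_PERMITTED = {
    "clinician": {"imaging", "chart", "demographics"},
    "billing": {"demographics", "insurance"},
    "it_admin": set(),
}


def parse_line(line):
    """Parse one audit line into a dict; reject malformed lines loudly."""
    fields = line.strip().split(",")
    if len(fields) != 6:
        raise ValueError(f"malformed audit line: {line!r}")
    ts, user, role, action, record_type, patient_id = fields
    return {"ts": ts, "user": user, "role": role, "action": action,
            "record_type": record_type, "patient_id": patient_id}


def review_access_log(log_text, bulk_threshold=5):
    """Return findings a reviewer should look at first.

    role_violations: accesses to record types the user's role is not permitted.
    bulk_readers:    users who touched at least `bulk_threshold` distinct patients,
                     a common signature of scripted or mass access.
    """
    role_violations = []
    patients_per_user = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        permitted = ROLE_PERMITTED.get(ev["role"], set())
        if ev["record_type"] not in permitted:
            role_violations.append(
                (ev["user"], ev["role"], ev["record_type"], ev["patient_id"]))
        patients_per_user[ev["user"]].add(ev["patient_id"])
    bulk_readers = {user: len(patients)
                    for user, patients in patients_per_user.items()
                    if len(patients) >= bulk_threshold}
    return {"role_violations": role_violations, "bulk_readers": bulk_readers}


def format_report(findings):
    """Render findings as plain text for the person responsible for review."""
    lines = [f"Role violations: {len(findings['role_violations'])}"]
    for user, role, record_type, patient_id in findings["role_violations"]:
        lines.append(f"  {user} ({role}) read {record_type} for {patient_id}")
    lines.append(f"Bulk readers: {len(findings['bulk_readers'])}")
    for user, count in sorted(findings["bulk_readers"].items()):
        lines.append(f"  {user} touched {count} distinct patients")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_access_log(SAMPLE_LOG)))
```

In the constructed sample, the billing user reading an imaging record is a single least-privilege violation worth a question, while the backup service account reading six patients' images in a row is both a role violation and a bulk read, which is the pattern a reviewer would want surfaced the same day rather than found months later.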