[BreachExchange] I followed all the rules and I still got hacked

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 10 19:15:31 EST 2017


http://medicaleconomics.modernmedicine.com/medical-economics/news/i-followed-all-rules-and-i-still-got-hacked

Last fall, on a typical busy Monday morning, with add-ons, walk-ins, and a
packed schedule, I started to notice my computer network was sluggish and I
was getting kicked off of my EHR several times throughout the day. We
verified that there was no issue with our internet service provider, so I
assumed that the sluggish network was a function of a busy Monday morning.

Later that week, as my IT person was installing new software onto my
system, he noticed that someone had logged onto my server and that we had
been compromised. Ransomware had been deployed on the server and all
workstations throughout the practice. Ransomware is a harmful type of
software that forces the victim to pay a fee in order to unlock the system
and retrieve their data.

We were, in other words, the victims of a cyber attack. Within minutes, we
completely shut down our system and disconnected it from the internet,
preventing any major damage and data loss to trigger the ransom. My major
concern at that point was guarding my patients’ protected health
information (PHI) as well as their identities.

The following morning, my IT person was at my office with a strategic plan
for how to deal with this cyber attack and implemented his response within
minutes of my approving it. I pulled out my HIPAA manual to make sure we
were following protocol. We notified local authorities, who advised us to
contact the FBI. We did so immediately. Then we began keeping a detailed
log of all events that had occurred and our plans for resolving the issues.

The next two weeks would be very stressful as we worked to reestablish our
network while guarding patient identities and PHI. I was angry and felt
victimized. I was worried about my practice, our systems and how we’d get
up and running again. But most of all, I was concerned about my patients. I
did not want their data compromised on my watch. Fortunately, none of the
data were accessed, as our old records were encrypted on the server while
our present records are on the cloud with our IT vendor.

Although I’m a busy physician with an urgent care practice adjacent to my
internal medicine practice, we were forced to close Friday through Sunday.
When I re-opened on Monday, it was with limited access to the Internet and
my EHR. In today’s world, our computers, tablets, and phones are our
lifelines. This event took us back 20 years to paper and pen for charting.

I do have insurance to cover what happened, but at the end of all of
this—between shutting down over a busy weekend, getting a new server up and
running and putting enhanced security in place—I am looking at a loss of
$50,000 to $60,000.

How could this have happened to me? I took pride in the fact that I had
protected my practice for years with a double firewall, the latest and best
anti-virus software, a HIPAA-compliant network and an IT person on retainer
who for years had kept my system safe.

In short, I did everything by the book and I was still hacked. It made me
realize that none of us are immune from a cyber attack. As a result of this
hack, I have established even tighter measures in my practice. I have set
all computers to automatic updates of software, blocked internet access to
unnecessary sites, and have retrained all employees to not open any emails.

I have regular communication with our IT professional, ensuring that all
activity remains safe and secure. Without that reliable IT assistance, I
would still be working to get my practice back online, months after the
attack. I couldn’t have done this alone.

We are exercising strict security measures in an effort to guard our
patients’ PHI as well as their identities. Passwords are changed at regular
intervals, and cannot contain words in the dictionary. All screens and
monitors are locked and secured when not attended by staff, preventing
security violations in our practice.

These measures had been undertaken prior to our cyber attack, but now have
been revamped further as we continue to make our patients’ well-being our
first priority.

I was glad that I had my HIPAA manual to turn to in the early days
following the hack. Understanding HIPAA compliance, conducting security
risk assessments on a regular basis and retaining a competent company
guiding your HIPAA compliance plan are essential in this day and age where
none of us are truly protected from a cyber attack. In the meantime, my
staff and I remain vigilant.