Physicians’ efforts to protect patients’ private medical information could be in jeopardy as Texas medical practices — large and small — face an increasing cyber-attack threat that can leave health records vulnerable. The computer-hack threat, known as ransomware, is software designed to invade and block access to office computer systems that store patient information. To regain access, cyber thieves typically demand ransom payments in exchange for an encryption key to unlock the system. Reports of ransomware extortion have made national headlines and are now occurring in Texas at an increasing rate. Medical practices often are vulnerable to cyber-attack because of outdated computer systems and obsolete data security. The Texas Medical Association (TMA) considers ransomware a direct threat to patient care, according to TMA’s August Texas Medicine magazine.
“It impedes the ability to
take care of patients who are in the office, as well as those who call the
office,” said Matt Murray, MD, chair of TMA’s Ad Hoc Committee on Health
Information Technology (HIT). “At the end of the day, the physician is left
struggling to take care of patients who are sick without access to information
that is really needed.”
According to Texas Medicine, the FBI reported cyber criminals collected
$209 million in the first three months of 2016 by extorting various entities
with a locked computer server. The Texas Medical Liability Trust (TMLT), which provides medical
liability and cyber liability coverage for physicians, says 12 policyholders
across the state reported receiving cyber extortion-related threats, mostly within
the last two years. And in one case earlier this year, a physician alerted
TMA that his small South Texas practice was under ransomware attack. According
to John Southrey, TMLT director of product development and consulting services,
any medical practice connected to the internet is vulnerable to attack.
“They’re a target because
cyber criminals know that they don’t have those resources like some organizations
do. They’re kind of a training ground, or as some commentators have stated, ‘low-hanging
fruit’ for cyber criminals to be able to get into their systems. And it’s a
quick buck for these cyber criminals if their ransom demand is reasonable, such
as $500 or $600,” Mr. Southrey said.
TMA plans to raise physicians’
awareness of the threat of ransomware and will help them manage their security
and technology risks. Not only is the security of health information important,
but a physician’s data breach might also violate Texas law, potentially leading to
civil or administrative penalties. So TMA’s Ad Hoc Committee on HIT is monitoring
the development of the SECURETexas certification program, one potential avenue
to mitigate cyber-security risk. SECURETexas is the first state program of its
kind to certify that medical practices’ data privacy and security comply with
state and federal laws that govern the use of protected health information. In
the meantime, TMLT’s cyber liability coverage covers
physicians’ expenses in case of an attack and will sometimes pay cyber
extortion funds to terminate a threat to physician policyholders.
Patrick Casey, a former meaningful
use and quality assurance specialist for the North Texas Regional Extension
Center, said, “Honestly, I don’t want doctors having to become experts in HIT
security. They’ve got enough on their plate to be doctors. We have to find a
way to continue to and even increase the support that we make available to the
health care community.”
Although no system is
completely cyber-attack-proof, Dr. Murray said a preventive strategy, including
a business continuity plan for technology, will give physicians a greater
chance to safeguard their patients.
“If the practice can do
that, they will not have to pay ransom, and the impact on patient care can be
minimized if the backup and restore tools are effective,” he said.