We are consistently reading about cyber breaches to large medical organizations, resulting in millions of dollars of damages. While these stories should concern everyone in the healthcare industry, quite often, clinicians develop a false sense of comfort that their small clinic is not a target.
THINK AGAIN!
A Toronto-based clinic suffered a ransomware attack earlier this year and has graciously offered to share their experience to inform colleagues of the imminent threat. The clinic comprises of two aspects, family practice and a rehab centre providing physio and chiropractic services. The clinic employs 12 people (doctors and supporting staff); the supporting staff is shared between the two sides of the clinic.
Five months ago, operations for the rehab clinic came to a dramatic halt as access to their on-premises EMR system was blocked by a ransomware attack. Computer screens displayed the ominous message informing staff that the system had been encrypted and they had to pay $75k US to get their data. With no access to their EMR system for client information, scheduling, and billing, business operations were crippled. The clinic promptly contacted their ‘IT guy’ and ultimately engaged a cybersecurity consulting firm to assist. The cyber security firm performed initial forensics and took lead in communicating with the hacker. The clinic faced a key decision - negotiate and pay the ransom or attempt to rebuild/restore their system. Unfortunately, their data backups could not be used to simply restore the system. Rebuilding meant that they would potentially walk away from $50k in billing that was locked inside the EMR system. The clinic decided to negotiate the ransom. Three weeks of discussion and numerous threats from the hacker resulted in the amount being lowered to $25k CAD. After five months of operational and cashflow challenges, the EMR was unlocked, and the clinic could function again.
However, the damage was done - financial, operational, and reputational.
-----------------------------------------------------------------------------------------------------------------------------------------
COST SUMMARY (CAD)
$25k – Ransomware Payment
$8k – Cybersecurity Consulting
$20k – New Security Controls
There is also an intangible cost that cannot be easily calculated around lost business and lost employees during the five months of reduced customer service and increased frustration.
All costs were paid ‘out of pocket’ as the clinic did not have a cybersecurity insurance policy.
------------------------------------------------------------------------------------------------------------------------------------------
As bad as this experience was, it would have been substantially worse if the attack affected the system used by the family practice. Having no access to patient information could have put patients’ lives at risk.
The healthcare industry is under attack. Hackers know the value of PHI and the criticality of medical systems. It is vital that clinicians view this threat seriously and understand that they are ultimately responsible for protecting both their computer systems and patient information.
LESSONS LEARNED
“We wish we would have reviewed our security regularly to make sure it was all up-to-date. Regretfully, we took an ‘if it ain’t broke approach’. Things are changing rapidly. Having an expert review our cybersecurity position and provide recommendations on a regular basis would definitely have been wise”.
Well Health and Source 44 Security can HELP!
