Dr. Derm logged into his office computer system, only to find a ransom note from a hacker, asking for money in exchange for the safe return of his patients’ records. Who are these hackers? How do they gain access? What should Dr. Derm do?
David J. Goldberg, M.D., J.D.

Dr. Derm logged into his office computer system, only to find a ransom note from a hacker, asking for money in exchange for the safe return of his patients’ records. While this might seem farfetched, this situation has happened to multiple small practices.
Dermatologists in small practices often think they will not get hacked because they may not have troves of patient information or financial data. But this attitude is what makes them a target in the first place. Lax security, a lack of resources and general indifference make the perfect combination for an easy hack into any dermatology practice. “Most small practices use home-based level security, such as routers or access points like you would use at home. Conversely, they often have the kind of data that bigger hospitals have, but they don’t have the appropriate security.”
It is important to recognize that even though our dermatology offices may not have as many health records as a large health system, we probably are not the only target for the hacker.
Think of it this way: If the hackers hit 10, 100 or 1,000 small offices and aggregate the records, then it becomes a substantial amount of data to sell. Small dermatology practices have data sets that are attractive because they can be monetized. All of our offices maintain data on protected health information, personally identifiable information and payment information; each one of these sets is valuable because it can be stolen and monetized on the internet black market. Once hackers get into our computer systems, the data might be sold for identity theft, false billing for services or false prescriptions. And because larger organizations continue to improve security, smaller dermatology practices may become even more attractive targets.
But by taking some basic precautions and training staff to be vigilant about security, the majority of hackers can be thwarted.
The stereotype of a hacker might be someone working for the Russian mob. In some cases this may be accurate, but they can also be your own employees, disgruntled consultants or even a kid living next door who thinks breaking into networks is cool. It could also be a cyber vigilante attacking a practice because of ideological reasons or some sociological motivation.
Hackers have different methods of gaining unauthorized entry, but the phishing attack is the most common. This is usually a legitimate-looking email with an attachment that, if opened, will place malware on the network that gives the hacker access. It has already happened to many of us: an unsuspecting employee opens an ill-intended email attachment that never should have been opened. Phishing attacks can also occur via texts or phone calls.
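The attachment-borne phishing message described above has a few cues a mail gateway or help desk can check before anyone opens the file. The following is an added example, not code from the original column: it parses raw messages with Python's standard `email` library and reports an executable or macro-enabled attachment, a hidden double extension such as "statement.pdf.exe", and a Reply-To domain that differs from the sender's domain. The two sample messages, the `.invalid` domain names and the list of risky extensions are constructed for this example.

```python
"""Flag the attachment-based phishing pattern: added example, not the column's own code."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types that run code when opened on a typical office workstation.
# Illustrative assumption for this example, not an exhaustive policy.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".lnk", ".bat", ".cmd",
    ".ps1", ".docm", ".xlsm", ".pptm", ".iso",
}
# A harmless-looking extension placed before the real one ("report.pdf.exe").
# Heuristic: legitimate names like "backup.tar.gz" also match, so treat as a cue.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$", re.IGNORECASE)


def _domain(header_value) -> str:
    """Lowercase domain of an address header, or '' when the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def attachment_findings(msg: EmailMessage) -> list[str]:
    """Cues drawn from the attachments of an already-parsed message."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lower = name.lower()
        ext = "." + lower.rpartition(".")[2] if "." in lower else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
        if DOUBLE_EXT.search(lower):
            findings.append(f"double extension: {name}")
    return findings


def header_findings(msg: EmailMessage) -> list[str]:
    """Cue drawn from the headers: replies routed to a different domain."""
    findings = []
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"reply-to domain {reply_dom} differs from sender domain {from_dom}"
        )
    return findings


def triage(raw: str) -> list[str]:
    """Parse one raw RFC 822 message; return every cue found (empty list = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return header_findings(msg) + attachment_findings(msg)


def _build(sender: str, reply_to, filename: str, maintype: str, subtype: str) -> str:
    """Construct a sample message (constructed data for this example)."""
    m = EmailMessage()
    m["From"] = sender
    if reply_to:
        m["Reply-To"] = reply_to
    m["To"] = "frontdesk@example-derm.invalid"
    m["Subject"] = "Updated patient statement"
    m.set_content("Please open the attached statement.")
    m.add_attachment(b"\x00" * 16, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_string()


# Constructed samples: one phishing-style message and one ordinary statement.
SUSPECT = _build("billing@example-derm.invalid", "billing@example-derm-secure.invalid",
                 "statement.pdf.exe", "application", "octet-stream")
CLEAN = _build("billing@example-derm.invalid", None,
               "statement.pdf", "application", "pdf")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, triage(raw) or "no cues found")
```

A gateway would quarantine a message with any of these cues and a help desk would use the same list when a staff member asks whether an attachment is safe; the point of returning every cue rather than a single verdict is that a reviewer can see why the message was held.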
More than 13,000 patient records (including patient names, addresses, dates of birth, social security and Medicare numbers, and medical billing records) were potentially compromised in a hacking incident at a Reston, VA-based dermatology practice. In a letter to their patients, officials from Professional Dermatology Care P.C. said they detected on June 27, 2016 that "criminals encrypted patient data via 'ransomware.'"
Dr. Derm is liable for both his own actions and the actions of his employees. A covered entity must have a privacy plan that includes appropriate sanctions for an employee violating the Privacy Rule or the entity’s privacy policies and procedures. The Office for Civil Rights (OCR) within the Department of Health and Human Services is the body that investigates, conducts compliance reviews, and educates if it is suspected that the covered entity is in violation of HIPAA.
If the OCR investigates and discovers that Dr. Derm was not in compliance, it will attempt to resolve the problem by obtaining voluntary compliance, requiring corrective action and/or entering into a resolution agreement. Ultimately, the OCR is able to impose civil money penalties.
In light of the possibility of breaches, Dr. Derm has an obligation to adhere to HIPAA and keep his patients’ data safe. There are a host of methods by which this can be achieved, ranging from common sense solutions to more advanced technology-based solutions. These solutions need to be balanced with usability, however, so that safety practices are actually followed.
For example, requiring frequent password changes and making users choose complex passwords has had limited success in preventing unauthorized access: users are less likely to remember such passwords and will write them down or forget them. And no matter how strong password protection is, it won’t prevent unauthorized access if a provider logs in, then walks away from a workstation, leaving the data open and accessible to anyone passing by. Protection of data must also include procedures that staff actually follow.
Dr. Derm should protect his system and notify his patients and the authorities. He should not pay the ransom.