Under Attack!: Theft Prevention and Data Backup


Theft Prevention and Data Backup

By now, most practices have implemented, or are in the process of implementing an up-to-date EHR. Electronic Health Records are no doubt a safer, more organized, and secure way of storing patient data. They won’t accidentally toss themselves into the waste basket, or document shredder. You don’t have to worry about thieves breaking into your practice and making off with armloads of encrypted data (provided your digital devices—laptops, hard-drives, tablets—are secure and never leave the office).

Still, EHRs are not invulnerable. Human error, freak power outages, and—you guessed it—cyber theft can threaten your practice’s health records. The healthcare industry is home to a lot of important data. It is moved around internally and externally, from one caregiver or specialist to another. If it is compromised, it can cost a practice dearly. Here are some common threats to think about, and some methods for mitigating them.

So much depends on the weather

They say you can’t adequately predict the weather. You might be asking why this idiom even matters. You probably thought we’d begin by tackling cybercrime. But what happens if a severe thunderstorm or heatwave knocks out your power for an indeterminate period? Or if that same thunderstorm persists for a few days, causing a flood?

Natural disasters are a nightmare. Floods, in particular, are among the worst, and can follow on the tails of many other destructive weather systems. Wind can be planned for, and so can high winds. Water is another story. A foot or more of water can knock out your practice’s servers, computers, and other highly valuable equipment.

Hospitals and larger practices often invest in UPSs (Uninterruptable Power Supplies), which allow valuable patient data to be saved in the event of a power loss, and allow the appropriate system shutdown sequence to occur in servers and other large data storage devices. Still, they aren’t immune to three or four feet of water either. Think about what steps you take after your cell phone falls into the toilet, or swimming pool. While you can’t pack your servers or UPS in rice, you can start air-drying them as soon as possible.

Whether you’ve got a flood or a simple power outage on your hands, having a backup generator on the premises can be a lifesaver. Of course, many small practices do not have the benefit of a large backup generator. In this case, once power is lost, and before your server battery dies, one person (or even several) must take down the names and contact info of your next several patients. Depending on the length of the outage, the next few hours, or even minutes becomes crucial to the functioning of your practice over the next several days. You must gather as much pertinent scheduling information as you can.

Data theft, and ransoming

The digital realm really is like the Wild West sometimes. If you follow the news, then you’ve heard about the many stories of cyber criminals compromising medical information. One thing we know for certain is they aren’t just out for social security and credit card numbers anymore. There have been cases where hackers successfully lock hospitals and private practices out of their servers, EHRs, and even e-mail systems. They then demand a ransom for allowing doctors and administrators back in, threatening to corrupt or delete patient records and payment information if this demand is not met.

It may sound like the scrapped premise to a Die Hard reboot, but it’s a very serious issue facing the medical profession. Hackers can infiltrate a system and encrypt its data, making it impossible for others to read. There is also the more familiar method: malware or a virus is sent in the form of an infected link, usually clicked on in an email. Once clicked, the virus spreads through the healthcare provider’s network. You’ve heard of viruses, malware, and spyware, right? Add another term to your cybercrime lexicon: ransomware

Physicians must work with IT professionals and staff to implement a strong security program for preventing and dealing with such an attack. For starters, internet connections should always be protected, and sensitive data encrypted. Virus protection should be updated on every device, and passwords changed periodically. There is also the option for a practice to purchase cyber insurance, which covers extortion and other liabilities, and protects network assets.

Backup, when and where you need it

Back-up files must be available in the event that physicians cannot access patient records. Many practices still back up patient information and other crucial data on portable hard drives, tapes, and discs. This is better than nothing, and can make all the difference in a worst-case scenario. Of course, now you’re back to the problem of loss, or physical theft. You must also remember that these mediums are subject to common erosion, and the occasional coffee spill.

In the modern age, many practices must seriously consider both offline and offsite backup. To clarify, offline backup refers to backup copies of data that are not live and running (backing up data to an external drive or server). Offsite backup refers to moving data to another location (an affiliate office, or a data center in another town or city). Your method of data backup depends largely on your budget, and also what type of EHR your practice uses (for example, a client-server-based system, or an Internet-accessible, cloud-based system).

The best weapon on the frontlines

…is your staff. This has been a recurring theme here on this blog, but maintaining a culture of integrity and responsibility at your workplace, while training your staff on IT and security protocols is imperative. More than just how to input and retrieve patient data, and what to do in the case of a breech or systems failure, your staff should be taught what to look out for when it comes to unusual or suspicious data, e-mails, or links.

Spotting these things on its own is not enough. Communication becomes key. Part of building a culture of responsibility means encouraging staff members to be proactive, and to speak up about any potential threats or issues they may perceive. Accessibility is vital. There should be positive relationships between each department, facilitating clear lines of communication between them.



Brian Torchin

| HCRC Staffing | |

– See more at: