Hackers Demand Ransom To Keep Medical Records Private

Author: Mr Stephen Bentfield and Stephanie D. Willis
Profession: Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Medical-data blackmail is becoming more common as more health care providers adopt electronic health records systems and store patient data digitally. This Bloomberg technology blog story describes some of the larger incidents where medical data has been held for ransom by hackers or even unpaid, disgruntled subcontractors.

In particular, the story provides the details of a recent breach of a small Libertyville, Illinois medical practice's server by bold hackers who gained access to patient data contained in stored emails and electronic medical records. The hackers encrypted and password-protected the files they accessed, and then posted a ransom note on the server demanding payment from the medical practice in exchange for the password to unlock the encrypted files. Rather than comply with the ransom demand, the small medical practice shut down the compromised server and called police.

Although storing patient data electronically has its benefits, it is important that medical practices remember that merely storing the data electronically is insufficient to protect the patient from potential identity theft or to comply with federal and, in many instances, state data security obligations. And one-time encryption is never enough. Hackers spend an inordinate amount of time searching for ways to circumvent security measures to access personal data with high monetary value, such as Social Security numbers and credit card numbers.

So what can be done to protect against such threats? While each medical practice should tailor its information security plan to the specific threats and vulnerabilities it confronts, practices should consider employing several strategies to reduce the risk of unauthorized persons gaining access to health records systems:

Install the latest updates and security patches for antivirus and anti-intrusion solutions, and, to the extent possible, encrypt patient data maintained by the practice (whether stored centrally on a server, or locally on a desktop PC, smart phone...
