The decision to shutter Brookside ENT and Hearing Services, based in Battle Creek, Michigan, in the aftermath of the attack appears extreme. But it's an example of the distress many healthcare entities -- especially small and mid-sized providers -- are facing as ransomware attacks continue and hackers become more sophisticated.
As reported by GovInfoSecurity, the two-doctor practice lost access to patient medical records, billing, scheduling and other critical data after ransomware attackers encrypted the data. Rather than pay a ransom to get a decryption key or attempt to restore the data, the physicians decided to retire early and close down the practice for good.
When it comes to the kinds of cyberattacks hitting entities, "ransomware is number one right now. It's getting uglier out there, not better," says technology attorney Steven Teppler, a partner at the law firm Mandelbaum Salsburg P.C. Smaller healthcare entities that have more limited security resources appear to be among the most vulnerable.
While ransomware attacks are menacing entities across all industries, "healthcare organizations are perhaps the lowest hanging fruit because of the immediacy and severity of the effects -- inability to treat/diagnose patients, which in turn can endanger health," he says.
The attackers who hit Brookside ENT and Hearing Center demanded a $6,500 ransom for the decryption key, according to local news site WWMT West Michigan. A Brookside ENT and Hearing Center office worker who answered the phone on Tuesday confirmed that the practice was shutting down permanently as a result of the attack.
Even if a victim of ransomware decides to call it quits, as Brookside ENT and Hearing Center has done, that doesn't absolve it of its regulatory obligations to safeguard patients' records, and it is still open to fines and other punitive actions.
So how can healthcare entities avoid the devastating outcomes of ransomware attacks? Make sure your practice has an ongoing backup procedure so it can restore records should an attack occur. A daily or weekly backup would be the goal, so that the practice can easily rebuild its patient information. To learn more about safeguarding your practice, contact the HIPAA compliance experts at HIPAAcraticRx.