Recent reports of hospitals infected with computer viruses have IT managers very worried, as well they should be. EMR systems typically run over the same networks as other hospital functions, often leaving the door open to malware and viruses. In two recent examples, hospitals were crippled by what is known as ransomware.
Often emanating from Eastern Europe, ransomware hackers infiltrate a network and install software that locks access to data files. They then demand a ‘ransom’ to free up the files. Often, this is paid because other options are limited. Unfortunately, malware of this type has ample opportunity to infiltrate a hospital system, given the large number of people on the network, the regular turnover of staff, and systems that are in use 24/7.
Even the most secure systems are subject to misuse by employees and can become infected relatively easily. While we might want to blame digital intrusion on the system administrators, the most common method of gaining entry to a network is phishing. Phishing uses deception to get users to give up user names and passwords or to download malware, and it is now rampant on the internet.
While we might assume that all of our employees are very savvy about phishing, many likely are not, especially because phishing has become very sophisticated. Here is an example: You get an email that appears to be from FedEx, saying that a package could not be delivered to you. This email looks like the real deal. It has the FedEx logo and the return address is something like FedExDelivery. You click on the link in the email to verify your information and the phishing software now has important information about you.
Other phishing examples are emails that pretend to be from someone you know or a business that you work with. Another favorite is to offer something free, such as access to an e-book. All you have to do is set up a password to the site. You might be surprised at how many people will use the same password they use at work, giving away their login information.
So what is your hospital’s plan for protecting your EMR and for data recovery if it is hacked? Most facilities will say that they have redundant drives and redundant servers with regular backups, but this has not always proven reliable. And paying a billion dollars to Epic doesn’t ensure 100% uptime, as Sutter Hospital learned a few years back.
While no one can claim that their system can’t be hacked in a world where humans are involved, there are many steps that can be taken to improve your odds. These include replicating data in more than one location, hosting in secure data centers, having more than one path to data centers, and using mobile devices that are less prone to malware. Having replication in multiple locations and alternate access through satellite or cell connections can be a critical piece in assuring reliability in the face of hacking.