<span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text" >Ransomware in Orthopaedics: Part 2</span>

Ransomware in Orthopaedics: Part 2

Welcome to our two-part series on ransomware in orthopaedics. It's critical for offices to understand the threat that ransomware poses to the security of their electronic health record and computer systems. The good news is, you don't need to be a cybersecurity expert to understand the basics and take steps to protect yourself and your patients. This week, we're examining ransomware attacks on orthopaedic practices in the past year and steps your practice can take to protect itself. To access part one of this series, click here.


Aren’t smaller and private practices safer?

Although ransomware attacks against corporations and hospital systems get lots of media attention, any healthcare practice can find itself at risk. Privately owned and smaller orthopedic practices are no exception. On November 21st, 2019, a privately owned group in Texas was attacked. Fondren Orthopedic Group was able to restore their system and launch an investigation, which determined that no medical or personal data was extracted from the system. However, the attack damaged patient names, contact details, diagnoses, treatment information and health insurance data. Additionally, the practice had to notify over 30,000 patients about the breach.

Another attack had already taken place earlier in November against Central Kansas Orthopedic Group. The practice did not pay the ransom and was able to restore its system from backups. Although no records were removed as determined by a third-party investigator, unauthorized persons did have access to the medical and personal data of patients for a short amount of time. The practice notified over 17,000 patients about the breach, had to increase its security measures and protocols, and offered patients identity theft protection services through an industry partner.

Finally, on January 9th, 2020, Ronald Snyder MD located in New Jersey reported a ransomware attack. A single computer was infected with ransomware that encrypted select patient files with information including name, address, birth date, phone number, and insurance identification number. An investigation with a third party was unable to determine whether anyone was able to access the encrypted information before the system was restored. The small practice offered all patients one year of identity restoration services, and put together recommendations for all patients to freeze their credit and protect their identities.

How Can I Protect My Practice?

Jason Schreffler, Implementation Support Specialist with Exscribe, says these five tips will help protect yourself and your practice against ransomware attacks:

  1. Secure all Remote Access Configurations with a virtual private network (VPN) instead of open remote desktop access. If open remote desktop is required, limit and specify which IP addresses are allowed to access your site.
  2. Ensure all PCs are always fully up to date with Windows updates and patches.
  3. Any Windows 7 or Windows 2008 R2 machines should be replaced as soon as possible, as these models are currently most vulnerable to attack.
  4. Investigate adding a comprehensive anti-virus/anti-malware software package to your machines. Sophos EndPoint Protection and Webroot Secure Anywhere are good places to start.
  5. Change passwords for all users every 90 – 180 days and require a high level of complexity. Passwords changed less frequently are easier to crack.

Schreffler began working with Exscribe in April 2004, supporting the technical needs of orthopaedic practices across the country. In his time with Exscribe, most cases of ransomware attacks that he has consulted on were the direct result of cracked passwords and unsecured remote access configurations. He recommends replacing machines and updating them regularly because attacks can have more devastating consequences when machines are out of date. Additionally, anti-malware software can assist tremendously in catching attacks as they occur. His most important advice for practices looking to protect themselves is as follows: “Don’t assume your office is safe!”


If you enjoyed this series, you can subscribe in the side bar at right to get more educational articles like this delivered to your inbox every week. Thanks for reading!