One of the largest cyber security incidents ever to occur happened just over a week ago. On Friday, May 12, hundreds of hospitals in Europe were affected by a malware known as WannaCry ransomware.
Ransomware is a computer virus that takes over a user’s computer and requires the user to pay a fee, or ransom, to recover access to the computer. Ransomware has been around for a while, but what made last week’s attack alarming was the rate at which it spread. The attack crippled several European hospitals, forcing them to divert patients to other facilities, and it spread fear that US hospitals would be affected.
The infection began as a phishing email with an attachment that was opened by some unsuspecting person. Once the attachment was opened, the virus spread throughout the system the computer was connected to. A phishing email is an email that looks legitimate and usually has an attachment or a link. The recipient of the email is instructed to open the attachment or click on the link; once they do, the computer is infected.
Hospital computers and information systems are high-value targets for cyber criminals. Health care data is high value for a number of reasons. If a cyber criminal were to gain access to billing information, they could illegally bill Medicare or other payers for services and would likely not be discovered until long after they received payment. An individual’s health care information is protected by HIPAA, and hospitals go to great lengths to protect health information. If a cyber criminal were to gain access to a hospital’s information system, the hospital could face civil and criminal penalties. Most importantly, hospitals rely upon electronic health records to assist in the provision of care. Patients’ care plans, allergies and medication lists all reside within the electronic medical record. If the system isn’t available, or is corrupted, it can slow care to patients, and a delay in care can negatively affect outcomes.
Cyber attacks are an ongoing threat. At work and home, each of us can protect our computers by not opening emails, especially attachments, if they’re not from a trusted source.
GVMH’s IT Department works diligently every day to protect our patients and to protect our systems. I can’t share all they do because that would create more risk. It would be like the jailer sharing the location of the keys with the inmates. I can provide a general overview of steps GVMH takes to keep our information systems and our patients’ information safe.
GVMH has a cyber security awareness and training program. GVMH has effective technical measures to protect computer networks, such as:
- GVMH utilizes spam filters to prevent phishing emails from reaching end users and implements technologies to prevent email spoofing.
- Incoming and outgoing emails are scanned to detect threats and filter executable files from reaching end users.
- Firewalls are configured to block access to known malicious IP addresses.
- Antivirus and antimalware programs are set to automatically conduct regular scans.
- GVMH continuously backs up data.
- GVMH conducts an annual cybersecurity assessment—with network penetration testing—to identify vulnerabilities.
Our highest calling is patient safety. Protecting patient information and having strong systems to protect our information systems is just one way we promote patient safety.