As health care gets more connected, the volume of data is growing at exponential rates.  Providers, patients and payers all want one thing:  instantaneous access to secure health data.  What does it take to make protected health information (PHI) available at the touch of a button?  It takes the right light-weight, HIPAA-compliant health data storage application hosted at the right geo-redundant data center.

“We create health data storage and availability solutions for hundreds of acute and ambulatory care centers around the country,” says James E. Hammer, VP of Product and Program Management at Harmony Healthcare IT.

“Because we’re preserving critical clinical data elements for 25 years or more, our clients require not only the right database structure and user interface, but, also an elastic, scalable data environment that won’t run out of storage space or experience a power outage.”

HHIT is the maker of HealthData Archiver^®, a HIPAA-compliant, long-term health data storage platform.  HHIT data analysts extract information from legacy systems and then migrate and normalize it in a relational database to make it accessible in an easy-to-use, browser-based viewer for years to come.  For security, HHIT utilizes Data Realty, a data center located in South Bend, IN, which has Tier III static UPS power design and 2N redundancy while running at an average PUE of 1.35.  This is the facility where servers and other critical equipment components are stored, maintained and accessed to ensure top performance.

The colocation of data is essential to supporting the big data initiatives of healthcare delivery organizations today.  The robust power grid utilized by Data Realty in the Midwest means that HHIT client PHI has a safe and secure home that is maintained by experts, 24x7x365.  Data Realty specializes in maintaining an environment which helps health care companies comply with HIPAA privacy & security and other industry regulations.

There’s a lot that happens behind that click of the button to access stored data. While depersonalized Big Data can be used to analyze health issues that can make a difference in the world, the accurate and immediate access to one patient’s historical electronic health record can make a world of difference in his/her care and life.

For more information about HealthData Archiver^® and HHIT’s data availability strategies, visit www.HealthDataArchiver.com.  To learn more about Data Realty, visit www.datarealty.com.

Editor’s Note: This blog was updated from a previous post published on October 13th, 2016.

During the sales process, we’re often asked what makes Harmony Healthcare IT different from other clinical archiving vendors.  The answer comes pretty easily:  it’s because we’re not a company driven by what to get done as much as we’re driven by why to do it in the first place.  When you believe passionately in your “why” and can be innovative with the “how” like we have been . . . then the “what” of product features flows pretty naturally.

Our Mission

Our mission is to preserve vital information so that lives may be improved.

At one level, our mission speaks to the lives of the providers and staff who utilize our products.  We improve their lives by making information they need to do their job readily accessible – whether that’s for clinical treatment or eDiscovery.  At another level, we’re improving the lives of patients.  We do this by preserving their full patient narrative with 100% accuracy as it was presented to us from the legacy system we’re decommissioning.  By making this historical data readily available to caregivers, we’re helping to support fully-informed, proper treatment decisions. This is especially important in the cases of mental health and oncology, when having a comprehensive context of care history could make a world of difference.

There are also some specific points about our people, our product and our process that further differentiate us from all other vendors in the industry.

Our People  We are data experts.  We say right on our home page that we “get” data – both figuratively and literally.  With a deep bench of senior-level technical resources, we are able to conceptualize data mining, mapping and archiving strategies that make sense for today’s healthcare landscape.  That might mean something as simplistic as single-sign-on access to archived information form within  the active hospital information system.  It might mean adding a layer of data lake storage for raw data elements to be used in future analytics projects.  Or, it might manifest as continuity of care document (CCD) delivery of key historical clinical packets that are delivered to the provider at time of care in his active electronic medical record system.  When I tout that we’re experts, I’m also saying that it is our people doing the work.  We literally “get” the data from a variety of applications and platforms ourselves versus outsourcing extractions overseas or asking the client to do it to our specification.  We are healthcare experts.  Our leadership team is comprised of individuals whose careers have been committed to working with clinical and financial data and software product development in both acute and ambulatory care settings.  Since the organization’s inception, we have focused on the healthcare market exclusively, honing our specialization as each year goes by and staying up to date on data availability strategies, interoperability and other integration initiatives.  From our industry-connected senior management team to our certified project managers to our friendly customer service analysts; the team is responsive, results-oriented and committed to being experts with health data management every step of the way.

Our Product  Since the genesis of our HealthData Archiver^® product, we have successfully built a data management platform that leads the industry in innovation, making data highly available to those who need it for treatment and eDiscovery.  HealthData Archiver^® is a light-weight application that is database and vendor-neutral.  It requires access only to the Internet and to a portable document format (PDF) viewer to be used. All data sources within HealthData Archiver^® can be accessed from a single screen.  Minimal end-user training is required. We designed HealthData Archiver^® this way – to be intuitive – so that historical records could be accessed “simply” over time as staff comes and goes during the retention period of a medical record (which can be upwards of 25 years).  Our intent was not to re-create a complicated, menu-driven, full production system.  Our intent was to create a simple viewer that allows costly full-production legacy systems to be retired and historical records made available in a variety of ways to those who need it.

Our Process  As a LEAN organization, the Harmony Healthcare IT team has archived millions of patient records and terabytes of data in a very systematic way, constantly looking for ways to reduce waste or improve process.  We efficiently execute while providing scalable solutions that will handle future growth as new legacy data sources are added to the healthcare enterprise archive. We employ certified project managers who have built repeatable processes and templates for data archival.  Our technicians are constantly building out new tools and scripts to reduce processing time and improve accuracy for data transformation.  We follow an agile software development methodology so that new product features or enhancements to the user interface can be brought to market quickly.  Process is what makes us go, and, we are committed to always improving it.

So, if you’re a stakeholder at a hospital or health system looking for a clinical archiving vendor, take a look at Harmony Healthcare IT, the makers of HealthData Archiver^®.  As you work with us, you’ll see that the “why” of what we do drives us each day not only to be on time and on budget with managing your health data, but, also to be accurate and secure.  Put our people, our product and our process to work for you.  Ultimately, it will improve your daily work life.  More importantly, it could also improve or save the life of a patient.

Tom Liddell is the CEO and Managing Partner of Harmony Healthcare IT.  He brings 30+ years of health IT experience from a variety of companies focusing on clinical software development, health information exchange and diagnostic laboratory and blood banking services. Liddell is bending the cost curve for health systems, hospitals and practices daily by helping them with data extraction, migration, retention, interoperability and analytics.

Harmony Healthcare IT, the makers of HealthData Archiver^®, preserves vital information from legacy patient and employee systems.  The company primarily helps health systems to decommission replaced HIS, EHR, LIS and practice management systems as well as general accounting and HR/Payroll systems. The benefits include a reduction in technical risk, IT labor and maintenance costs.

Editor’s Note: This blog contains content from an earlier post from July 25th, 2016.

The Research Findings on EHR Replacement

A recent KLAS research study, that included 400 c-suite and IT leaders from community hospitals of 200 beds or fewer, reports that 32 percent are replacing EHR systems and 68 percent are considering a change.

This study aligns with the 2018 Black Book Research report that states: Thirty percent of ambulatory practices with over 11 clinicians expect to replace their current system by 2021 for customization issues.  The report notes that highly functional, highly customizable integrated EHR, Practice Management, Revenue Cycle Management and ICD10/ Coding products are proving to be the sought after technology solution of choice for groups and clinics with 12 or more practitioners according to the nearly 19,000 total EHR users responding to the six month client satisfaction poll released on April 16 of this year.

In a related study, Black Book’s 2018 survey of healthcare consumers identified that 91 percent of patients under 50 years old gravitated toward digitally based practices, particularly those with advanced features, connectivity with other providers and comprehensive portals which give them easy access to managing their health via phones and devices.

Creating a Health Data Life Cycle Management Strategy when Replacing an EHR

There are regulatory, consumer and advancing technology-related reasons behind the decisions to replace a current EHR. We work with physician practices, hospitals and large health systems every day to help determine what to do with the legacy data during a system replacement.

In most cases, it is cost prohibitive to migrate all records from a legacy EHR into a new go-forward EHR. That means a strategy must be put in place to manage the records that don’t get converted.  The benefits of creating a strong legacy data management strategy include

• cost reduction
• risk mitigation
• compliance with both security standards and record retention mandates
• simplified access to data
• consolidation of decade’s worth of data from disparate software applications into a secure long-term storage and retrieval center.

Harmony Healthcare IT‘s HealthData Archiver^® is a leading solution for hospitals and medical practices faced with system replacement, acquisition or migration.

Is your team ready to create a legacy data management strategy?

Our team of data experts at Harmony Healthcare IT developed a process that has helped hundreds of ambulatory and acute care organizations evaluate their legacy clinical, financial, human resources and ERP system portfolio to create a Health Data Life Cycle Management Strategy that works. The process guides providers through a system inventory, financial forecast and system prioritization for decommissioning legacy systems enterprise-wide. It provides details to outline a five point strategy that is customized for each organization and rounded out with a commitment for collaborative execution. Perhaps the best part of the strategy is that it identifies significant areas to mitigate risks and provide cost savings.

Regardless of where your organization stands in terms of keeping your current EHR or replacing some or all of its systems, it is important to include a strategy for the complete life cycle of the data in your care — from creation to archival to destruction — all according to your record retention policy.

We’re here. We’re ready.  Contact a consultant from Harmony Healthcare IT.

A new report by Verizon claims that healthcare is the worst industry in terms of stopping insider data breaches. Healthcare employee errors and malicious activity account for about 56% of data breaches, the only industry to top the 50 percent mark with employees.

The report recommended that the healthcare industry institute full disk encryption to protect sensitive healthcare information on devices and put in place policies and procedures to monitor access to protected health information (PHI).

We agree. There needs to be more security measures in place to protect health data. We also extend this thought to include not only current records, but legacy data as well.

In fact, Harmony Healthcare IT recently became the first discrete data archiving company certified by FairWarning to implement its audit platform for monitoring the long-term security of historical patient and employee record storage.

For more information about how this partnership adds another layer of security to your legacy health data, check out our recent blog.

Outdated Systems can be Vulnerable

In our work helping healthcare organizations of all sizes archive legacy data, we see common security issues as a result of outdated systems and too many data silos that need to be protected. The main issues include:

1. Unencrypted data in transit – a lot of legacy applications are running on really old technology that create a multitude of vulnerabilities, especially when in transit.
2. Unsupported operating systems – Microsoft Windows 2003 is still out there without any patches. Healthcare organizations are faced with some tough choices to ride it out and cross their fingers that nothing happens.
3. Insecure legacy data applications – we see many applications that do not have the back-end features and functions such as audit logs, password strength, resets and screen locks that would meet NIST or HITRUST certification.
4. Outdated security protocols – for older systems which leads the application to auto-negotiate to the lower system’s capabilities.
5. Unregulated back door access – mainly as a result of acquisitions and sometimes from self-developed systems that have vulnerable back entry points long after the developer is gone.

Archiving legacy data takes the vulnerability out of your environment by shoring up legacy data applications into one, secure system. Think of your applications as a building. You’ve got a lot of doors and windows you need to secure. If you have 40 applications and each is an island with a door or window, some have bad locks, some do not have locks at all.  Think about having all of your legacy systems in one building that is a highly secure environment. Makes sense, right? Here’s a starting point.

Four tips to Excel at Legacy Data Management and Defend against Cyberattacks:

1. Get an inventory – Make sure you have a complete inventory of each application and the operating system that it is on. Seek out every clinical, financial, inpatient, outpatient, administrative and ancillary system.
2. Basic Discovery – Once you have the inventory, do some fact checking to determine which operating systems the applications are on as well as the size and type of system.
3. Prioritize – Look at the risk associated with each system and also look into contract renewal dates and support costs.
4. Source a Vendor – Look for a vendor with broad enterprise experience to help do the heavy lifting as well as have the technical experience to archive all types of databases. Look for vendors with HITRUST certification.

The move to retire legacy applications and move the data to an accessible archive is an important step toward securing your organization’s health data. The results will support higher security for your data and also provide additional benefits such as reduce costs, minimize risks, eliminate issues, simplify access and merge data silos. Retiring legacy applications into one secure archive provides a solid and secure step in the right direction.

Harmony Healthcare IT is a FairWarning Ready Healthcare Data Archiving Partner.

FairWarning^® is a registered trademark of FairWarning, Inc.

Ready?  We are.  Contact us.

Balance is important.

As the volume of healthcare data continues to skyrocket, the industry is in a full speed ahead mode.

Did you know that healthcare data is one of the fastest segments in the digital universe? Health data grows at 48 percent each year compared to 40 percent for the overall digital universe.

Our team is in it. Since 2006, we’ve worked with hundreds of software brands, billions of records and petabytes of data.

We’ve grown strategically and organically by developing a team of data gurus and savvy thinkers. We collaborate to solve complex clinical data migration issues, and equally as important, have a company culture where everyone knows and cares about each other.

It’s all big stuff. And, we’re on point.

In recent reports by HIMSS Analytics and CHIME, they suggest that vendors that acknowledge the need for intuitively designed products that integrate appropriately with legacy systems are likely to gain – or maintain – their lead in the health IT sector.

Check.

We’re focused on the industry, innovation, interoperability and integrating talented team members into the mix. In fact, last year we added many new full-time employees and doubled our internship program with opportunities for eight bright college students.

We are transparent with each team member and continuously strive to build a learning organization so our team members can grow professionally and personally.

Our top organizational strengths as reported in a recent employee survey include:

1. Vision, Mission and Goals are clear to team members
2. Management and Leadership support for the team
3. Teamwork and Colleague Interaction
4. Innovation – employees make suggestions and are heard
5. Company Pride — our team is proud to work here

We take the time to help new employees feel like part of the team. This includes an onboarding strategy and offering lunch-and-learns with a cross-section of team members.

We have several annual events that provide opportunities for team building. This includes: family outings to baseball games, an opportunity to participate in local charity walks, volunteering with local organizations to help the community during the holidays, recognizing work anniversaries and playing a monthly round of “Who’s That Team Member?” where we guess based on an employee providing three clues and/or a baby picture.  C’mon… who doesn’t love some of that?!

We recently updated our career listing section on our website and look forward to connecting with people who are a good fit. If that might be you, please take a look.

More than four of every five US physicians (83%) have experienced some form of cyberattack, according to research from the American Medical Association (AMA) and Accenture. The AMA/Accenture survey results reinforce the fact that small and medium-sized practices — not just big groups and healthcare systems — are now targets of cyber thieves. To see the full report, click here.

As the entire healthcare industry continues to move toward interoperability and increased sharing of protected health information across providers, smaller practices and clinics face the same cybersecurity threats as larger health systems.

Couple that with the United States having the most data breaches of any country by a large margin and that healthcare jumped to the number one most attacked industry in 2017, and it’s no wonder healthcare providers from every size organization are ramping up their cybersecurity defenses.

It is interesting that the 2010 security recommendations from The U.S. Department of Health and Human Service (HHS), through the Office of the National Coordinator for Health Information Technology (ONC) have stood the test of time and remain solid action steps for ambulatory groups to take. We’ve listed the top ten recommendations below. For the complete report, click here.

Top ten security practices for small healthcare groups

1. Use strong passwords and change them regularly
2. Install and maintain anti-virus software
3. Use a firewall
4. Control access to protected health information (phi)
5. Control physical access (aka – protect your server’s location)
6. Limit network access
7. Plan for the unexpected
8. Maintain good computer habits
9. Protect mobile devices
10. Establish a security culture

One important step your group should take immediately

One of the easiest tools to aid in your cybersecurity strategy is creating a legacy data management plan to reduce exposure, secure historical records in a protected archive and maintain access to the records should they be required in the future for eDiscovery or other requests. As practices grow and technology evolves, there often are vulnerable, outdated systems housing protected health information that are essentially sitting ducks for cyberattacks.

Considering the cost benefits of consolidating legacy systems and the added security of having less systems at risk, it makes sense to archive as much legacy data as possible into a single, secure archive.

We recently presented information at HIMSS18 about the security benefits of archiving.

Click here to see the video and download the white paper.

Then, connect with our team for more information about how we can help your practice shore up your legacy data and defend against unwanted cyber activity.

There is a debate in healthcare IT: Should the future of electronic medical records evolve with a comprehensive health record or connected health record model? Both claim the CHR acronym, but, there are some significant differences in terms of the promise and the reality of implementation.

Let’s take a minute to look at the two schools of thought.

First, the comprehensive health record focuses on collecting more data on the patient and saving it in one giant health record that — in theory — can be shared across different providers when needed. The benefits of this approach take into account expanded data points including care delivered outside the hospital, such as telehealth.

Critics of this approach say that one system cannot truly collect or house the multitude of data from different points of care available today — including patient-generated health data and genomic data — and that this approach limits the opportunity for shared care planning and coordination, family caregivers and non-clinical settings of healthcare. They say interoperability is a national priority precisely because no single vendor EHR system is comprehensive, and there should be interoperability across the myriad data types, sources, authorized users, and use cases.

In contrast, industry analysts claim the connected health record would provide the dynamics of an interactive, learning health system. Patients, providers, population health agencies, registries, payers, researchers, social service agencies, community centers, and accountable care organizations all would have access to interconnected systems and records. This approach suggests real-time access and updates that would provide greater opportunities for adaptive rather than reactive care.

For example, a chronically ill patient who develops a new infection would benefit from that information being immediately transmitted to the primary doctor, specialists and family caregiver who all would participate in the care plan.

Reference Source:

https://www.emrandehr.com/2018/03/26/comprehensive-health-record-vs-connected-health-record/

Both models are largely in the beginning stages and will take a lot of heavy lifting as well as industry cooperation to move forward.  It seems the bottom line is that the future of medical records is expected to provide a wider breadth of data points to support better care outcomes.

Archiving Supports the CHR or the CHR– Whichever Format Becomes the Standard

Harmony Healthcare IT is tuned in to this industry issue because we wholeheartedly agree that everyone will benefit from the full patient narrative.  As healthcare providers move forward with system replacement and technology advancements, our team is focused on providing a secure solution for maintaining access to legacy health records.

Our HealthData Archiver^® supports record retention requirements and provides long-term, secure access to historical records that contribute to a more robust care plan.

HealthData Archiver^® offers the flexibility necessary and ensures critical health data is available when, where, and how it is needed. This improves workflows, provides accurate data for patient care and supports efficient eDiscovery.  There are numerous features to HealthData Archiver^® that support the instant accessibility of patient or employee records for a healthcare organization. Learn more here or contact us to discuss our solution and how we contribute to the CHR with our CCHA (Comprehensive, Connected Health Archive)!

Healthcare providers face technology transition points which demand action. This could be a new EHR platform, a merger or acquisition which requires pro-active planning for integration and other scenarios. Getting out in front with a technology roadmap is a smart, proactive step in IT stewardship that could save time, reduce overall costs and negate future obstacles.

Last year, we announced an exciting partnership with Commvault (NASDAQ: CVLT), a global leader in enterprise backup, recovery, archive and the cloud for the healthcare market. This partnership offers healthcare organizations facing M&A, EHR system changes and security concerns with solid options for managing historical data beyond the costly option of migrating all of the information. In addition to data management and protection, customers using the Commvault Data Platform with HealthData Archiver^® gain increased analytics capabilities by having data from decommissioned applications available for indexing and reporting through Commvault Software, as well as expanded eDiscovery and search functionality.

In this quick video, hear from Commvault Product Manager, John Valutkevich as he discussed how healthcare providers — specifically those facing mergers and acquisitions — need support from a team focused on cost reduction, increased security and decommissioning opportunities. Plus, hear how Commvault clients are enhancing their security strategy by archiving and pro-actively decommissioning legacy EHRs.

Our own Scott Kidder, Vice President of Business Development, shares some insights in this video about how HealthData Archiver^® is a key tool for healthcare providers who are migrating to new EHR systems and need a solid and secure plan for their historical data that needs to be preserved.

We welcome you to contact us and we can walk through your specific needs. Our team can help you navigate system replacement and M&A while keeping your legacy data secure.

About half of middle market healthcare executives plan to merge or acquire other organizations in 2018, according to a survey by Capital One Healthcare. Keeping with the upward trend from the past several years, healthcare in general has started the year with the biggest bang in the past 12 years as reported by Bloomberg.

The ongoing pressure to reduce prices is often the driver to pick up volume and market penetration by being part of a larger group which offers better reimbursement rates. There also is a growing interest in broadening the scope of care offered within one health system. Read more here.

The Goal

With this broad market consolidation, there is a focus on creating a single patient chart. There are clearly benefits in terms of patient care, but the reality is that there are numerous IT hurdles to connect the go-forward EHR with the legacy medical record to give the user the seamless opportunity to access a complete patient narrative.

The Hurdles
The biggest issue in trying to consolidate data from a health system into a single legacy patient record is that there is data in a variety of database formats (i.e., DB2, Cache, MUMPS, Cobol, AS/400, etc.) across numerous systems.  In those systems, various file types (i.e., jpg, tiff, pdf, rtf, etc.) also exist.  Once the variety becomes manageable, there are the challenges associated with data matching and mapping.  Reconciliation of the master patient index, medications, problems, allergies, etc. must all be tediously and carefully addressed and validated.

The Difference

While these legacy data management hurdles are cleared routinely at Harmony Healthcare IT, as a company that embraces LEAN methodologies, we stepped back and asked ourselves whether there was a better way.  We challenged ourselves to solve a bigger issue of making the data readily and easily available where it’s needed, when it’s needed and how it’s needed.

So, we developed a Four Step Data Availability Plan:

1. Extract.  This entails getting the data out of the legacy EHR or ERP systems.  This is often where the hard work happens, depending on whether the system is remote-hosted, if the database is encrypted or a host of other potential issues for unlocking the data from the application.  We don’t leave this work for the client to do themselves or for the client to request of the legacy vendor.  When it comes to data extraction at Harmony Healthcare IT, we take the lead and we get the data.
2. Transform.  Once the data is extracted, it must be transformed and loaded into a new repository.  This is where our tool, HealthData Transformer, comes into play.  It allows us to make the ETL process more efficient.  It also minimizes the level of transformation needed to reduce the opportunity for data corruption
3. Archive.  Next up is long-term, HIPAA-compliant data storage that will meet medical record retention requirements over time.  Considering the vast amounts and variety of data types being stored, the archive must be flexible.  This is where Health Data Archiver excels.  We store data, no matter where it came from, as close to the native format in which it came – as discrete data, images or scanned documents. We also build in workflows for the various user types, from HIM or clinical to legal, revenue cycle management or Human Resources.
4. Enable.  The most exciting and differentiating of the four steps is enablement.  This is what allows the data to be available and actionable through interoperability.  That might include making the legacy data readily accessible from within the current EHR through Active Directory Single Sign On (SSO), or, pushing the data out in a variety of formats (JSON, CCD, CDA, HL7, CSV, and more) for use in population health, research or health information exchange.  The options for tapping into the legacy data are endless, including, perhaps, on-demand ADT queries or other creative options that work at a particular site.

Legacy Data Availability and Accessibility

There is not a one size fits all answer for legacy data availability, but HealthData Archiver offers the flexibility necessary and ensures critical health data is available when, where, and how it is needed. This improves work flows, provides accurate data for patient care and supports efficient find-ability of records.  There are numerous features to HealthData Archiver that support the instant accessibility of patient or employee records for a healthcare organization. Learn more here.

Getting Started

Is your organization in merger and acquisition mode? Are there multiple legacy EHR or ERP systems in your IT portfolio that must be addressed and consolidated to save on maintenance costs, reduce technical risk and comply with medical record retention requirements?

Our team can help with a data availability plan for your legacy systems.

Editor’s Note: This blog contains content from an earlier blog post from February 28, 2017

Early cybercrimes of the 1980’s, like the “AIDS” Trojan (also known as “PC Cyborg”), triggered a payload claiming that the user’s license to use a certain piece of software had expired, encrypted file names on the hard drive, and required the user to pay $189 to “PC Cyborg Corporation” for the means to unlock the system. Today, Ransomware attacks are exponentially more brutal and often lock up servers from the entire organization with ransoms of several million dollars. Some companies, especially healthcare systems, pay the ransom because access to their electronic medical records literally is life and death.

Healthcare is a popular focus for Ransomware attacks because unlike credit cards or bank accounts, medical records cannot be easily closed and restarted elsewhere. Experts report that while a credit card nets $6 on the black market, a medical record can garner between $50 -$250. Some say healthcare organizations are less prepared than other industries for these technology attacks, with vulnerable systems and less than stringent protocols for guarding PHI.

“In today’s connected electronic environment, healthcare organizations are big targets for phishing attacks, ransomware attacks and unauthorized third-party network hacking,” says Rick Adams, Vice President of IT and Chief Security Officer at Harmony Healthcare IT. “IT teams need to be prepared like never before. It’s not a matter of “if” there will be an attack, but “when” — and the entire organization needs to be trained to be on-guard and prepared.”

Phishing for Dollars

Ransomware essentially is a virus that is transmitted through email attachments. Often, an unsuspecting employee will click on an attachment and unknowingly launch a virus that can attach to the network and encrypt all of its files. Likely a pop up will launch on the screen instructing the user that there is a ransom for the code needed to unlock the files. Essentially, one bad move by one employee can shut down an entire organization.

About one in every 965 emails is expected to be “phishing” which means, looking for someone to bite and open the virus-infected email. The average cost to recover from a phishing attack is upwards of $600,000 according to industry experts.

How to Protect Your Healthcare Organization from Ransomware Attacks

1. Prevention –
• Keep your organization’s anti-virus protection services up to date. That said, just like vaccines, anti-virus protection only protects your healthcare organization from currently known viruses and attacks.
• Utilize better email filtering programs to scan for problem emails before they get to users. We recommend not accepting email from domains that are under 72 hours old and to strip away the most likely infected email types: .exe, .scr, .zip and .pdf.
• Consider creating a geo-fencing strategy and not accepting emails or web links from countries where you are not doing business.
• Purchase any web domains that are similar to your organization’s name, since sometimes attackers will create email or web links that look very similar to the real company domain name to trick employees into opening it.

2. Create a Human Firewall – Provide ongoing training for employees about the dangers of phishing emails. Employees should understand that they should not open attachments or click on website links from unknown domains. Some organizations launch fake phishing campaigns to identify and retrain employees who click on potentially harmful email attachments and links. Read more information about free phishing training.

3. Back Ups – While the current files on your network are at risk, ransomware gurus have done their homework and sometimes set an attack to lay dormant for several days, so that when it launches it infects the network and the backups. Many healthcare organizations today have a multi-tiered approach to their back up strategy that includes keeping file history for 30-60 days and utilizing multiple back up methods and offline locations. Storage, backup and recovery strategy and execution are more mission critical today than ever before.

4. Limit File Sharing Access – Do not give every employee in the organization full access to the complete network. It makes sense to invest the time upfront to have a permission system in place to allow workflow productivity, but limit exposure to enterprise-wide network risks. If the unlikely event of an attack does happen, the ransomware can only attach itself to the parts of the network where the user has permissions.

5. Vette the Vendors – Outside contractors and business associates are predicted to be responsible for allowing up to 20 percent of all ransomware attacks. It is critical to ensure your vendors have a solid virus protection plan in place and follow HIPAA guidelines for compliance and security of PHI. Further, seek vendors who are HITRUST certified and meet the industry’s best practices for information security practices. For more information on HITRUST, see this blog.

6. Stay up to Date on Latest Emerging Attacks – Have a dedicated team within your organization that researches new products and services to better protect your data. Join InfraGard – the collective effort between IT professionals and the FBI, and provide an easy way for employees to report suspected phishing emails. Participate in webinars and industry conferences for new information.

The Future of Healthcare Cybercrimes

“Some organizations are already taking healthcare knowledge and thinking of ways to apply it in security. Tools developed to deal with human disease outbreaks might be applicable to containing computer viruses. One such protocol, developed by the World Health Organization in the aftermath of the Ebola crisis, encourages data sharing during pandemics to facilitate better response coordination. Systems for sharing data on healthcare industry computer virus outbreaks could provide similar benefits, but most companies have historically swept these incidents under the rug to avoid embarrassment.” – reports Will Greene, digital health entrepreneur and researcher in a recent online article in Techonomy.

Like many emerging technology issues, it makes sense to work together within your organization as well as with industry professionals, and in this case, law enforcement to steward your organization through new territory. IT security cannot be overlooked and a health audit of your email and data systems can be a good start. Every employee must be informed and trained to understand the risks of how a simple click here could be a multi-million dollar mistake that could temporarily wipe out the entire organization.

Rick Adams is Vice President of IT and Chief Security Officer at Harmony Healthcare IT (HHIT).

Since 2006, health IT analysts at Harmony Healthcare IT have extracted demographic, financial, clinical and administrative data from hundreds of healthcare applications- both ambulatory and acute. Headquartered in South Bend, Indiana, the company’s mission is to preserve vital information that will improve lives. Harmony Healthcare IT employs experts in data extraction, migration, retention, integration and analytics to provide its clients with trusted solutions. Working with hundreds of software brands, billions of records and petabytes of data, Harmony Healthcare IT — with its product, HealthData Archiver^® — provides clients with access to historical records. Simply.

Editor’s Note: Some content is from a blog originally posted on June 9, 2016,