Episode 66 - Hack Attack
Your data — and that of your patients — are prime targets for cyber criminals. With cyberattacks becoming more prevalent in healthcare, how safe is your data? Ethan Bing, practice administrator at Medical Colleagues of Texas, recounts his experience of dealing with a data breach firsthand. Learn how to keep your data safe, the importance of having a plan in place should your practice fall victim, and hear about the practice's transition to Intergy Hosted.
Joe: On this episode of "Putting Possibility Into Practice," cyber criminals are in hot pursuit of your data and your patients' data. It seems as if each day news of a cyber attack in the healthcare industry makes headlines. What can your practice do to be proactive in preventing data breaches? Do you have a plan in place in case you are attacked by a cyber criminal? And what happens when you and your practice fall victim to data thieves? We'll answer those questions and more with a practice who was victim of cyber criminals. This is "Putting Possibility Into Practice" and it starts right now.
I'm Joe Agostinelli, social media manager at Greenway Health and I welcome you to this episode of "Putting Possibility Into Practice." If you are a returning listener, we are glad you have made it back to our podcast and if you are a new listener, I invite you to subscribe on your podcast platform of choice and we'll have details on those a little later on in this episode. Ethan Bing of Medical Colleagues of Texas joins me on this episode of our podcast as we discuss cyber security and your practice. Ethan is the practice administrator at MCT of Texas who first hand went through a data breach. And Ethan, thank you for taking time out of your day to join me.
Ethan: Thank you for having me back.
Joe: And you just alluded to it, you've been on the podcast before, but for those who may not recall, a little background of the practice that you're with.
Ethan: Yeah. So, again, we're a practice that's out here in Katy, Texas. We're right outside of Houston. We were established back in the '80s, but we have physician roots in the region going back over 100 years. We're an 11 doc multi-specialty group, focused in primary care and OB-GYN. And just to give you a bit of reference for our size. In 2018, we had over 32,000 unique patient visits and as of today, we have about 70,000 patient accounts in our system.
Joe: So a tremendous growth in what, 32,000 unique patient visits and 70,000 patient accounts in the system. Obviously, the importance of the security of that patient data is high on your guys' priority.
Ethan: Yeah, absolutely. I mean, first of all, Joe, it is the law. But ultimately, there's a myriad of consequences that patients could face with poor information management on our part. I don't even have to go into that. But truly the way we see it here is that it's ultimately about patient respect. You know, the physician-patient relationship remains sacred in large part because of that security and safety that's implied by the visit and by us establishing that relationship.
Joe: And let's go back in time. And now MCT of Texas was a victim of a data breach, correct?
Ethan: We were unfortunately a couple of years back, but I do remember it like it was yesterday. Physicians had come to me and said, "Hey, our system is lagging." So I called Greenway support, we logged into the servers and found a bunch of rogue accounts. I remember being terrified as we had to pull the plug on our system. It was probably a Tuesday or Wednesday and I had no answers for our staff or for our physicians on really what was going on, what we were doing or when we could come back, get our system back up.
And so, over the next year, we spent time sending out over 50,000 patient notifications. We had to pay for credit monitoring for all those that signed up. We had a third party call center for at least three months contracted to help us with our response and, of course, going back and forth with reporting to the OCR. We're very fortunate and happy to say that we got through to show there was no negligence, but still the cost in terms of blowing through our cyber security insurance policies and the brand...the tarnishing on the brand from us letting down our patients really hurt. We were lucky that there was no obvious indication that our patient data was taken or used. And based off of the very little feedback from patients in terms of having issues with potential information out in the public. Again, we're very lucky. It could've been much worse, but still it's something that was not fun to deal with, that's for sure.
Joe: Now, prior to the data breach, did you already have or the practice already have a process in place or a plan in place in the event of such a breach? Or was it, you guys, you know, this happened, you recognized there was a problem and went into response mode?
Ethan: Yeah. So we did have a policy in place. But honestly, nothing's going to prepare you for the months and months of headaches and the unique day to day situations that you face when you go through this. You know, we were very lucky to have a wonderful firm representing us and helping us through the process. But ultimately, like I said, you just can't be prepared enough.
Joe: And you alluded to, you know, contacting Greenway when your physicians first saw there seemed to be a problem. How does the practice partner with Greenway now, and how did you partner with Greenway at the time? Has it changed at all with the solutions that you're using?
Ethan: Yeah, so we were first on our own servers with Intergy. But we did move to the IOD, Intergy On Demand, hosted solution after the breach. Right when it happened, we were very fortunate to have our field rep, Tony, at the time, come out and kind of talk through the different options that we had, either rebuilding our servers or switching to the hosted solution. But it was an obvious decision to move to IOD due to the many benefits, one in large part due to the security experts that Greenway is able to provide that, you know, a practice of our size and even bigger, can't afford to have experts of that caliber, you know, working on our systems every day. So it's been great.
Joe: So what advice would you give other practices to prepare for and, you know, put into place some sort of a plan to respond to a data breach?
Ethan: I think at first people need to understand that, hey, you know, hindsight is 20/20 and you can't go back after it's happened. And that no system is 100% safe. You know, access and security are tradeoffs, and having good access is not worth the consequences of poor security. So ultimately what I would advise is to at least get a third party assessment of your systems, bias is blinding. And before our incident, you know, I was thinking that, you know, that could never happen to us, that we're completely safe. But at the end of the day it's good to have somebody that you pay to tell you one way or the other.
And then the last thing I think is really important is to take a look at your cyber security policy. Like I said, or may have said, we blew through ours. And it seems like a lot when you're signing up for it. But the premium difference, at least in our upgraded policy was quite low compared to the extra coverage you get. So perhaps spend time looking at how much it truly costs to respond to a breach and make sure you have coverage across that cost.
Joe: And what has MCT learned, you know, from the breach?
Ethan: That data security is becoming incredibly complex and expensive, and that it's going to continue on that trajectory. You know, small and medium-sized practices don't have the capabilities that are required to be able to protect against the new cyber criminals and tactics that are out there. And so finding ways to outsource that security to the experts is key to be able to keep up. I think that's why our partnership with using IOD and Greenway has been so important in the past couple of years. It's allowed us to take a step back and spend time focusing on what we do best, which is caring for patients, not just protecting data.
Joe: And you talked about policies and procedures, you know, obviously in place and I can only imagine, you know. What was it like instituting new policies and procedures following the breach and how has the staff reception been to, you know, obviously something new following the breach?
Ethan: Yeah. Glad you brought up staff because really, it's something that I'm very fortunate. Our staff are absolutely wonderful. They took the breach in stride. I'm very proud of how they stuck in there and responded when patients called that were rightfully unhappy. Kind of getting through, dealing with that, trying to run a practice at the same capacity that we were running it before the breach. And then implementing new policies and procedures which take more time and more energy and attention that detract from your work day. You know, we did upgrade things. For example, we put our password update requirements on an uneven cycle so that it makes it very difficult for users to use the same password on every system, which improves our security. And then I'd like to tip my hat to Greenway. They've done a lot as well in terms of improving it. IOD, for example, now locks after 15 minutes of inactivity. So it gives me the peace of mind if a staff member has to rush away and forgets to lock their system, it will be protected.
Joe: And what was that transition like? You just mentioned the IOD. What was that transition like? Excuse me, to the IOD Intergy hosted. Was there any downtime in the practice at all in getting everything transitioned or how did that go?
Ethan: Yeah, so I like to boast that at least I think we were the fastest conversion in Greenway history. I was just blown away with the support that we had in this terrible time with going from our onsite systems to IOD. I believe it was four days that it took to get us on that system. Of course, we had to have our systems offline. So if you're converting now, it may be a bit different, but I doubt the level of support would be any different. We had a lot of help and a lot of access to support even today, with making sure that the IOD is working well.
I'd also like to note that one of the biggest learning curves was teaching staff that are maybe less tech savvy on how to use remote desktops. But there were a lot of unexpected benefits that came with the solution that made it that investment in teaching much worthwhile. For example, there were no more routine Intergy upgrades that we had to do on our 60-plus workstations. We didn't have to do routine server maintenance, and of course, it gets easier offsite access for our physicians that are in the hospital. So overall, it's been absolutely great.
Joe: And what advice would you have for other practices who may be considering that hosted service?
Ethan: I would first consider the true cost of providing adequate data security and comparing it to the cost that you'll have to pay to get on IOD. Also look at how much time you'll save with not having to continue to support your own servers. Ultimately, I think the cost advantage is there with just those time savings. But when you get the security benefits, it seems like a no brainer to me.
Joe: Well, Ethan, I want to thank you for your time out of your busy day and discussing this all important topic with us and some great information for practices out there who, if they have not found themselves in the same boat as MCT of Texas with a data breach, very well someday could. So hopefully, some of the information that you shared will help them one way or another. Thank you, again.
Ethan: Yeah, thank you, Joe. Enjoyed it.
Joe: And once again, that was Ethan Bing, the practice administrator of Medical Colleagues of Texas. And I invite you to visit their website for more on their practices at www.mctkaty.com, www.mctkaty.com. And for more information on Intergy Hosted and some of the other solutions that we talked about on this episode of "Putting Possibility Into Practice," I invite you to visit our website at www.greenwayhealth.com. I'm Joe Agostinelli, the social media manager at Greenway Health and I thank you for tuning into this episode and a reminder that you can subscribe to our podcast on your platform of choice. We are on a number of platforms including iTunes, Google Play Podcast, stitcherfm.radio, SoundCloud, Spotify, Libsyn, iHeart Radio, TuneIn Radio and look for more platforms coming soon.
This has been another episode of our podcast "Putting Possibility Into Practice." Thanks for listening.