Self-Hosted EMRs Gain Viability in the Wake of the Change Healthcare Hack


Zach Launey
President
April 27, 2024

If you’re a private practice, you’re right to be concerned about the impact on your business if your cloud-hosted medical records go down. For those unaware, Change Healthcare, a subsidiary of United Healthcare, suffered a ransomware attack that took down EMR and billing access for thousands of medical practices. The American Medical Association put out a fantastic report detailing the impact on those that used Change Healthcare’s systems.

The impact of the attack was massive: 36% of practices that responded to the survey have experienced a suspension in claim payments, and 31% couldn’t make payroll.  

When Change Healthcare paid $22 million in ransom to the BlackCat hacking group, the group disappeared. A new group called RansomHub then posted samples of the data and said that they were the ones who had performed the hack, and that they had never been paid. Spokespeople from United Healthcare said that they paid the ransom to keep the protected health information (PHI) safe, but this is another example of why paying a criminal ransom is no guarantee of safety. Raids on ransomware groups by police forces have shown that the groups keep the data anyway. That’s $22 million down the drain, and over 2,000 practices have been significantly financially impacted. Wired has had great coverage of this event.

The sad reality that we find ourselves in is this: it’s going to happen again because there’s so much money to be made, and victims keep paying.

Is a private practice better off self-hosting its electronic medical records (EMR)? If one of these affected practices had followed a cybersecurity framework (e.g. Center for Internet Security Controls v8) and self-hosted their EMR, they wouldn’t have been a good target. A small or medium medical practice that follows the 3-2-1 backup rule and uses multi-factor authentication (MFA) would be able to recover from any attack much more quickly, so long as it employs a strong IT team. The practice would also be able to analyze router logs to definitively see whether data was taken and how much.

The only economically viable attacks against a self-hosted EMR come from trying to hack unpatched and unsecured systems, a problem that modern IT providers have solved. Beating ransomware groups comes down to following a cybersecurity framework and having good, regularly tested backups. This makes the juice not worth the squeeze.

I’d love to see data from insurers on how many practices with self-hosted EMRs have been breached to make a more detailed comparison. I would bet that self-hosted EMRs have a lower incident rate of ransomware than cloud-hosted EMRs, making this decision economically necessary for small to medium practices.
