Self-Hosted EMRs Gain Viability in the Wake of the Change Healthcare Hack

If you’re a private practice, you’re right to be concerned about the impact to your business if your cloud hosted medical records go down.  For those unaware, Change Healthcare, a subsidiary of United Healthcare, suffered a ransomware attack that took down the use of the EMR and billing for thousands of medical practices. The American Medical Association put out a fantastic report detailing the impact for those that used Change Healthcare’s systems.  

The impact of the attack was massive: 36% of practices that responded to the survey have experienced a suspension in claim payments, and 31% couldn’t make payroll.  

When Change Healthcare paid $22 million in ransom to the BlackCat hacking group, the group disappeared.  A new group called RansomHub posted samples of their data and said that they were the ones who had performed the hack, and they had never been paid.  Spokespeople from United Healthcare said that they paid the ransom to keep the protected health information (PHI) safe, but here’s another example why paying a criminal ransom is no guarantee of safety.  Raids on ransomware groups by police forces have shown that the ransomware groups keep the data anyway.  That’s $22 million down the drain and over 2,000 practices have been significantly financially impacted. Wired has had great coverage of this event.

The sad reality that we find ourselves in is this: it’s going to happen again because there’s so much money to be made, and victims keep paying.

Is a private practice better off self-hosting their electronic medical records (EMR)?  If one of these affected practices had followed a cybersecurity framework (i.e. Center for Internet Security Controls v8) and self-hosted their EMR, they wouldn’t have been a good target.  A small or medium medical practice that follows the 3-2-1 backup rule with multi-factor authentication (MFA) would be able to recover from any attack much quicker so long as they employ a strong IT team.  The practice would be able to analyze router logs to definitively see if data was taken and how much.

The only economically viable attacks against a self-hosted EMR come from trying to hack unpatched and unsecured systems, a problem that modern IT providers have solved.  The practice of beating ransomware groups is following a cybersecurity framework and having good, regularly tested backups.  This makes the juice not worth the squeeze.

I’d love to see data from insurers on how many practices with self-hosted EMRs have been breached to make a more detailed comparison.   I would bet that self-hosted EMRs have a lower incident rate of ransomware than cloud hosted EMRs, making this decision economically necessary for small to medium practices.

‍