Stay up-to-date on the Cures Act and more industry news. Follow Nextech on LinkedIn.

«  View All Posts


Ransomware Attacks Happen Every Day, Is Your Practice Safe?

By: Charlsie Niemiec | September 29th, 2022

Ransomware Attacks Happen Every Day, Is Your Practice Safe? Blog Feature

Concerned about ransomware attacks? You should be. With over 66 percent of healthcare organizations reporting they experienced a ransomware attack in 2021, proactively protecting your patients’ data has never been more critical.  

Ransomware attacks of today  

2021 saw the most aggressive ransomware trends yet. Over 45 million individuals were affected by healthcare-focused attacks (up from 34 million in 2020). Additionally, in 2021, it took an average of 212 days to identify ransomware attacks and often took an average of 75 days to fully handle the breach. According to the U.S. Department of Health & Human Services, data breaches involving stolen login credentials could last up to longer — an average of 341 days.  

With ransomware attacks increasing and the length of them doing irreparable damage to those attacked, it’s important to protect and educate your practice now.  

What does a ransomware attack actually mean?  

Ransomware attacks that target EHR providers come from malicious software that threatens to publish or block access to data or a computer system. These attacks will encrypt the data or system and then attackers will demand a ransom fee with a specific payment deadline.  

In addition to being potentially reputation-damaging and lengthy to come back from, ransomware attacks are also incredibly expensive. In 2021 alone, according to IBM, the average cost per incident was $9.3 million with over 40 million patient records compromised.  


Who are the targets of ransomware attacks?

While ransomware can happen without a specific target in mind, cyberattacks often go after organizations perceived as having smaller security teams or organizations that hold sensitive data such as patient health records.  
For an industry example, the Eye Care Leaders EHR system experienced multiple ransomware attacks, which have impacted over 3.6 million patients’ protected health information so far.  

Major companies like Accenture, Acer, Bose, CNA Financial and Hanesbrands have all been affected by ransomware attacks too. In Q2 of 2022, Hanes couldn’t fulfill orders for nearly three weeks due to an attack — resulting in $100 million in lost sales.  In 2021, CNA Financial reportedly paid a $40 million ransom to restore access to its system.  

What does a ransomware attack financially do?  

Ransomware attacks can financially ruin organizations. For EHR systems, to ensure patient health information is protected to the highest degree, HIPAA developed four tiers of penalties that can occur for those who have a data breach:  

  • First Tier: $100-$50K per incident (up to $1.5M)  
  • Second Tier: $1,000-$50K (up to $1.5M)  
  • Third Tier: $10,000-$50,000 (up to $1.5M) per incident  
  • Fourth Tier: at least $50,000 (up to $1.5M) per incident 

Additionally, experiencing a ransomware attack comes with the cost of lost business. According to IBM, 38 percent of data breaches result in a loss of business.  

How can you actively prevent a ransomware attack from happening?  

By choosing a secure and compliant EHR, first and foremost, you are actively preventing a ransomware attack from hitting your practice. The more security and compliance-focused your EHR is, the more you know your data and your patients personal health information will be harder to breach.  


How to stay safe and compliant  

To ensure your practice and patients have the highest standards of privacy, security, and compliance in your EHR, it’s important to ask the right questions such as:  

  • Does your EHR system have built-in security features like multifactor authentication?  
  • How is their EHR data center protected?  
  • How is EHR data backed up and how often?  
  • What layers of security does your EHR provide?  
  • What is the plan of action with your EHR system in case of a ransomware attack or data breach disaster?  
  • Is your EHR Service Organization Control (SOC) 2 Type II Compliant or higher?  

EHR SOC 2 Type II compliance requirements mean that an organization keeps a high level of information security over a period of time while setting up a process and practice that guarantees oversight into everything — so any unusual, suspicious, or unauthorized activity is easily flagged.  
SOC 2 compliance impacts cloud service providers, SaaS providers, and organizations that store client information in the cloud. To ensure privacy and compliance, these reports prove a client or patient’s data is protected and kept private from unauthorized users (like cyber attackers). Currently, Nextech is at level SOC 3. SOC 3’s are always Type 2 reports, which means that Nextech has demonstrated that our security controls are designed correctly and have continued to function exactly as intended.  

Let Nextech protect you from ransomware attacks 

Nextech’s EHR offers built-in regulatory and security features (like multi-factor authentication), plus automatic compliance-based updates.  

Additionally, Nextech has a HIPAA-certified cloud data center, which has no less than five unique layers of physical security measures, integrating state-of-the-art-technology (such as proximity cards and biometrics) with traditional security measures (combination locked hardware cages, on-site security personnel, and uninterrupted video surveillance).   

Constantly monitored for potential threats, our data center has expert cybersecurity personnel always on-site—24/7. All cloud data is protected by multiple layers including redundant firewalls. Backups are performed daily and stored on on-site recovery disks as well as to a secure off-site location that allows for immediate emergency data recovery in the case of a catastrophic event or natural disaster. 

To avoid operational downtime, massive fines, reputational damage, and ransomware attacks themselves, partnering with a secure and privacy-focused EHR is the only way. Learn how Nextech can protect your practice, schedule a demo.