A NC-based family physician shares lessons learned after his independent practice was collateral damage in a third-party ransomware attack originating at a cloud provider.
January 24, 2023 – When Ed Bujold, MD, FAAFP, of Granite Falls Family Medical Care Center in North Carolina, found out in October 2021 that his practice had been impacted by a ransomware attack waged against its cloud vendor, he realized that he had three options.
One, close the practice and retire. Two, sell the independent practice that he had been running for nearly 40 years to a large health system.
The third option was to “dig in your heels and do whatever it takes to figure out how to keep the doors open,” Bujold said in an interview with HealthITSecurity.
Bujold chose the third option, electing to work through weeks of uncertainty without access to the practice’s EHR and practice management systems as the cloud provider worked with the FBI and a cybersecurity team to negotiate with the Russian syndicate that was holding its data for ransom.
“There is never a good time for this to happen, but this came on the heels of the COVID pandemic, which exposed primary care practices, particularly those that were independent, to significant financial vulnerability,” Bujold said.
In the months following the attack, Granite Falls Family Medical Care Center worked to re-establish cash flow while having to revert to paper records to keep operations running as smoothly as possible. By March 2022, Granite Falls Family Medical Care Center once again had a fully functioning EHR system.
Rather than keeping the valuable lessons learned throughout this ordeal to himself, Bujold wrote about the ransomware attack and how his practice handled it in a reflection piece published in the Annals of Family Medicine. In an interview with HealthITSecurity, Bujold expanded on his experience and shared details about the people and tools that helped his practice move forward. <Read More>
Michelle’s Take – The data you store in your vendor’s EHR is yours, so you need to protect it. Unfortunately, you cannot rely on a EHR vendor’s cyberliablity policy to protect your practice adequately. Cyber liability policies, including those that provide pre and post-breach services, are fairly inexpensive. Call if you want to know more.