Don’t get taken hostage: Practices must protect themselves from ransomware
Although ransomware attacks are more common in larger health care systems because of their size and deeper pockets, physicians’ offices are increasingly targets. Smaller offices are vulnerable both because of the quality and amount of available data on their computer networks — and because many physicians’ offices are easy to infiltrate. This article provides eight tips for preventing, or responding to, a ransomware attack, such as conducting regular software updates and monitoring staff use of online data.
Ransomware is a particularly malicious type of illegal software. Hackers use it to essentially kidnap a computer system and then demand that the system’s owner pay a ransom, often in digital currency such as Bitcoin, to release it. After the hackers have received the payment, they provide a decryption key to return access to the owner — sometimes.
Are physicians at risk?
Although ransomware attacks are more common in larger health care systems because of their size and deeper pockets, physicians’ offices are increasingly targets. Smaller offices are vulnerable both because of the quality and amount of available data on their computer networks — and because many physicians’ offices are easy to infiltrate.
Ransomware typically enters a computer system or network when someone accidentally clicks on a bad link or attachment that appears legitimate. Recently, a small medical practice in Battle Creek, Michigan, suffered such an attack, with devastating consequences. The attachment resembled a vendor invoice, but was actually ransomware, which then encrypted all the practice’s records. The office refused to pay the ransom, and the hackers responded by deleting everything. Some patients lost all or some of their medical records, and the practice eventually closed.
What can you do?
Here are eight tips to help you prevent, or respond to, a ransomware attack on your practice:
- Get educated. All staffers should receive training about computer security practices within the context of HIPAA, but also within the context of hackers and ransomware. Teach them not to click on links in suspicious emails and not to download files from unfamiliar websites. New hires are required under HIPAA to receive privacy and security training; this training should also align with the practice’s information security policies and antivirus procedures.
- Update regularly. It’s important to install software updates to fix bugs and vulnerabilities, tighten administrator-level access, strengthen firewalls, and improve antimalware and antivirus software. When developers or vendors provide patches or updates, download and apply them promptly and consistently.
- Establish a disaster response and business continuity plan. Every physician practice should have a plan on how to respond to disasters — whether fires, floods or other catastrophes. Be sure to include hacking and ransomware attacks as a potential calamity. This means performing regular data backups, verifying backup integrity and ensuring backups aren’t connected to the networks they’re backing up.
- Monitor practices. It’s one thing to educate staff on information security; it’s another to make sure they’re adhering to those lessons. Medical practices should be able to monitor user activity in real time — or at least receive regular reports about how staff members are accessing data and whether they’re following procedures. Integrate data security into your workplace culture.
- Designate a compliance committee or staff person. This person’s or committee’s responsibility will be creating compliance policies and procedures, as well as ensuring that staff receive appropriate training and continuing education. Many experts suggest conducting an annual drill to practice for a breach.
- Review your vendors’ qualifications. Most electronic medical record, portal and practice management software vendors should have security certifications. Are you sure yours do and, if so, do you know which certifications they hold?
- Update and review the practice’s professional liability insurance. Unfortunately, many such policies don’t cover cyberattacks such as ransomware. But you may be able to buy coverage. (See “To pay or not to pay the ransom.”)
- Hire a consultant. The stakes are high, and the topic is complicated and potentially time-consuming. If cost-effective, hiring an expert on health care cybersecurity can go a long way toward ensuring your practice is as prepared as possible.
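The backup tip above calls for verifying backup integrity, not just making copies. A ransomware incident is exactly when a backup silently overwritten with encrypted garbage is discovered too late. The following is an added example, not code from the original article or its author: it records a SHA-256 manifest of a backup set at backup time and later compares the files against it, flagging anything modified, missing or newly appeared. The file names and contents are constructed sample data; the manifest should be stored separately from the backup (and offline), as the article's isolation advice suggests.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backup archives don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir):
    """Map every file under backup_dir (POSIX-style relative path) to its SHA-256."""
    root = Path(backup_dir)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir, manifest):
    """Compare the current state of backup_dir with a manifest recorded earlier.

    Returns sorted lists: 'ok' (unchanged), 'modified' (hash differs, e.g. the
    file was encrypted or corrupted), 'missing' (deleted) and 'unexpected'
    (files not present at backup time, such as a ransom note)."""
    current = build_manifest(backup_dir)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: create a tiny backup set, record its manifest,
    then simulate ransomware damage and verify. Returns (clean, tampered)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        # Constructed sample files; no real patient data.
        (backup / "records" / "patient_001.txt").write_text("constructed sample record 1\n")
        (backup / "records" / "patient_002.txt").write_text("constructed sample record 2\n")
        (backup / "schedule.csv").write_text("date,patient\n2024-01-01,001\n")

        # Manifest is serialized so it can be kept somewhere the backup host can't write.
        manifest_json = json.dumps(build_manifest(backup), indent=2)
        manifest = json.loads(manifest_json)
        clean = verify_backup(backup, manifest)

        # Simulate damage: one file overwritten with ciphertext-like bytes,
        # one deleted, and a ransom note dropped into the tree.
        (backup / "records" / "patient_001.txt").write_bytes(b"\x00\xff\x13garbage")
        (backup / "schedule.csv").unlink()
        (backup / "README.locked").write_text("constructed ransom note\n")
        tampered = verify_backup(backup, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run:", clean)
    print("after simulated attack:", tampered)
```

Run the manifest build from the backup job and the verification from a separate, read-only vantage point on a schedule; any non-empty `modified` or `missing` list should trigger a restore test rather than waiting for an incident to reveal the problem.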
What could go wrong?
The modern world, with all its technological connectivity, is a dangerous place. The FBI indicates there are currently an average of 4,000 ransomware attacks per day in the United States.
If you intended to visit a place where the likelihood of being stalked, pickpocketed, mugged or kidnapped was as high as it is every day on the Internet, you’d likely either not go or take serious security precautions. Keep this in mind and protect the safety of your practice and its patients.
To pay or not to pay the ransom
The FBI has guidelines on ransomware prevention and response, which can be found at https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view. One concern with paying a ransom is that the hackers will either not release the captive data or raise the ransom amount — the first demand being a fishing expedition to see how the business responds. The FBI doesn’t recommend paying a ransom, but notes that it’s a serious consideration requiring a look at all ways to “protect shareholders, employees, and customers.”
Some insurance companies cover cyberattacks, including data breaches, digital security issues, cybercrime and hacking. If covered, the terms of the policy may have guidelines or requirements for whether to pay a ransom.
Most experts say to never pay. If you have appropriate up-to-date backups that are isolated from the affected network, and a thorough disaster recovery plan, refusing to pay and dealing with the aftermath may be effective. But if you don’t have protections in place and the alternative is losing all of your medical and financial records, you might decide payment is worth the risk. The best solution is to be prepared.
Visit our technology services page to see how we might be able to help you, or contact Mark Jensen on 973-298-8500.