Ransomware is a particularly malicious type of illegal software. Hackers use it to essentially kidnap a computer system and then demand that the system's owner pay a ransom, often in digital currency such as Bitcoin, to release it. After the hackers have received the payment, they provide a decryption key to return access to the owner — sometimes.
Are physicians at risk?
Ransomware attacks are more common in larger health care systems because of their size and income levels, but physicians' offices are targets as well. Smaller offices are vulnerable both because of the quality and amount of available data on their computer networks. Many physicians' offices are easy to infiltrate.
Ransomware typically enters a computer system or network when someone accidentally clicks on a bad link or attachment that appears legitimate. Recently, a small medical practice in Battle Creek, Michigan suffered such an attack, with devastating consequences. The attachment resembled a vendor invoice, but was actually ransomware, which then encrypted all the practice's records. The office refused to pay the ransom, and the hackers responded by deleting everything. Some patients lost all or some of their medical records, and the practice eventually closed.
What can you do?
Here are eight tips to help you prevent, or respond to, a ransomware attack on your practice:
- Get Educated
All staffers should receive training about computer security practices within the context of HIPAA, but also within the context of hackers and ransomware. Teach them not to click on links in suspicious emails and not to download information from unfamiliar websites. New hires are required under HIPAA to receive privacy and security training; this training also should align with the practice's information security policies and anti-virus procedures.
- Update Regularly
It is important to install software updates to fix bugs and vulnerabilities, improve administration-level access, strengthen firewalls and improve anti-malware and anti-virus software. When developers or vendors provide patches or updates, download them immediately and consistently.
- Establish a Disaster Response and
Business Continuity Plan.
Every physician practice should have a plan on how to respond to disasters — whether fires, floods or other catastrophes. Be sure to include hacking and ransomware attacks as a potential calamity. This means performing regular data backups, verifying backup integrity and ensuring backups are not connected to the networks they are backing up.
- Monitor Practices
Not only do you want to educate the staff on information security, you also want to make sure they are following protocol and adhering to those lessons. Medical practices should be able to monitor user activity in real time — or at least receive regular reports about how staff members are accessing data and whether they are following procedures. Integrate data security into your workplace culture.
- Designate A Compliance Committee or
This person or committee's responsibility will be to create compliance policies and procedures, as well as ensure that staff receives appropriate training and continuing education. Many experts suggest conducting an annual drill to practice for a breach.
- Review Your Vendors'
Most electronic medical record, portal and practice management software vendors should have security certifications. Are you sure the vendors you use do, and if so, which certifications do they possess?
- Update and Review The Practice's
Professional Liability Insurance
Unfortunately, many such policies do not cover for cyberattacks such as ransomware. But you may be able to buy coverage (see "To Pay or Not to Pay the Ransom").
- Hire a Consultant
The stakes are high, and the topic is complicated and potentially time-consuming. If cost-effective, hiring an expert on health care cybersecurity can go a long way toward ensuring that your practice is as prepared as possible.
What could go wrong?
The modern world, with all its technological connectivity, is a dangerous place. The FBI indicates there are currently an average of 4,000 ransomware attacks per day in the United States.
If you intended to visit a place where the likelihood of being stalked, pickpocketed, mugged or kidnapped was as high as it is every day on the Internet, you would likely either not go or take serious security precautions. Keep this in mind and protect the safety of your practice and its patients.
Sidebar: To pay or not to pay the ransom
The FBI has guidelines on ransomware prevention and response, which can be found at Ransomware Prevention and Response for CISOs. One concern in paying ransomware is that the hackers will either not release the captive data or raise the ransom amount — the first demand being a fishing expedition to see how the business responds. The FBI does not recommend paying a ransom, but notes that it is a serious consideration requiring a look at all ways to "protect shareholders, employees and customers."
Some insurance companies cover cyberattacks, including data breaches, digital security issues, cybercrime and hacking. If covered, the terms of the policy may have guidelines or requirements for whether to pay ransomware.
Most experts say to never pay. If you have appropriate up-to-date backups that are isolated from the affected network and a thorough disaster recovery plan, refusing to pay and dealing with the aftermath may be effective. But; if you don't have protections in place and the alternative is losing all of your medical and financial records, you might decide payment is worth the risk. The best solution is to be prepared.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.