
As little as five years ago, hackers were lone individuals operating on their own. Today, cybercrime is a multi-billion dollar business. Organized crime – typically from Eastern Europe, Russia, and India – has helped hacking reach a level of sophistication that now involves hiring professional developers and hackers to come up with new and innovative ways to carry out attacks. A hacker working for one of these organizations can net a salary of about $150,000 a year.

One of the biggest cyber threats today is ransomware, typically delivered through legitimate-looking emails claiming to be from sources such as your CEO, a financial institution, or even PayPal or Facebook. These emails will instruct the recipient to download an attachment or click on an embedded link. The malicious software is then downloaded and run, and once that happens, it’s game over.

The ransomware virus will encrypt any files it comes across on your system, network, and servers, and as of today this encryption remains uncrackable. The only way to regain access to your data is to pay the hacker responsible for the decryption key and hope that they actually return your files to you. The other alternative is to ignore the ransom demand and hope that your data backups are enough to restore your practice to its pre-infection status.

The healthcare sector is the number one target for these attacks. 88% of all attacks are aimed at healthcare providers. To add some perspective to this statistic, the second most targeted sector is education – accounting for 6% of all ransomware attacks. Hackers consider healthcare entities to be low-hanging fruit, mainly because they tend to have lax IT security protocols in place, and are generally very quick to pay a ransom demand for their patient data. There has also been a noticeable trend in healthcare workers simply lacking the awareness to avoid falling victim to a ransomware scam.

Additionally, patient information can fetch huge sums for cybercriminals on the online black market known as the Dark Web. A credit card number has a value of about $8. A healthcare record on the other hand is worth about $60. The average data breach will compromise about 10,000 records. That’s a payday of $600,000 for the hacker responsible.

More than half of all US hospitals were hit with a ransomware attack in 2016. In virtually every case, these entities believed that they had adequate security measures in place, but the reality is that unless you have a multi-layer system in place to protect your data, your practice is left extremely vulnerable.

Ransomware has become such a prevalent issue within the healthcare industry that the Department of Health and Human Services (HHS) has released guidelines for how a healthcare entity is expected to respond to a ransomware attack. All business associates and covered entities are now required to report a ransomware infection as a data breach, regardless of the scope of the attack. Failure to do so will result in fines from the OCR. Depending on how negligent the OCR finds your practice, fines can range from $600,000 to $5 million. On top of that financial blow, the class action lawsuits that can follow can easily cost upwards of $50 million in settlements.

Very recently, a tool called RanSim was released to help healthcare organizations test the vulnerability of their IT network. Developed by one of VITECH’s partners, KnowBe4, RanSim is already proving to be an invaluable tool to help healthcare organizations prevent a real ransomware attack. By running a completely harmless attack simulation, this tool tests 5 different infection scenarios, and produces results in just a few minutes.

To properly protect your practice from a ransomware attack, there are 8 security protections you can implement right now to better your odds of avoiding an attack.

  • Education and Awareness – The biggest prevention tool available to you is simply educating your staff. The human element of your organization is easily the weakest element. People are generally very gullible, and don’t think to question emails that don’t immediately jump out at them as being suspicious. Implementing an employee training plan to generate awareness can overcome a lot of these vulnerabilities.
  • Strong Passwords/Pass Codes – Any and all devices that are used to access patient data should be protected by a strong password or pass code. This includes mobile devices. Applications and accounts should also have strong password protection. Most importantly, do not use the same password for multiple accounts and devices. Encryption technology should be used for all of your mobile devices, computers, servers, and files as a way to stay a step ahead of cybercriminals. Not only does it make your important data useless to anyone who does not have the decryption key, but it can be a huge asset to your practice where compliance is concerned. HHS states that if you have encryption in place, you do not have to report a data breach.
  • Keep Your Patches Current – Besides email, one of the main exploits for hackers is unpatched systems. It is extremely easy to exploit a system or device that is not up to date with the latest patches. Implementing a patch update policy can handle this vulnerability. This includes your firewall and antivirus programs, as well as programs like Flash and Adobe.
  • Have a Regularly Tested Data Backup System in Place – It’s not enough to just have a data backup in place to protect your valuable data. Backups need to be completed daily, and data should be backed up to a secure offsite location. These backups should be monitored around the clock, and tested at minimum once a month. This protects your data not just from a ransomware attack or some other form of corruption, but from accidental deletion or data loss caused by hardware failure.
  • Don’t Allow Staff to Access ePHI From Personal Devices – If your practice has ePHI that is stored outside of your EHR system, do not transmit that information through email, and do not use a personal mobile device to access that data. If a device cannot be remotely wiped when it is lost or stolen, or confiscated after the employee leaves your organization, it should never be used to view ePHI of any kind.
  • Install a UTM Firewall – Unified Threat Management (UTM) firewalls are better equipped to handle modern threats. They have features such as built-in virus scanning, intrusion detection and prevention, website filtering, malware filtering, spam filtering, and data loss prevention. If your current firewall is more than 2 years old, you should seriously consider replacing it with a more advanced option.
  • Spam Filtering – More than just filtering out junk mail, a next-gen spam filter will remove viruses, block phishing attempts, prevent malware, and even boost productivity by cutting down on the number of useless emails cluttering your inbox.
  • Website Filtering – This UTM firewall feature will allow you to block access to known malware sites, preventing malicious content from ever loading. It also provides the added benefit of allowing you to block access to known time wasters such as social media sites, once again boosting productivity.
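The backup item above states a concrete policy (a copy offsite every day, restore-tested at least monthly). The following script, added here as an example and not VITECH's or KnowBe4's code, checks a constructed backup log against that policy; the log format, event names and dates are assumptions for illustration.

```python
"""Checks a constructed backup log against the rules above: an offsite copy
every day and a restore test at least monthly (added example, not VITECH code)."""
from datetime import date, timedelta
import hashlib

# Constructed log, '<date> <event> <target> <digest>': 2016-11-03 was never
# copied offsite and the last restore test is 35 days before TODAY.
SAMPLE_LOG = """\
2016-10-01 restore-test offsite d0
2016-11-01 backup onsite d1
2016-11-01 backup offsite d1
2016-11-02 backup onsite d2
2016-11-02 backup offsite d2
2016-11-03 backup onsite d3
2016-11-04 backup onsite d4
2016-11-04 backup offsite d4
2016-11-05 backup onsite d5
2016-11-05 backup offsite d5
"""
TODAY = date(2016, 11, 5)

def parse_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            day, event, target, digest = line.split()
            rows.append((date.fromisoformat(day), event, target, digest))
    return rows

def check_backup_policy(rows, today, max_test_age_days=30):
    """Return policy findings; an empty list means the policy is met."""
    findings = []
    backup_days = {d for d, e, _, _ in rows if e == "backup"}
    offsite_days = {d for d, e, t, _ in rows if e == "backup" and t == "offsite"}
    day = min(backup_days)
    while day <= today:  # daily cadence: every day needs an offsite copy
        if day not in offsite_days:
            findings.append(f"{day}: no offsite backup")
        day += timedelta(days=1)
    tests = [d for d, e, _, _ in rows if e == "restore-test"]
    if not tests:
        findings.append("no restore test on record")
    elif (today - max(tests)).days > max_test_age_days:
        findings.append(f"last restore test {max(tests)} older than {max_test_age_days} days")
    return findings

def verify_restore(restored_bytes, expected_sha256):
    """Restore test: restored data must hash to the digest recorded at backup time."""
    return hashlib.sha256(restored_bytes).hexdigest() == expected_sha256

def run_sample():
    return check_backup_policy(parse_log(SAMPLE_LOG), TODAY)
```

Run `run_sample()` to get the two findings for the constructed log; in a real deployment the log would be fed from the backup software and the check scheduled to run after each backup window.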

It’s extremely important to take the threat of cybercrime seriously. It is by no means a small threat, especially to the healthcare industry. If you are not prepared for it, you will find yourself not only out thousands of dollars in ransom fees, but at risk for huge fines from OCR, and class action lawsuits costing millions.

Have a threat assessment completed to find out where your practice stands when it comes to cyber security. Determine where your security measures might be lacking, and how your employees are using company-owned devices. Figure out if your data backups are adequate to protect your practice, and if your network protections are sufficient. Talk to your IT provider, and create a plan of action to take care of any and all potential vulnerabilities. Ongoing maintenance is critical to keeping your practice secure.

Want to find out how VITECH can help keep your practice safe from cyber threats? Contact us at {email} or {phone}. We’re the IT professionals practices in {city} trust.
