6 Steps to Prevent Ransomware

With names like “WannaCry,” “Petya,” “Fusob” and “CryptoWall,” you might think it was time to put away the children’s toys and get back to patient care. But, the unfortunate reality is you need to know as much about these new threats as you do about C. diff, E. coli, or MRSA.

This type of attack is called ransomware: malware that typically arrives through an email attachment, a compromised or malicious website, or an exposed and unpatched network service, and then blocks access to patient information by encrypting your records until a ransom is paid.

New Attacks: Large and Small

Easy-to-use ransomware kits sold on the Dark Web have made these attacks simple to carry out even for unsophisticated would-be criminals. Meanwhile, attacks on a global scale are coming from increasingly sophisticated criminal organizations with significant financial backing and resources. Most of these attacks now target businesses and organizations rather than individuals, because an organization that cannot reach its records pays more, and pays faster. Worryingly, these attacks have been extremely successful and lucrative for the criminals, which further incentivizes the tactic.

Time to Fight Back

Organizations large and small must put serious effort into protecting patient records and computer infrastructure. You can’t wait any longer to train your staff, and you can’t put off security investments until the next fiscal year. Take the threat seriously and make these six changes to improve the security of your computer systems:

6 Steps to Prevent Ransomware

  1. Install Updates
    Install all updates and security patches for your operating system and for every application that receives them, and set software to update automatically wherever possible. Unpatched vulnerabilities are the gaps ransomware exploits to get in and, once inside, to spread from one machine to the next; WannaCry, for example, spread through a Windows flaw for which Microsoft had released a patch two months earlier.
  2. Be Wary of All Links and Attachments
    Never click on unexpected links or open unexpected attachments, even from known or trusted contacts, since a sender’s own account may have been compromised. When in doubt, confirm with the sender by phone or in person rather than by replying to the message. Email is the most likely route for ransomware to enter your organization.
  3. Perform Frequent Backups
    Frequent backups of your records and any essential files are imperative. If ransomware hits your system, you can restore to a previous state instead of paying. Attackers now deliberately seek out and encrypt or delete backups, so at least one copy must be offline or otherwise unreachable with the credentials an ordinary workstation or server uses; a backup drive that is permanently mapped as a network share will be encrypted along with everything else. Keep several generations rather than a single rolling copy, and test restores regularly. Be aware that malicious encryption can also proceed slowly over days or weeks, so that recent backups already contain damaged files; you then need to identify the last clean generation, which is far easier if each backup records a hash of every file it contains. Backups are the recovery plan, not the prevention plan, so also implement the other measures here and closely monitor your network for signs of unusual activity, such as large numbers of files being rewritten in a short time.
  4. Protect All Personal Information
    Be suspicious of phone calls, visits or emails that request information about employees or internal details about your facility, and verify the requester’s identity before providing anything. Also consider what your organization publishes about employees online and what staff share on social media: those personal details are often used to build a targeted and very convincing phishing campaign.
  5. Reduce Spam
    Install and maintain anti-virus software, firewalls and email filtering. Good filtering keeps most spam and phishing out of inboxes before a user ever has to judge a message. We often rely on the IT department to take care of everything, but every user has a role in making sure the software on their own machine is running and up to date, in using the mail client’s filtering and reporting features, and in reporting suspicious messages that slip through.
  6. Train Staff
    Staff training has (reasonably) focused on HIPAA and on protecting patient information from accidental disclosure or fraudulent misuse. That is understandable, given the specific requirements and motivation behind the law. Now is the time to expand training to include more elements of cyber and information security.

Employees must be instructed on safe internet usage and on the many forms a phishing email can take. An attack could arrive as the latest viral video, a link to a popular social media site or a notice from the business next door about a lost dog, details an attacker can gather with a simple web search.
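Step 3 above makes two points that are easy to state and hard to act on: backups get encrypted along with everything else, and slow encryption means the most recent generation may already be damaged. The script below is an added example, not code from the original article or from MedBridge, showing one way to cover both. Each backup generation gets a manifest recording every file’s size, SHA-256 and Shannon entropy; comparing consecutive manifests flags files that changed and now look like ciphertext (high entropy, and a sharp jump from the previous copy), and the last generation with no such changes is the one to restore from. The three "generations" and their file contents are constructed sample data, and the `_fake_ciphertext` helper stands in for what a real ransomware would leave behind.

```python
import hashlib
import math
from collections import Counter

# Constructed sample data: three "backup generations" of a small record store,
# each a dict of path -> file contents. Real generations would be read from
# offline backup media; everything below is made up for this example.


def _fake_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for a ransomware-encrypted file."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


NOTE_A = b"Patient reports improved range of motion after three sessions.\n" * 40
NOTE_A_EDITED = NOTE_A + b"Plan: continue home exercise programme, reassess in two weeks.\n"
NOTE_B = b"Fall risk assessment completed; no changes to medication list.\n" * 40
CLAIMS = b"claim_id,patient_id,amount\n" + b"".join(
    b"%d,%d,%d.00\n" % (i, 1000 + i, 75 + i) for i in range(200)
)

GENERATION_0 = {"notes/patient-001.txt": NOTE_A,
                "notes/patient-002.txt": NOTE_B,
                "billing/claims.csv": CLAIMS}
# Week 2: one note legitimately edited, one silently encrypted by the intruder.
GENERATION_1 = {"notes/patient-001.txt": NOTE_A_EDITED,
                "notes/patient-002.txt": _fake_ciphertext(b"note-b", len(NOTE_B)),
                "billing/claims.csv": CLAIMS}
# Week 3: the claims file has been encrypted as well.
GENERATION_2 = {"notes/patient-001.txt": NOTE_A_EDITED,
                "notes/patient-002.txt": _fake_ciphertext(b"note-b", len(NOTE_B)),
                "billing/claims.csv": _fake_ciphertext(b"claims", len(CLAIMS))}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 3-5 for English text or CSV, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files: dict) -> dict:
    """Record size, SHA-256 and entropy of every file when the backup is taken.
    The manifest belongs with the offline copy, not on the live network."""
    return {
        path: {"size": len(data),
               "sha256": hashlib.sha256(data).hexdigest(),
               "entropy": shannon_entropy(data)}
        for path, data in files.items()
    }


def suspicious_changes(older: dict, newer: dict, high=7.0, jump=2.0) -> list:
    """Paths whose content changed between two generations and now look encrypted:
    entropy is high in absolute terms AND jumped sharply from the previous copy.
    The jump test keeps already-compressed files (zip, jpg, PDF) from being flagged
    merely because they were rewritten."""
    flagged = []
    for path, new in newer.items():
        old = older.get(path)
        if old is None or old["sha256"] == new["sha256"]:
            continue  # brand-new file, or unchanged since the last generation
        if new["entropy"] >= high and new["entropy"] - old["entropy"] >= jump:
            flagged.append(path)
    return sorted(flagged)


def last_clean_generation(manifests: list) -> int:
    """Index of the newest generation showing no encryption-like changes against
    its predecessor; that is the generation to restore from."""
    for i in range(1, len(manifests)):
        if suspicious_changes(manifests[i - 1], manifests[i]):
            return i - 1
    return len(manifests) - 1


MANIFESTS = [build_manifest(g) for g in (GENERATION_0, GENERATION_1, GENERATION_2)]

if __name__ == "__main__":
    for i in range(1, len(MANIFESTS)):
        print(f"generation {i - 1} -> {i}: {suspicious_changes(MANIFESTS[i - 1], MANIFESTS[i])}")
    print("restore from generation", last_clean_generation(MANIFESTS))
```

On the constructed data the week-2 comparison flags only `notes/patient-002.txt`, the week-3 comparison flags `billing/claims.csv`, and generation 0 is reported as the last clean one. The entropy thresholds are a heuristic, not proof: a file that is legitimately replaced with compressed or encrypted content will trip them, and a ransomware that only encrypts the first few kilobytes of large files may not. Treat a non-empty result as a reason to investigate the host that wrote those files, and keep enough generations that the clean one has not already been rotated away.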

Too late, what now?

What should an infected organization do? Pay the ransom? Call the FBI? That is for the organization to decide, though the FBI advises against paying: payment funds further attacks and does not guarantee the files come back. In the meantime, if you’re infected, stop the spread. Disconnect affected machines from the network right away (pull the cable, turn off Wi-Fi), leave them powered on so your IT department or a forensic responder can collect evidence, and power them down only if you cannot disconnect them. Revert to paper records until your IT department tells you it’s safe to start everything up again.

This is probably a good time to tell you that the new emergency preparedness regulations require you to plan for a cyber attack, including how you will continue to operate without access to electronic records. It’s time to get serious.

An easy first step is to incorporate more information security and email phishing information into your regular HIPAA training. MedBridge has got you covered there. All of our HIPAA courses include this important information in a form specific to each staff role.

HIPAA: Information Security
HIPAA: Clinical Training for the Healthcare Setting
HIPAA: Working with Business Associates
HIPAA: Patient Privacy and Information Security in Home Health