Protecting your Practice and Patients Against Ransomware Attacks
By Practice Growth July 15, 2021
Unfortunately, no data is completely protected against hackers. Websites are attacked by skilled professionals and dark web syndicates in constant pursuit of confidential consumer information. Despite this, there are ways you can protect your medical practice and your patients against these attacks.
Being the victim of a cyberattack puts both your business and your patients at risk. Once hackers get into your system, they can access your patients’ Social Security numbers, addresses, insurance information, and other personal data.
Remember that practices of all sizes can fall victim to a cyberattack. Follow the steps outlined in this article, whatever the size of your practice, to ensure that your patients’ data is kept safe and secure.
What is a ransomware attack?
Ransomware is malware that locks (encrypts) your company’s data and demands money in exchange for the decryption key. It is usually activated when you open a malicious email.
A ransom message then appears on your computer screen. Opening the email lets the hackers get past your firewall and other security features. They will usually set a deadline and demand a specific sum of money.
What should I do if I receive an email or message about ransomware?
There are a few steps that should be taken immediately.
Always take a picture of the message. Then disconnect your server and call your preferred IT professional. Speak to all employees as soon as possible so they don’t panic or reply to any messages from the hackers.
File an incident report according to your Internet Service Provider’s handbook. Sometimes the IT professional is not qualified to handle this alone and your electronic health record (EHR) vendor needs to be contacted. Keep a record of every step you take to resolve the incident.
Notify law enforcement
Never handle a ransomware attack entirely on your own. Always contact your local law enforcement, and make early contact with the FBI. The FBI has to be notified of all cybercrimes, regardless of the size of the attack or the amount of money demanded.
Follow HHS protocol
HHS and HIPAA require certain information and actions within the first 60 days of a data breach or cyberattack. Make sure all protocols are followed and fully documented in case you are asked to produce them later.
The most important HHS protocols to be followed are:
● Complete an OCR report at hhs.gov/hipaa.
● Inform all patients via mail.
● Publish a notice to a local media outlet.
● Offer free credit monitoring.
● Conduct HIPAA and IT security training for all employees.
● Post an alert on your company’s website.
● Give all patients an 800 number to call with any questions or information.
How can I keep from getting ransomware attacks?
Now that you know what to do if you fall prey to a ransomware attack, let’s discuss how best to avoid one. Set up the following protocols and features to reduce the risk of ransomware attacks in the future.
● Get a firewall. Many are cheap and easy to use.
● Get antivirus software and keep it up to date to ensure that it keeps working.
● Make sure all your vendors and partners know how to use the software. Regularly train and test all employees to ensure they are safeguarding information.
● Create and use a data security plan that will notify all affected parties if a breach happens.
● When an employee or vendor leaves the practice, ensure that their password cannot be used to access the system or any information after they leave.
● Give all new employees new usernames and passwords. Never reuse old login information.
● Only give employees access to the information and documents they need. No employee needs access to everything in the practice.
● Use secure channels to deliver patient-related documents and data.
● Conduct assessments regularly to find any parts of your software that are high risk or vulnerable.
● Isolate sensitive applications from the rest of the practice’s network. You should also isolate the computers that are specifically used to access these applications.
Should I get insurance?
Many practices decide to get cyber liability insurance. This covers hacker attacks, viruses, and other incidents that can steal or destroy your practice’s data.
A good insurance company can also help you set up your network and firewall. The policy should cover all digital assets, such as company computers and phones.
How much do ransomware attacks cost and should I pay them?
The cost of every data breach is different and depends on the hacker. The average cost of a data breach is $204 per record.
Hackers get better every day, which means they can access more records and demand more money. Some people choose to pay the decryption fee if their backup system isn’t performing well.
Others feel comfortable simply restoring from the last backup, because it will contain most of the information they need.
Remember that a ransomware attack is a crime handled by the FBI. Seek their advice before paying for the key, and always inform them of any messages or communication from the hacker.