In 2016, 27% of all security breaches were caused by hacking and ransomware. Experian* has predicted that healthcare organizations will be the most targeted business sector for cyber attacks in 2017, with ransomware an even bigger threat. It’s not just affecting large institutions; ransomware is attacking small healthcare providers like YOU. Info Services, Inc. had TWO clients whose data was held hostage in the same month at the end of 2016.
Ransomware is an invasive, highly sophisticated type of malware that literally locks a provider out of his or her data files. It features unbreakable encryption requiring a ransom (payable in bitcoin). If you don’t pay up, they don’t release your data. They target healthcare because you have a duty to protect and maintain the data. They target small healthcare providers because they assume you lack the cybersecurity expertise to protect against their attacks.
Most ransomware is activated when someone in a provider’s office clicks on a link in a spam email campaign. However, it can also be activated by malicious code injected into a legitimate website. Up-to-date anti-virus software is a must-have for all internet users, but anti-virus is not enough to stop all malicious invasions.
So what can a healthcare provider do to guard against ransomware?
Train staff not to click on links in spam emails or on unknown websites. Trust the source.
Maintain workable backups. If you have a current copy of your data and operating system files, there is no need to pay for their return.
Let’s talk about backups: Each provider should be utilizing both local external hard-drive and secure cloud-based storage options. All backups, regardless of methodology, must be encrypted with the provider controlling the encryption key. Info Services recommends the following:
A good baseline complete system backup on an external hard-drive utilizing EaseUS encryption backup software, maintained offsite in a lockbox, etc. Performed at least monthly, or weekly if you process a large amount of data.
A daily backup of practice management data files utilizing Enveloc, a secure cloud-based encryption service. (It’s automatic!)
A daily backup of practice management data files (separate Monday-Friday) utilizing EaseUS encryption software on an external hard-drive and saved offsite. Can be scheduled.
All backups should be periodically tested and verified, ensuring that you are backing up the pertinent files.
Does all this sound redundant? Yes, it is redundant on purpose! If you ask our clients who had to restore their data after the cyber attack whether these steps were too much trouble, they would each tell you “no way”.
*2017 Experian Data Breach Industry Forecast
Info Services, Inc. is an independent value-added reseller of EaseUS and Enveloc.