Ransomware – bad and getting worse

The black market value of Protected Health Information (PHI) reportedly dropped in 2016, leading to an increase in Ransomware attacks. This is no surprise, since a set of health records now attracts prices between $1.50 and $10, versus $50 to $60 back in 2012.

The price decline has driven cyber-criminals to change their tactics and look for new ways to make up for the downturn. Many have opted for Ransomware, and it doesn’t look like this trend will change any time soon.

Ransomware is digital extortion

Ransomware is a type of malicious software designed to lock important patient files or computer systems until a sum of money is paid. Digital extortion. The attacker encrypts the victim’s data and demands payment in return for the decryption key.

Spear-phishing is a carefully crafted email that tricks the recipient into clicking to open a malicious document or embedded link, or into visiting a corrupted website. Attackers use deceptive social engineering to manipulate individuals into revealing private information that is then used for fraudulent purposes. From there, malware is installed on the user’s computer or server and quickly encrypts the data. It’s bad, and getting worse.

Once active, Ransomware encrypts the files on a computer including but not limited to:

  • Digital images
  • Spreadsheets
  • PDFs
  • Word documents

Sometimes, the malware locks the user out of the computer entirely, with no access to files or applications, and sometimes not even the desktop.

Double Trouble

According to the FBI, the initial ransom amount is anywhere from $200–$5,000, accepted in Bitcoin digital currency. Ransomware wouldn’t carry much weight if the hackers didn’t satisfy their end of the bargain, so it’s rare that an attacker won’t decrypt the files after payment. But Ransomware isn’t necessarily done there. After the ransom is paid and you receive the decryption key, it could happen again.

What if a hacker seized all patient records from your practice and encrypted them? Without a clean backup outside of the network, thousands of files would suddenly become inaccessible and the dental practice wouldn’t have the vital information needed to treat patients. Patient records and insurance payments would be lost, and your patients’ private information may be compromised.

Prepare for Ransomware

Ransomware is a real threat that has the potential to cripple dental practices that don’t exercise the safeguards to prevent it. This type of malware is too effective for criminals to stop using it.

Do these things to protect your dental practice from Ransomware!

Take this 2017 HIPAA Risk Assessment: The Risk Assessment is a systematic process of evaluating potential risks within your practice, and it is required by law. Your patients will appreciate your commitment to protecting their private information.

Make offsite backup and recovery a priority: After a Ransomware attack, the first question an IT pro will ask is whether you have a clean backup. Successful backup files are the only ones that count, so make certain that a recent clean copy is stored offline, safe from Ransomware. Restoring your files is a race against the clock. It can take anywhere from 15 minutes to days, depending on the circumstances.
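One way to act on the backup advice above and on the file types listed earlier, as an added example that is not from the original post: a Python script that audits a backup copy and flags files of the listed types whose normal header is gone and whose contents look like ciphertext, so a practice can tell whether a "backup" was taken after the encryption started. It assumes the Word and spreadsheet files are the zip-based .docx/.xlsx formats and builds its own constructed sample directory to run against.

```python
import math
import os
import tempfile
from collections import Counter

# Leading bytes expected for the document types the article lists (assumption:
# Word/Excel files are the zip-based .docx/.xlsx, which start with "PK\x03\x04").
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".jpg": b"\xff\xd8\xff"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def check_file(path: str) -> str:
    """Classify one file: 'ok', 'suspect' (looks encrypted), 'mismatch' or 'unknown'."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return "unknown"
    with open(path, "rb") as f:
        head = f.read(4096)
    if head.startswith(expected):
        return "ok"
    # A wrong header combined with near-random bytes is what an encrypted file looks like.
    return "suspect" if entropy(head) > 7.5 else "mismatch"

def audit_backup(root: str) -> dict:
    """Walk a backup copy and record a verdict for every file of a listed type."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in MAGIC:
                full = os.path.join(dirpath, name)
                verdicts[os.path.relpath(full, root)] = check_file(full)
    return verdicts

def build_sample_backup() -> str:
    """Constructed sample backup: two intact files, one 'encrypted', one corrupt."""
    root = tempfile.mkdtemp(prefix="backup_check_")
    samples = {
        "chart.pdf": b"%PDF-1.4\n" + b"placeholder chart text\n" * 50,
        "xray.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 500,
        "billing.xlsx": bytes(range(256)) * 16,  # ciphertext stand-in: all byte values equally often
        "notes.docx": b"not a real docx file " * 20,  # wrong header but low entropy
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root
```

Run audit_backup against the offline copy before relying on it; a backup full of "suspect" verdicts was taken too late to be useful.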

Step up to the cloud: If you are using dental cloud software-as-a-service and direct image capture, then pat yourself on the back. SaaS is software licensed on a subscription basis and centrally hosted in the cloud. Ransomware cannot attack in-office data that isn’t there because it is stored in the cloud instead. Not all dental SaaS cloud vendors are equal, so do your homework.

Keep software current: Security vendors constantly work on definition updates to catch malware before it infects your files. Antivirus and anti-malware services are highly recommended. Confirm you are running the most recent versions of these products and update them regularly.

Train your staff: Human error is the weak link in a Ransomware crisis. In most cases, malware is downloaded by a practice member surfing the web or opening a link or attachment in a phishing email.

Create a Ransomware and malware disaster recovery plan: Each member of your staff who uses an office computer needs to understand your practice’s data security plan in order to avoid the devastating effects of a Ransomware attack.

The final word

With EHR records comes the responsibility of protecting your patients’ privacy and your reputation as a dentist. The intent of HIPAA compliance is to ensure the two go hand in hand.

There is no silver bullet for eradicating all cyber-threats. Dental practices cannot simply purchase a security appliance, install it on their network and assume that it will keep them safe. Ransomware doesn’t take advantage of outdated applications or operating systems; it is disruptive and takes advantage of susceptible people through email “click” bait.

HIPAA compliance practices may be tedious and seem like a waste of resources, but creating a culture of compliance helps fend off the bad guys. This is a small price to pay compared to the consequences of a breach, Ransomware attack, OCR investigation or disastrous loss of reputation.

 Ted Takahashi