Like the boy who cried wolf in the fable, we hear so often about this or that threat that we simply become numb to the noise and ultimately turn a deaf ear. Sadly, attackers exploit our tendency to ignore all but the most immediate dangers. Ransomware is evolving, growing, and becoming increasingly sophisticated and effective.
In a recently published survey of IT firms, including Acentec, Inc., we were asked about our clients’ experience with ransomware in 2016.* What they reported is startling.
- 91% of the firms surveyed reported recent ransomware attacks on their clients.
- 100% reported increasing frequency of attacks.
- 93% of ransomware evades antivirus and anti-malware detection.
- Healthcare is the second most targeted industry.
Recently, we reported in one of our free weekly HIPAA security reminders on an attack called “Bad Rabbit.” This month, the healthcare industry is experiencing highly targeted email phishing schemes. In a typical example, you receive a seemingly routine email from a referring physician with an attached PDF, Word, or other document. However, the sender’s system had been compromised by a virus that sends out reply emails to their existing contacts. Once the attachment is opened, your files are encrypted, your systems are locked, and your monitor displays the dreaded ransomware threat – pay us or we’ll delete your data.
Just such a situation has happened to numerous CAP physicians. Here’s one member’s story:
“A member of our staff opened an email one day, and moments later, we were all locked out of our computers with a red screen saying we need to pay them to get back into our system. We immediately called our IT company. They eventually had to wipe out all of our computers and restore everything from backups. We were down for two days and had to cancel patient appointments as they arrived, since we didn’t have any records. In the end, we lost a week’s worth of data, and had some fairly upset patients. Although it was not a HIPAA breach, we did report it to the FBI.”
What can you do to avoid being added to the growing victim list? Train your staff to be aware and stay aware. The majority of attacks are coming through emails.
Here are some general rules:
- Don’t click links in emails. Instead, open a web browser and go directly to the site.
- Don’t open email attachments. If you receive an email with an attachment, call the sender to confirm they sent it.
- If you did open an attachment and it asks you to enable something, don’t.
- Lock down your network to scan for threats at the firewall. Call us if you need help with this.
Finally, accept that despite your best efforts, you may still get attacked. If that happens, you have two options – pay the ransom, or wipe your systems and restore from backup. The FBI advises never paying the ransom, since there’s no guarantee you’ll get your data back, and many don’t. So you’re left with restoring from backup. If you don’t have a business disaster recovery device (BDR), put it on Santa’s wish list and make a New Year’s resolution to implement one in 2018. A BDR will eliminate downtime and lost data, and it could very well save your practice and your reputation.
* Survey conducted by Datto of 1,100 leading IT firms in the country.
Jeff Mongelli is CEO of Acentec, Inc., a nationwide provider of HIPAA compliance and medical IT management services. If you have any questions about this article or would like recommendations, please contact him for a free consultation at 800-970-0402 or jeffm@acentec.com.