Ransomware gained traction last year as one of the top threats facing individuals and organizations, according to the 2017 Internet Security Threat Report from security giant Symantec.
Between stronger encryption, anonymous Bitcoin payments and spam campaigns spreading malware at scale, ransomware was and continues to be the most dangerous cybercrime threat.
For cybercriminals, healthcare providers are the ideal ransomware target because they rely on the information contained in medical records to take care of their patients. Providers need access to diagnoses, treatments, drug histories and other information contained in their patients' records, and will pay ransoms without hesitation rather than risk their patients' lives. Moreover, victims are forced to pay in untraceable bitcoins, preventing criminals from getting caught.
Yet healthcare providers are woefully unprepared for the real threat of ransomware and are not taking all the steps necessary to protect their data. Hackers know this and are moving in. It's a low-risk business for both seasoned cybercriminals and amateurs, and has reached a level of sophistication that would surprise even the most savvy CIO.
Now Ransomware-as-a-Service (RaaS) lets amateur hackers with limited technical skills purchase low-cost ransomware tools from a cybercriminal and send the malware out to random or targeted businesses. If the phishing scam bears fruit, the cybercriminal receives 20 percent of the profits.
Entry-level attackers can also place online orders with a RaaS provider and bypass the malware deployment process altogether. If they're going after healthcare organizations, they can submit a list of medical practices to a RaaS and place an order to send ransomware phishing emails to practice employees. Phishing emails are still being opened by nearly one out of three recipients, according to Verizon's 2016 Data Breach Investigations Report, even though security experts have been warning the computing masses about phishing scams for over a decade.
An employee could fall for a phishing scam and click on a link because the email resembles an overdue invoice. The email could have a Word document attached that, when opened, deploys harmful malware and encrypts a medical practice's data.
If the practice is forced to pay the ransom in bitcoins, the RaaS even offers customer support services to guide victims through the process. Some RaaS outfits have chat services. Others have live agents who reassure victims their files are safe and even advise them to update their antivirus software, after they've paid the ransom!
Ransomware is a sophisticated, multi-billion dollar crime ring.
Yet many healthcare providers are blasé about data security and protecting their patient information. They do a "check the box" security risk assessment (as was the case with many healthcare providers attesting for Meaningful Use) and not the actual due diligence of backing up files, encrypting data, training employees, etc. Oftentimes, hospitals will back up only portions of patient records because they don't have the storage capacity to back up large files, including x-rays and MRIs, nor the budget for an expensive cloud backup service.
Healthcare providers need to inoculate themselves against ransomware and other security break-ins by performing a security risk assessment and taking the following steps to protect their patients' precious information:
1. Identify proper security measures to reduce the likelihood of a threat and its impact. A security risk assessment looks at how patient information is currently protected. How often does the practice perform data backups? Is there an employee termination procedure? Do employees have the minimum level of access to patient information?
2. Inventory patient information – locate where patient information is stored, accessed or transmitted. It could be an electronic health records (EHR) system, but also a Microsoft Word document in the form of patient letters, Excel spreadsheets used as billing reports, or scanned images of insurance Explanation of Benefits (EOB) forms. These documents could be on desktops or laptops. Patient information could also be in emails or text messages on smartphones or tablets.
3. Encrypt data, not only to protect against attacks but to help alleviate any potential penalties, as regulators will take into account whether a firm did all it could to protect the data.
4. Train employees and create access policies. Train employees to recognize phishing scams and phone scams, follow rules for accessing public wi-fi and social media posting, and to avoid other risky behaviors in order to prevent breaches.
5. Give employees limited access. Review policies to ensure that employees access only the information in patient records that they need to perform their jobs. Make sure that procedures are in place to prevent terminated employees from accessing patient records.
6. Develop a breach response plan. Have a response plan in case a breach does occur. Specify who will be on the response team, what actions the team will take, and how the practice will prevent another breach from occurring. The security risk assessment (SRA) will make sure a plan exists and all employees are trained in how to respond.
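Two of the assessment questions above (step 1's backup frequency and step 5's minimum-necessary and termination checks) can be turned into repeatable checks over a practice's own exports. The script below is an added example, not code from the article or from HIPAA Secure Now!; the roster, access grants, backup log, role policy and 24-hour backup window are all constructed stand-ins for a practice's real data and policy.

```python
from datetime import datetime, timedelta

# Constructed HR roster: each user's role and employment status.
ROSTER = {
    "alice": {"role": "physician", "status": "active"},
    "bob": {"role": "billing", "status": "active"},
    "carol": {"role": "front_desk", "status": "terminated"},
}
# Constructed access export from the EHR: user -> record sections readable.
ACCESS = {
    "alice": {"diagnoses", "treatments", "drug_history", "billing"},
    "bob": {"billing"},
    "carol": {"diagnoses", "billing"},
}
# Assumed minimum-necessary policy: sections each role may read.
ROLE_POLICY = {
    "physician": {"diagnoses", "treatments", "drug_history"},
    "billing": {"billing"},
    "front_desk": {"demographics"},
}
# Constructed backup log: dataset -> time of last successful backup.
BACKUPS = {
    "ehr_db": datetime(2017, 5, 1, 2, 0),
    "imaging": datetime(2017, 4, 20, 2, 0),  # x-rays/MRIs not backed up for days
}
# Constructed time at which the review is run.
REVIEW_TIME = datetime(2017, 5, 1, 12, 0)


def terminated_with_access(roster=ROSTER, access=ACCESS):
    """Step 5: users holding EHR access who are not active employees."""
    return sorted(u for u, a in access.items()
                  if a and roster.get(u, {}).get("status") != "active")


def excess_access(roster=ROSTER, access=ACCESS, policy=ROLE_POLICY):
    """Step 5: sections a user can read beyond their role's minimum."""
    findings = {}
    for user, sections in access.items():
        role = roster.get(user, {}).get("role")
        extra = sections - policy.get(role, set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def stale_backups(now, backups=BACKUPS, max_age=timedelta(hours=24)):
    """Step 1: datasets whose last good backup is older than policy allows."""
    return sorted(name for name, t in backups.items() if now - t > max_age)
```

Run against real exports, each non-empty result is an assessment finding to remediate (revoke the account, trim the grant, or fix the backup job) and to document.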
Invest the time and devote the resources to perform a comprehensive risk assessment yourself or employ an IT security consultant to keep cyber predators away from the data network.
Bio
Art Gross is the president and CEO of HIPAA Secure Now!, which provides risk assessment, training and other security services to medical practices. He can be contacted at artg@hipaasecurenow.com.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.