3 more steps to protect your practice from a ransomware attack and the aftermath

by Roy Edroso on Sep 12, 2018

In the most recent issue of Part B News, we offer six preventive steps that can save your data in the event of a ransomware attack. In case you want to be extra-secure, our experts now offer three more. 

Ransomware, as the story mentions, is a dangerous form of computer attack increasingly turning up in medical facilities' computer networks, usually delivered via a phishing exploit but sometimes (though rarely) via a "brute force" attack on your cyberdefenses.

Our experts' additional advice:

Stop your regular HIPAA breaches. A dirty little secret is that medical practices violate HIPAA on the regular -- via promiscuous use of virtual voice assistants of the kind that have become increasingly popular in doctors' offices, for example, and by careless texting to patients and other who-can-be-bothered workarounds (PBN 7/13/18, PBN blog 12/29/18).

"In some cases we’ve seen where small practices might share accounts and logins for systems and software, which is specifically prohibited by HIPAA requirements, although many practices don’t realize that," says Jesse Salmon, an information security architect with Kareo in Irvine, Calif. (PBN 10/9/17).

These aren't just compliance issues. They actually make your systems less secure and more prone to attack. For this reason, "medical practices need to secure the human," Salmon says. That is, get your employees to follow both HIPAA protocols and "how sensitive information should be handled and sent," he explains.

Make sure your cyberinsurance is ransomware-ready. "Companies tend to focus on the ransom amount" when they consider the cost of a ransomware attack, says Bill Siegel, CEO and co-founder of Coveware in Westport, Conn. "But with ransoms averaging just around $1,000, the actual ransom amount is often less than a cyber policy deductible and a fraction of the downtime costs." Siegel advises making sure your policy language covers "business interruption costs, regulatory fees or fines and any liability associated with leaked patient data."

You'd think this would be standard for cyberinsurance contracts, but it's not, warns Sanjay Deo, president of 24By7 Security in Coral Springs, Fla. "Often, an insurance policy may only cover ransom payment partially," he says. "Nevertheless, having cyber insurance cover part of a ransomware attack may still be more beneficial than not having one at all."

Have a ransom-payment policy. Companies often pay the ransom demanded by hackers on the theory that the relatively small sums these invaders usually ask are worth the time they buy and the hassle they spare the practice as it attempts to rebuild its systems. Since ransomware attacks are quick and don't leave a lot of time for decision-making, you should set some guidelines ahead of time, based on how much and under what circumstances you're willing to pay.

"We often hear people from the government telling people not to pay the ransom for ransomware," says Andy Jordan, senior security architect for Mosaic451 in Phoenix. "The argument is that it helps the attacker and they will inevitably hit you with a stronger attack next time. The reason this philosophy fails is that most organizations will not sacrifice themselves to fight terrorism on behalf of the government," Jordan says. "Paying the ransom is not a simple ethics issue; it’s a business issue."

The information contained herein was current as of the publication date. © Copyright DecisionHealth, all rights reserved. Electronic or print redistribution without prior written permission of DecisionHealth is strictly prohibited by federal copyright law.