You’ve been thinking that your private practice won’t get hacked? Or that your small, rural hospital is totally under the global cyber crime radar? That there’s not enough monetary value in your database to interest cyber thieves? You’re just wrong. Protected Health Information (PHI) is coveted for identity theft and fraudulent payor claims, and because it is highly regulated and mission critical, the organizations that hold it are under real pressure to pay when it is locked up: a digital goldmine for the army of cybercriminal extortionists operating outside U.S. borders.
The Department of Homeland Security reported in July that there has been an average of 4,000 ransomware attacks per day since January 1, 2016. In the first half of the year, there were four Adobe Flash and Microsoft Silverlight vulnerabilities that, if left unpatched, let attackers deliver ransomware through nothing more than a web browser: a health worker using an EHR Googles a patient’s condition, lands on a booby-trapped page, and gets ransomware without opening a single attachment. Keeping up with patches is just one of the many facets of warding off attacks, and this battle does not appear to be slowing down: ransomware alone is projected to exceed $1 billion in damages this year.
In fact, the healthcare industry had the highest number of all data breaches reported, suffering 39 percent of all breaches that occurred in 2015, according to Mountain View, Calif.-based cyber security firm Symantec’s 2016 Internet Security Threat Report. In Reston, VA, more than 13,000 patient records at a one-doctor dermatology practice were compromised and encrypted, with the attackers demanding payment for their release. All patients had to be notified that their personal information had been breached. Similarly, the small 86-bed King’s Daughters’ Health hospital in Indiana discovered that a single email carrying the Locky ransomware, once opened, reached a server and started encrypting data. KDH immediately powered down its computer systems to protect the remaining data, and faced significant downtime and careful PR navigation as a result. In both cases, healthcare businesses were the losers.
Healthcare organizations, along with small businesses and schools, make good targets for ransomware attacks because they usually lack the sophisticated backup systems and other resilience measures that are typical at large corporations. Attacks often begin with an e-mail attachment opened by an unwitting employee. The attachment launches malicious code that spreads through the victim’s systems, encrypting files on the local machine and on any network shares it can reach, and in some variants locking the operating system itself. The cyber criminals then demand payment in return for the decryption key. Attacks like these often don’t make headlines because the victims understandably don’t want to talk about them, whether they pay or not.
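To make the encryption stage concrete, here is an added example (not from the original article and not DKBInnovative’s tooling) of the kind of check a practitioner runs on a file server or workstation after a suspected infection. It walks a directory tree and flags three indicators of ransomware activity: a known ransom-note file name, a known ransomware file extension, and files whose contents are near-random (high Shannon entropy) despite carrying an extension that should hold readable data. The `.locky` extension is the one named on this page; the ransom-note name, the entropy threshold and the sample files are assumptions constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from typing import Dict, Optional

# Indicators. ".locky" is the extension used by the Locky family named on the
# page; the note name is an assumption for illustration. A real deployment
# would load these lists from a threat-intel feed instead of hard-coding them.
RANSOM_NOTE_NAMES = {"_locky_recover_instructions.txt"}
RANSOM_EXTENSIONS = {".locky"}

# Formats that are compressed or encrypted by design and therefore look like
# ciphertext even when benign. Skipping them keeps the entropy check from
# drowning the analyst in false positives on images, archives and Office files.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png",
                   ".pdf", ".mp4", ".docx", ".xlsx"}

# Bits per byte. English text scores roughly 4 to 5, well-encrypted data
# approaches 8. The 7.5 cut-off is an assumed, conservative threshold.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 65536      # only the first 64 KiB is read per file


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> Optional[str]:
    """Return an indicator label for `path`, or None if nothing suspicious is seen."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if ext in RANSOM_EXTENSIONS:
        return "ransomware_extension"
    if ext in HIGH_ENTROPY_OK:
        return None                     # legitimately high-entropy format
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    # Very small samples give unreliable entropy estimates, so require 256 bytes.
    if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "high_entropy"
    return None


def scan_tree(root: str) -> Dict[str, str]:
    """Map each flagged file (relative to `root`) to the indicator that fired."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            verdict = classify_file(full)
            if verdict is not None:
                findings[os.path.relpath(full, root)] = verdict
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory mimicking a partly encrypted clinic share."""
    root = tempfile.mkdtemp(prefix="phi_demo_")
    # Benign: readable clinical note (low entropy, plain-text extension).
    with open(os.path.join(root, "visit_notes.txt"), "w") as fh:
        fh.write("Patient seen for follow-up. Blood pressure normal. " * 50)
    # Encrypted in place: random bytes but still carrying a .csv extension.
    with open(os.path.join(root, "labs_2016.csv"), "wb") as fh:
        fh.write(os.urandom(8192))
    # Encrypted and renamed with the ransomware's own extension.
    with open(os.path.join(root, "xray.locky"), "wb") as fh:
        fh.write(os.urandom(1024))
    # Ransom note dropped alongside the victims' files.
    with open(os.path.join(root, "_Locky_recover_instructions.txt"), "w") as fh:
        fh.write("All of your files are encrypted. Pay to recover them.\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, label in sorted(scan_tree(sample_root).items()):
        print(f"{label:22s} {rel_path}")
```

Entropy on its own cannot tell ciphertext from compressed media, which is why the allowlist exists and why a real response also looks at the rate of writes and renames, at ransom notes appearing in many directories at once, and at EDR telemetry; this scan is a triage aid for scoping how far an infection such as the one at KDH has spread, not a substitute for prevention or backups.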
“Ransomware attacks are crimes of opportunity,” points out Keith Barthold, CEO of DKBInnovative, an IT management company headquartered in Dallas, TX. “Medical practices in particular are low-hanging fruit for cyber criminals because patient files contain easily sold information such as social security numbers or Medicare particulars. And attackers know that extortion works when the alternative to paying is often downtime, data loss, bad publicity, and steep HIPAA compliance fines. The best way to protect the data of medical businesses of any size is prevention.”
“Your level of exposure to potential ransomware can be identified,” says Barthold. “You need to have a professional team who understands healthcare security perform a security risk audit. Risk mitigation to ensure the privacy of your patient information can then be implemented pretty quickly. But you must also realize,” he added, “that technology can change almost hourly these days. What protects your data this week could be obsolete in two weeks. Preventing cyber crime has become a highly specialized endeavor. IT management must stay on the leading edge of security best practices and the solutions available to best keep systems protected. It’s a complicated dance between the good guys and the bad guys. You have to have true passion and absolute devotion to your healthcare clients to keep them protected.”
Contact DKBInnovative at dkbinnovative.com or by phone at (429) 828-2468 for a free list of ransomware prevention tips.