Hardly a day goes by without hearing of some new ransomware infection. We see the headlines daily. “US hospital pays $55,000 to hackers after ransomware attack.” “Cybercriminals target hospitals with SamSam ransomware attacks.” “Ransomware attack disrupts emergency services at Ohio hospital.” And with the price of a single patient record reaching up to $1,000 on the black market, we know for a fact that attacks on healthcare practices like yours won’t ever stop.
So what’s a provider to do? Pay hundreds of thousands of dollars to some overpriced security company with no understanding of how healthcare providers work, who may cause more damage than the hackers themselves? Just give up and hope ransomware won’t impact you?
No way! Thankfully, you can take several easy steps to protect your healthcare practice from ransomware. But first, let’s explain what ransomware is.
What is Ransomware?
Ransomware, at its core, is a malicious computer program (“malware”) that encrypts all your files. The only way to decrypt your files is to pay the person who infected you some money. If they’re “honest”, once you pay up, they’ll give you the decryption key and you can access your files again. But that’s not a guarantee – some attackers have created ransomware that can never decrypt your files whether or not you pay the ransom.
Normally, an attacker will spread ransomware by tricking someone into downloading and opening a file with the malware attached. IT security professionals call these files “Trojans” after the Trojan Horse from Greek mythology, as these fake files look legitimate. However, some ransomware, like WannaCry, can spread without user interaction.
Let’s Protect Your Healthcare Practice from Ransomware in Four Simple Steps
Install a good antivirus and update it regularly.
A good heuristic-based antivirus can protect against most forms of ransomware. Unfortunately, the free trial of Norton or Symantec you got when you bought your new computer won’t work. Most antivirus vendors write “signature-based” antivirus programs, which attackers can circumvent trivially.
We recommend an antivirus called Cylance, but others work equally well. Regardless of the solution you choose, make sure to update your antivirus regularly. We recommend weekly at a minimum. If possible, daily updates work even better.
Conduct regular backups of all mission-critical data.
Let’s say your practice gets a ransomware infection. Would you rather pay the ransom and hope the hackers will honor their promise and give you back your data? Or would you want to simply wipe the infected machine, reinstall from a clean backup, and be back in business in hours? We’d definitely recommend the latter option. That’s why you must conduct regular backups of all your data.
Make sure to do backups frequently, daily if possible. Plenty of automated solutions exist, and Windows even has built-in backup solutions you can use. A few clicks, and you’re good to go.
Further, always test your backups to make sure you can restore them quickly. You never want to discover, after an infection, that the backups you’ve been taking regularly are unusable because of a power outage or data corruption.
Finally, try to back up your data off-site – rent an Amazon Web Services instance or work with a disaster recovery provider. Backups don’t do much good if they’re encrypted by ransomware too, so storing your backups off-site helps mitigate that risk.
Educate your staff on the risks of ransomware.
As we said above, most ransomware spreads with the help of user interaction. While most people don’t willingly download ransomware onto their machines, humans still pose the greatest risk to a healthcare practice’s security. Make sure that all your staff, from the head doctor to the receptionists, know what ransomware does and what they can do to avoid infection. Regularly remind them not to open files they do not expect to receive, especially via email. Ask them not to engage with email addresses they don’t recognize, and never to click on links in emails they don’t know. Don’t let them disable any security settings on their computers. If they accidentally click on something suspicious, encourage them to tell you immediately, and definitely don’t punish them for speaking up. Also consider a professional security awareness training program, like PhishMe.
Get outside professionals to help you.
We at Keyqo Security know you’re expertly trained healthcare professionals. You didn’t put yourself through years of medical (or dental or podiatry) school, then go through residencies and fellowships and all that, just to sit and work on your IT systems. And we know you don’t want to go through the tedious process of interviewing an IT security person, not to mention paying the salary and benefits a qualified employee would demand. You have patients who need you, and who you should care for first. Let someone else take care of the tech stuff.
Why not outsource your security concerns to people who specialize in healthcare IT security? Partner with a company that both knows how healthcare providers work and has the technical know-how to protect your practice against ransomware and all the other security threats out there. Work with someone with proven experience in securing an EHR, who has conducted security audits on healthcare companies of all shapes and sizes, and who can give you the security tools you need to secure your practice.
Partner with Mark and Jennifer today. Let us do the heavy IT work for you, so you can focus on what truly matters: the health and well-being of your patients.