
Anatomy of a Ransomware Attack: A Guide for Healthcare Practices


Ransomware attacks can paralyze healthcare practices, jeopardizing patient data and operations. Learn how these cyberattacks happen and discover crucial steps to protect your practice from becoming a target.


You’ve probably seen spam emails that pretend to be advertisements, a coworker asking a question, or alerts that your account needs a credit card for verification. Your IT advisors tell you to ignore them without clicking on any links, report them, and then delete the email — and for good reason. These emails are one of the ways ransomware attackers gain access to your computer and network.

Healthcare practices of all sizes are prime targets for ransomware because they generate valuable data. The attackers can exploit data about patients, financials, and operations to make money. Even a brief disruption in your ability to access your software and data can be disastrous for your practice and leveraged by attackers to demand payment.

What is Ransomware?

Ransomware is malicious software that an attacker uses to block your access to a computer system or its data until you pay a ransom. What’s truly alarming is that an attacker may have access to your network for months before making themselves known. During this time, they might gain access to the domain administrator’s account and steal your files and data. Often, you won’t recognize that your system has been compromised until the final stage of the attack, when you receive the ransom notice.

How Does a Ransomware Attack Unfold?

Here’s how an attacker might introduce ransomware to your network.

Phishing

In a phishing scam, an attacker sends an email, text, or other communication that looks legitimate, sometimes even appearing to come from within your organization. However, opening a link in the message can give the attacker access to your device or to the security credentials for your accounts.

Single-Factor Authentication

Accounts that use only a password (single-factor authentication) are easier targets for attackers than those with multi-factor authentication, which requires additional verification. You are especially vulnerable if you reuse passwords, use weak passwords, or follow a pattern when creating passwords. Attackers often use software that tests thousands of passwords in a short period. If the software guesses correctly and you have not enabled multi-factor authentication, they can access your system — and any other accounts where you use the same password.

Exploiting Vulnerabilities in External-Facing Devices

External-facing devices, such as laptops, printers, and most internet-connected medical equipment, are common in healthcare practices. If they are not properly maintained and regularly updated, many of these devices are subject to “critical vulnerabilities” that attackers can exploit. Common critical vulnerabilities include running an old version of an operating system (such as versions of Windows older than Windows 10), keeping default passwords, or not segmenting a network into smaller, more secure subnetworks that have their own security credentials.

Remember that any devices that access or store PHI must be logged according to your HIPAA policies and procedures. Speaking of HIPAA, “critical vulnerabilities” may sound familiar from your last HIPAA risk assessment, but we’re discussing them in a different context here. For a refresher, read our article HIPAA Risk Assessments: Are They Really Necessary?

How Does an Attacker Execute an Attack Once Inside Your System?

Once inside, the attacker uses software to study your network and technology. They disguise their activity as a familiar part of your network in order to gain higher-level access. Attackers often target your file backups to make it harder to recover from their attack. Once the attacker reaches the highest level of access, usually the domain admin account, they activate the ransomware, which stops your system from working until you pay the ransom to release it.

Remember that your business associates can also face ransomware attacks, so it’s crucial that you enter into business associate agreements (BAAs). See our related video, “Business Associate Agreements in Healthcare.”

What Can You Do to Prevent or Mitigate a Ransomware Attack?

  • Enable multi-factor authentication on all devices for all sign-in options.
  • Segment your network into smaller networks and limit access. Only the domain administrator should have full access to all network segments.
  • Remove inactive user accounts from your network. Attackers exploit out-of-date company directories because unused accounts are not well monitored. Often, employees don’t know which staff members have left the practice, which increases the likelihood that an employee will click on a malicious link from a seemingly internal source. When workers exit the practice, back up their account contents (adequately secured with multi-factor authentication), then delete the account.
  • Train employees to spot potential threats. Employees on alert for suspicious emails are less likely to fall for phishing scams.
  • Consult with your IT department or cybersecurity professionals to develop a protection and recovery plan. 
  • Consider cyber insurance. It won’t prevent an attack, but it can help you navigate the aftermath.

Why Is Preventing a Ransomware Attack So Important in Healthcare?

Healthcare practices store valuable data, making them prime targets for attackers. A ransomware attack disrupts your practice, preventing you from serving your patients and earning revenue. It also risks patient data. A ransomware attack falls under the HIPAA Privacy and Security Rules, requiring your practice to implement its response and mitigation procedures and report the breach to the U.S. Department of Health and Human Services (HHS) and your patients. 

Read more: Healthcare Data Breaches: What Are Your Legal Obligations for Notifying Affected Parties?

Ransomware attack victims should work with law enforcement, the Department of Homeland Security, legal counsel, their cyber insurance companies, and professional cybersecurity consultants. It’s also essential to have safeguards against ransomware and other cyberattacks, as inadequate measures could violate the HIPAA Privacy and Security Rules. State laws about breach notifications vary, so consult an attorney to ensure compliance.

Preventing an attack and keeping off-network backups of your data are crucial because paying a ransom demand doesn’t guarantee that you’ll get all of your data back. Even if you receive a decryption key in exchange for the ransom, it might not work perfectly. Creating an effective recovery plan before an attack increases the likelihood that your practice can recover its data — without paying a ransom.

Get Legal Support

For questions about HIPAA compliance related to cybersecurity, the attorneys at Jackson LLP are experienced in guiding providers and practices through HIPAA compliance. Let them assist your practice with developing its own HIPAA compliance protocol. 

If you operate in one of the states where Jackson LLP has licensed attorneys, book a free consultation to learn more about how we support the success of independent healthcare practices.

This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.
