How to Protect Your Medical Practice from Ransomware Attacks
As a technologically minded leader of a medical practice, you have probably already recognized the value of cloud-based healthcare software. Cloud providers store data in multiple, redundant facilities so that a catastrophic failure at any one data center does not take your records with it. Redundancy is not the same as a backup, though: a service that mirrors every change also mirrors the encryption that ransomware performs on your files, so you still need point-in-time backups that an attacker inside your network cannot reach.
The staff at a cloud provider focus on keeping data secure and available around the clock, even while cyber attacks plague institutions connected to the Internet.
A glance at the headlines each month shows that healthcare organizations have become a major target for criminal hackers. A data breach costs a practice time and money and erodes the trust patients have placed in it.
Hospitals, doctors' offices and clinics face cyber security threats with grave repercussions. A common method of attack is ransomware. Once criminals compromise a medical organization's systems (often because an employee clicked a link in a phishing email or text message), they encrypt the patient files and hold them hostage until a ransom is paid. Typically you see a warning with a countdown: pay before the deadline or the files will be erased, or, perhaps worse, the attackers threaten to publish the sensitive information online.
Ransomware gets into a hospital in a range of ways. It can arrive through email attachments and links, text messages, and websites set up for the sole purpose of attacking unwary end users, or through unpatched software and exposed remote-access services that need no user interaction at all. One slip-up and the intruder gains a foothold, putting the whole organization at risk.
For example, in late 2020, criminals attacked several hospitals across the United States with ransomware; St. Lawrence Health Systems of New York, Sky Lakes Medical Center of Oregon and the University of Vermont Health Network told CNN they had been compromised.
Holding patient data hostage is bad enough; it is particularly galling while the nation is swept up in the coronavirus pandemic and fast, reliable access to patient records matters more than ever. Proper, regular, tested backups do not stop a ransomware attack, but they let a hospital restore its systems without paying, which keeps patients safer and protects the bottom line.
So while your cloud service provider's IT department handles security on their side, you still have to contend with potential security issues in your own office and make sure that your staff know what to do to protect patient information.
With that in mind, here are 8 tips that will help improve healthcare cyber security in your organization and reduce the chance of a ransomware attack.
1. HIPAA Compliance
Simply adhering to the requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) will get you well on the way to safeguarding patient details against ransomware: its Security Rule already calls for a risk analysis, access and audit controls, and a contingency plan that includes data backup and recovery, which is exactly the groundwork you need.
If you don't have a HIPAA compliance officer or an employee with similar duties, now is a good time to invest in a professional with that expertise and experience. An audit of your HIPAA protocols will identify holes in your security and is vital to protecting patients.
2. Educate Your Team on Cybersecurity Best Practices
In most situations, the weakest link in your medical practice's cyber security will be the user. Ensuring that your staff know the proper measures to take (and enforcing those measures) makes the organization as a whole more secure.
As with HIPAA compliance, you may need to bring in a consultant who can first gauge the knowledge level of your team and then provide training to get everyone up to date on current security practices.
Your team should be trained (or refreshed) on password best practices and procedures. Passwords must never be sent in email or kept in documents others can read. A password manager is the right place for them: the employee remembers one long master passphrase, and the manager generates and stores a unique, random password for every other system.
Employees try to skirt the IT department's password rules because remembering one strong password is hard, let alone a different one for each system, which is exactly the problem a password manager solves. Where a password really must be memorized, a long passphrase beats a short clever string.
The classic trick of taking the first letter of each word in the phrase "I walk my dog in the park each morning" produces "iwmditpem". Even with a digit and a few capitals added, that is only nine or ten characters and is within reach of an offline guessing attack if a stolen password database is ever cracked. Using the whole phrase, or four or five unrelated random words, is both easier to remember and far stronger, because length matters more than character substitutions.
3. Data Backup Protocols
All data should be backed up on a regular basis, at least daily. Servers in your facility should be only part of the system. If local servers fail, whether from a natural disaster, a hardware fault or a ransomware infection, you can get back up and running by pulling copies of the data from a backup kept in a distant location or on a cloud provider's servers. Keep at least one copy offline or in immutable (write-once) storage that your production network cannot write to: ransomware that finds a mounted backup drive or a synced share will encrypt that copy too.
4. Security and Firewall Protection
A properly configured, up-to-date firewall should protect your network. It keeps intruders out and, set up carefully by your IT department, also limits what can leave the network, for example by blocking outbound connections from workstations except to approved services. Preventing patient records or credit card details from being sent out is the job of data loss prevention (DLP) controls layered on top, not of the firewall alone.
A more advanced security setup includes two-factor authentication (often called multi-factor authentication, or MFA) so that a stolen password alone does not get a criminal in. You have probably experienced it in your normal affairs, such as when your bank sends a unique, temporary code to your smartphone when you log in from a laptop. Codes sent by text message can be intercepted or phished, so where your systems support it prefer an authenticator app or a hardware security key. The more barriers you put between your organization and attackers, the slimmer their chances of getting in to steal and encrypt data.
Controlling access to protected patient data should therefore be top of mind.
You have undoubtedly seen news accounts of patients whose private information was stolen by hackers. These sensitive details are protected by the Health Insurance Portability and Accountability Act (HIPAA). If you fail to keep this data secure, the results can be disastrous: criminal hackers use confidential patient details to commit identity theft, drain bank accounts and otherwise cause a great deal of havoc.
Have your security team tightly control access to patient records, granting each role only the access its job requires. Audit the system so you can verify who accessed what and when, and actually review those logs. For example, disable access immediately for terminated employees, lest they log in later and wreak havoc out of anger.
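The access review described above, as an added example that is not part of the original article: a short Python script that reads a constructed EHR access-log export and flags use of a terminated employee's account after their last day, accounts that are not on the authorized list, access outside business hours, and unusually large record exports. The CSV layout, user names, termination time, clinic hours and export threshold are all assumptions made for illustration; a real review would read whatever export your EHR or identity system produces.

```python
"""Flag suspicious patient-record access in an EHR audit log.

Added example for this article, not from any EHR product. The CSV layout,
the user names, the termination time and the thresholds are constructed
for illustration only.
"""
import csv
import io
from datetime import datetime, time

# Constructed sample export: one row per access to a patient record.
SAMPLE_LOG = """timestamp,user,action,patient_id
2020-11-02T09:12:44,jsmith,view,P1001
2020-11-02T09:40:10,mlee,update,P1002
2020-11-02T16:30:00,rkhan,view,P1009
2020-11-02T22:15:03,rkhan,view,P1003
2020-11-03T10:05:30,rkhan,view,P1004
2020-11-03T11:20:00,tnguyen,export,P1005
2020-11-03T11:21:00,tnguyen,export,P1006
"""

# Constructed HR data: the moment each departed employee's access should
# have ended. Anything after this time is a finding.
TERMINATED = {"rkhan": datetime(2020, 11, 2, 17, 0, 0)}

# Constructed list of accounts currently allowed to touch records.
AUTHORIZED = {"jsmith", "mlee", "tnguyen"}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed clinic hours
EXPORT_THRESHOLD = 2  # assumed: this many exports by one user is unusual


def parse_log(text):
    """Parse the CSV export, turning the timestamp column into datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access(rows, terminated=TERMINATED, authorized=AUTHORIZED,
                  hours=BUSINESS_HOURS, export_threshold=EXPORT_THRESHOLD):
    """Return a list of (reason, detail) findings for a human to review."""
    findings = []
    exports = {}
    for row in rows:
        user, ts = row["user"], row["timestamp"]
        if user in terminated:
            # Access before the termination time is normal; after it, the
            # account should already have been disabled, so this is a finding.
            if ts > terminated[user]:
                findings.append(("terminated account used", row))
        elif user not in authorized:
            findings.append(("unknown account", row))
        if not hours[0] <= ts.time() <= hours[1]:
            findings.append(("outside business hours", row))
        if row["action"] == "export":
            exports[user] = exports.get(user, 0) + 1
    # Bulk export is how stolen records leave before a ransom note appears,
    # so count exports per user across the whole log rather than per row.
    for user, count in exports.items():
        if count >= export_threshold:
            findings.append(("bulk export", {"user": user, "count": count}))
    return findings


if __name__ == "__main__":
    for reason, detail in review_access(parse_log(SAMPLE_LOG)):
        print(f"{reason:26} {detail}")
```

On the constructed log this reports the two accesses by rkhan after 5 pm on the termination day (one of them also after hours) and the pair of exports by tnguyen, while rkhan's 4:30 pm access on the last day is correctly left alone. The useful part of the exercise is feeding the script your real HR termination list: any hit means an account was not disabled when it should have been.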
It almost goes without saying, but employees must not use the same password for everything. Their email password should not be the one they use to sign into the computer itself, let alone the one for the patient records database.
All a criminal needs is one working password; they then try it against every other account the victim uses, a technique known as credential stuffing. The convenience of one password leads to a catastrophic theft of data, and intruders can do even more damage once inside by altering information in patient files or erasing them during a ransomware attack.
Forcing employees to change passwords on a fixed schedule is no longer considered good practice: NIST SP 800-63B advises against arbitrary periodic rotation because people respond with predictable variations of the old password. Instead, require a change when a password is suspected of being compromised, screen new passwords against lists of known-breached passwords, and rely on unique passwords plus MFA.
5. Conduct Regular Risk Assessments
Not knowing where your vulnerabilities are makes it much harder to protect against attack. You won't have a clear understanding of your organization's security issues unless you conduct risk assessments on a regular basis.
The goal is layered security. That way, if a criminal breaches one layer, the remaining layers still stand between them and the protected data, and your organization has a chance to detect the intrusion before it is too late.
Just as you use multiple locked doors to protect your property, building and equipment, you should establish several layers of defense against electronic intrusion, so that one weak spot does not undo the whole of your security.
Do not fall into complacency about protecting patient data against ransomware. Your own IT team could perform the risk assessment, but you may prefer the objectivity of an outside firm.
6. Perform Software Updates in a Timely Fashion
Of course you do not like the idea of taking your busy practice's computer system offline for standard software upgrades. But let your IT department do this as needed, such as at night, on weekends or on holidays when you are not seeing patients.
Running outdated software leaves your computers and other devices more vulnerable to ransomware, because you miss the security patches that ship with updates. Attackers actively look for systems that are behind on patches, since known vulnerabilities let them enter with little effort.
Work with a vendor that prioritizes security in its software and updates its applications swiftly whenever a new threat is identified.
According to a report from Healthcare IT News, top of your priority list should be investing in current firewall software to protect your data and systems, along with up-to-date anti-malware detection. If your own IT staff is small, you may need to outsource security monitoring and management.
7. Test Your Backups
Your team may boast about how robust your backup system is. But if you never test it under real-world conditions, you effectively do not have a backup plan. The last thing you want is to suffer a ransomware attack, refuse the criminals' demand for payment, and only then discover that your backup files are corrupted, incomplete or unavailable. Schedule and run restore tests with the same seriousness you give fire drills for employee and patient safety, and check that the restored data is intact, not merely that the restore job finished.
In the unfortunate event of an attack, your practice needs to know what the next steps are. Having a plan in place will help you move forward after an attack. Your IT team should also regularly review your healthcare cyber security protections to ensure you are following current practice.
Reviewing updates does not mean pushing every one blindly the moment it appears. When you assess an update, try it first on a quarantined test computer to make sure the patch will not disrupt the rest of your systems. Do not let that staging become an excuse to defer security patches for weeks, though: a known vulnerability left unpatched is a far greater risk than the occasional patch that misbehaves.
To be ready for the aftermath of ransomware, designated members of your security team should write down a recovery plan: who isolates affected machines, who notifies the cloud provider, insurer and regulators, the order in which systems are rebuilt from clean images and restored from the off-site or cloud backup, and how the restored data is verified before anyone relies on it for patient care.
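The backup and restore drill from tips 3 and 7, as an added example that is not code from the original article or from any backup product: it copies a source tree to a backup location, records a SHA-256 digest of every file in a manifest, authenticates the manifest with an HMAC under a key that lives only on the backup host (so an intruder who can encrypt the source cannot also forge a matching manifest), then restores and verifies, including the case where one restored file has been overwritten the way ransomware would, and the case where the manifest itself has been edited. Everything runs in a temporary directory; the file names, contents and the key are constructed for illustration.

```python
"""Back up a directory with an authenticated integrity manifest, then
verify a restore the way a ransomware recovery drill should.

Added example for this article, not from any backup product. File names,
contents and the manifest key are constructed; standard library only.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Constructed: a secret held on the backup host but NOT on the workstations
# being backed up, so whoever encrypts the source cannot rewrite the
# manifest to match. Keep a real key in a secrets store or HSM.
MANIFEST_KEY = b"example-only-backup-manifest-key"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source, dest, key=MANIFEST_KEY):
    """Copy the `source` tree to `dest`, hash each copied file, and write an
    HMAC-authenticated manifest next to the copies. Returns the manifest."""
    source, dest = Path(source), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    entries = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        entries[rel] = sha256_file(target)  # hash the copy, not the source
    body = json.dumps(entries, sort_keys=True).encode()
    (dest / "MANIFEST.json").write_bytes(body)
    (dest / "MANIFEST.hmac").write_text(hmac.new(key, body, hashlib.sha256).hexdigest())
    return entries


def verify_restore(restored, manifest_dir, key=MANIFEST_KEY):
    """Check a restored tree against the manifest. Returns (ok, problems)."""
    restored, manifest_dir = Path(restored), Path(manifest_dir)
    body = (manifest_dir / "MANIFEST.json").read_bytes()
    tag = (manifest_dir / "MANIFEST.hmac").read_text().strip()
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest()):
        return False, ["manifest authentication failed"]
    problems = []
    for rel, digest in json.loads(body).items():
        path = restored / rel
        if not path.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"corrupted: {rel}")
    return not problems, problems


def restore_drill():
    """Back up, restore, verify; then tamper like ransomware and verify again;
    then forge the manifest without the key and verify a third time."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, bak, rst = tmp / "ehr", tmp / "backup", tmp / "restore"
        (src / "notes").mkdir(parents=True)
        (src / "patients.db").write_bytes(b"constructed patient db contents")
        (src / "notes" / "2020-11-02.txt").write_text("constructed clinical note")
        make_backup(src, bak)
        shutil.copytree(bak, rst)  # the "restore" for this drill
        clean_ok, _ = verify_restore(rst, bak)
        # Ransomware overwrites a restored file in place.
        (rst / "patients.db").write_bytes(b"\x00ENCRYPTED\x00")
        tampered_ok, problems = verify_restore(rst, bak)
        # An attacker edits the manifest to match the encrypted file, but
        # cannot recompute the HMAC without the key held on the backup host.
        manifest = json.loads((bak / "MANIFEST.json").read_bytes())
        manifest["patients.db"] = sha256_file(rst / "patients.db")
        (bak / "MANIFEST.json").write_bytes(json.dumps(manifest, sort_keys=True).encode())
        forged_ok, forged_problems = verify_restore(rst, bak)
        return clean_ok, tampered_ok, problems, forged_ok, forged_problems


if __name__ == "__main__":
    print(restore_drill())
```

In a real drill the restore target is a clean machine, the key stays in a secrets store on the backup system, and the manifest travels with the offline or immutable copy. What the drill tests is that verify_restore reports no problems on the restored data, not merely that the copy job completed; a "corrupted" or "missing" line, or a manifest that fails authentication, means the backup you were counting on would not have saved you.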
8. Purchase Insurance for Cybersecurity
You already buy insurance for your facilities and require your medical professionals to carry malpractice insurance. While good security software and sound practices give you a better chance of surviving a ransomware attack, it is wise to consider cyber insurance to protect the organization in the event of a breach. Consult your IT department head to list the requirements you will need before arranging coverage; insurers increasingly ask about MFA, tested backups and patching before writing a policy, so the steps above also help you qualify.
When your patients' sensitive data is stored in an electronic record system and cloud services provide backups and online access, it is incumbent on your team to do all you can to protect that information against criminal hackers. You remain ultimately responsible for safeguarding the patient details you create, update and store on the practice's systems.
Protect Your Practice from Ransomware Attacks
Cybersecurity is a serious issue, and failure to shore up your defenses could lead to disaster if criminals break into your systems. You already have enough on your plate with ordinary medical service issues, leaving little time to stay current on computer security best practices. To help, we have created a 30-minute webinar on 9 ways to prevent a ransomware attack.
About Stephen O'Connor
Stephen O'Connor is the Director of Brand and Digital Marketing, responsible for many aspects of Advanced Data Systems Corporation’s (ADS) marketing, including product marketing, customer acquisition, demand generation, brand, brand design, and content marketing.
Stephen has more than 20 years of healthcare industry experience. Prior to ADS, Stephen spent 11 years at Medical Resources Inc. (MRI), most recently as the Manager of Marketing & Internet Services, where he and his teams were responsible for all marketing efforts and the market positioning of MRI’s services.
Stephen spends his days planning, writing and designing resources for the modern healthcare professional.