Warnings from government agencies and dramatic reports of hospitals grinding to a halt from ransomware attacks have splashed across the news recently. Medical practices are an attractive target for ransomware, both because of their reliance on relatively new IT systems such as EHRs and because of the often life-and-death urgency of healthcare services: a practice that cannot reach its records is under enormous pressure to pay quickly. Whatever the size of your practice, it's important to do what you can to avoid having your data taken hostage and being forced to consider paying ransomware criminals.
Ransomware combines three ingredients: phishing, strong encryption, and a cryptocurrency such as Bitcoin for payment. Phishing gets the malicious program onto your computers; encryption locks up your data with a "key" held only by the criminals; and cryptocurrency lets them collect payment without a bank that could block or reverse the transfer. (Bitcoin is not truly untraceable, since every transaction is recorded publicly, but payments are pseudonymous, irreversible, and easy to move across borders, which is all the criminals need.) That's the ransomware business model, and it's a terrifying prospect for any practice.
The first part of the equation, phishing, is surprisingly low tech: no Mission Impossible-style hackers, grappling hooks, or crawling through conduits. It works by tricking someone in your practice into letting the criminals into your systems, usually by opening a misleading email attachment or clicking a cleverly disguised link. This puts the ransomware program on a computer in your practice, running with that staff member's permissions. It then searches out every file that account can write to, including files on mapped network drives and shared folders, and encrypts each one with a key known only to the criminals. And, of course, it notifies the practice that the key can be obtained, for a price.
There are practical steps that even a small or medium-sized practice can take to reduce this risk. They fall into two groups: technical safeguards, and working with your staff so they recognize phishing. Whether you have in-house IT or outsource it, make sure both groups get attention. You don't have to understand all the technical details to be able to ask good questions, and your IT staff should have good answers. Here are some specific steps to take:
1. Ensure IT systems are designed to provide "least-necessary access" (what security professionals call least privilege) to data: every staff member should have the amount of access necessary to do their job, but no more. Because ransomware can only encrypt what the infected user's account can write to, limiting each account's reach also limits the damage one infected computer can do. Talk with your IT people about how this is reflected in your systems, including which network shares each role can modify.
2. Ensure consistent and up-to-date backups of all important data, and make sure they are isolated from everyday users: a backup that sits on a shared drive any staff account can write to will simply be encrypted along with everything else. Isolation means the copies are offline, on separate storage, or writable only by a dedicated backup account that no one uses for email or browsing. Ensure IT is regularly testing its ability to restore from the backup copies, so they'll actually work when needed; a backup that has never been restored is an untested assumption. After all, would you rather restore your own copies of your data, or pay whatever ransom is demanded?
3. Ensure software patches are in place and up to date. Automatic installation of software updates and patches closes the known security vulnerabilities that some ransomware exploits to get onto a computer or to spread from one machine to others on your network. Patching does not stop a staff member from opening a malicious attachment, which is why it belongs alongside staff training rather than in place of it.
4. Ensure your security software is in place and updated. Increasingly, protection against ransomware is being added to these software packages. BitDefender has even released a free ransomware "vaccine" that blocks certain ransomware from installing by tricking it into thinking the computer is already infected. Such a vaccine only works against the specific ransomware families that check for that marker, so treat it as one layer among the others, not a substitute for backups and patching.