The growing frequency of ransomware attacks on healthcare organizations means even the smallest practices should take steps to protect themselves from cyberthieves.
At this year’s Healthcare Information and Management Systems Society (HIMSS) conference in Orlando, two attorneys with expertise in cybersecurity, Julia R. Hesse and Brian Finch, prescribed steps that healthcare organizations should take to minimize the risks posed by ransomware. Hesse is a partner in the healthcare group at Boston-based Choate Hall & Stewart. Finch is in the public policy department at the Washington, D.C.-based firm Pillsbury Winthrop Shaw Pittman.
Ransomware viruses encrypt data with a promise, not always kept, that access to the data will be restored for a fee. Both attorneys stressed that the widespread and growing use of interconnected devices, aka the Internet of Things, contributes massively to the challenges organizations face in dealing with ransomware.
They also offered advice on how organizations can avoid being held financially responsible for breaches that do occur: by taking proactive, documented steps that make clear they are working to protect patient data.
Vital to-dos in avoiding a ransomware attack
Every day, one million new viruses are generated, according to Finch. Both attorneys described proactive steps that organizations can use to assess threats to their systems, their vulnerabilities, and the consequences of a possible attack. Only with knowledge of the risks can an organization assess the sufficiency of its safeguards, and improve upon them if needed.
Here are the steps Hesse and Finch suggested:
• Keep careful track of all devices connected to your system. Each one of them can serve as an entry point for a ransomware virus that can “move laterally and move like wildfire,” Finch said.
He reported on a recent ForeScout Technologies global survey of information technology professionals that found that only 30 percent were confident they knew which devices were connected to their network. “That is really bad,” he said.
• Back up data religiously. As simple as this step sounds, it is massively important. Both attorneys repeatedly stressed that organizations whose data has been stolen are far less affected by the theft if they have backup copies of the data available.
“Those organizations were ones with an effective, robust backup system,” Hesse said. “They flipped over to their redundant network.”
• Have a disaster plan in the event you do get hit. What will your organization do if data becomes unavailable? Where are you going to send your patients? How are you going to handle billing? These are the kinds of questions for which you must have answers, Finch said.
• Train people at all levels of your organization to recognize entry points for ransomware and to act sensibly. “All it takes is one sweet nursing assistant to click on a shopping link…,” Hesse said, to open the door to a potential cyberattack.
• Consider using the federal SAFETY Act to protect your organization from avoidable financial damages in the event of a cyberattack. Instituted after 9/11, the Act treats a wide range of cyberattacks as “acts of terror.” An attack made for possible financial gain or to sow chaos, as could occur in an attack on a healthcare operation, qualifies as an act of terror under the Act.
Under the Act, an organization can apply to the Department of Homeland Security for certification that it has a sound cybersecurity program. Obtaining such certification could mean that the organization would face a cap on damages in the event of a lawsuit, or immunity from such a suit. There are no costs associated with using the Act, said Finch. Also, it’s valuable to work with vendors who are SAFETY Act protected, he advised. That way, your organization can’t be held responsible for working with vendors who failed to protect patient data.
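The first step above, knowing which devices are actually on your network, is only meaningful if an authoritative inventory is regularly compared with what the network itself reports. The script below is an added example, not material from the HIMSS session or from either attorney: it parses a constructed excerpt in the ISC dhcpd lease-file format (a widely used DHCP server), compares the active leases against a hypothetical approved-device inventory keyed by MAC address, and reports both devices the inventory does not know about and inventory entries that have not been seen. The inventory contents, hostnames and MAC addresses are all constructed sample data.

```python
"""Reconcile an approved device inventory against DHCP leases observed on the network.

Added illustrative example (not from the conference talk). Assumes the lease file
follows ISC dhcpd.leases syntax and that the inventory is a hypothetical
MAC-address -> description mapping maintained by the practice.
"""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt in ISC dhcpd.leases format.
SAMPLE_LEASES = """\
lease 10.20.1.15 {
  starts 3 2017/02/22 08:00:00;
  ends 3 2017/02/22 20:00:00;
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "nurse-station-3";
}
lease 10.20.1.44 {
  starts 3 2017/02/22 09:12:00;
  ends 3 2017/02/22 21:12:00;
  binding state active;
  hardware ethernet 5c:cf:7f:11:22:33;
  client-hostname "ESP_112233";
}
lease 10.20.1.80 {
  starts 3 2017/02/21 10:00:00;
  ends 3 2017/02/21 22:00:00;
  binding state free;
  hardware ethernet 00:1a:2b:aa:bb:cc;
  client-hostname "infusion-pump-7";
}
"""

# Constructed sample: the practice's approved inventory (hypothetical), keyed by MAC.
APPROVED_INVENTORY = {
    "00:1a:2b:3c:4d:5e": "Nurse station 3 workstation",
    "00:1a:2b:aa:bb:cc": "Infusion pump 7",
    "00:1a:2b:99:88:77": "Front-desk printer",
}


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    state: str


LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17});", re.I)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')
STATE_RE = re.compile(r"binding state\s+(\w+);")


def parse_leases(text):
    """Return one Lease per 'lease <ip> { ... }' block that carries a hardware address."""
    leases = []
    for match in LEASE_RE.finditer(text):
        ip, body = match.group(1), match.group(2)
        mac = MAC_RE.search(body)
        if not mac:
            continue  # a block without a hardware address cannot be matched to a device
        host = HOST_RE.search(body)
        state = STATE_RE.search(body)
        leases.append(Lease(ip=ip,
                            mac=mac.group(1).lower(),
                            hostname=host.group(1) if host else "",
                            state=state.group(1) if state else "unknown"))
    return leases


def reconcile(leases, inventory):
    """Compare currently active leases with the approved inventory.

    unknown_devices: active on the network but absent from the inventory (investigate).
    inventory_not_seen: in the inventory but not currently active (stale entry or offline).
    """
    active = [lease for lease in leases if lease.state == "active"]
    seen_macs = {lease.mac for lease in active}
    unknown = [lease for lease in active if lease.mac not in inventory]
    not_seen = sorted(mac for mac in inventory if mac not in seen_macs)
    return {"unknown_devices": unknown, "inventory_not_seen": not_seen}


def main():
    result = reconcile(parse_leases(SAMPLE_LEASES), APPROVED_INVENTORY)
    for lease in result["unknown_devices"]:
        print(f"UNKNOWN  {lease.ip:<14} {lease.mac}  hostname={lease.hostname!r}")
    for mac in result["inventory_not_seen"]:
        print(f"NOT SEEN {mac}  ({APPROVED_INVENTORY[mac]})")


if __name__ == "__main__":
    main()
```

Run against a real lease file by replacing SAMPLE_LEASES with the file's contents; the "unknown" list is the one to act on, since each entry is a device on the network that nobody has vouched for, while the "not seen" list shows where the inventory itself has drifted. MAC addresses can be changed by whoever controls a device, so this check establishes visibility, not trust.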