Steps to Avert Ransomware at Your Medical Practice

April 13, 2016

No matter how small your practice is, it's important to put technical and human safeguards in place now to protect your data.

Warnings from government agencies and dramatic reports of hospitals grinding to a halt from ransomware attacks have splashed across the news recently. Medical practices are an attractive target for ransomware, due both to their reliance on relatively new IT systems such as EHRs and to the often life-and-death urgency of healthcare services. No matter what size your practice is, it's important to do what you can to avoid having your data taken hostage and being forced to consider paying ransomware criminals.

Ransomware combines three technologies: phishing, virtually unbreakable encryption, and the Bitcoin crypto-currency. It works by using phishing to infect your computers, encryption to lock up your data with a "key" known only to the bad guys, and the untraceable Bitcoin electronic currency to collect the ransom. That's the ransomware business model; it's a terrifying prospect for any practice.

The first part of the equation, phishing, is surprisingly low tech: no Mission Impossible-style hackers, grappling hooks, or crawling through conduits. It works by tricking someone in your practice into letting the criminals into your data system - usually by opening a misleading email attachment or clicking a cleverly disguised link. This puts the ransomware program on a computer in your practice, which then searches out all the data it can reach on your network and encrypts it with a key known only to the bad guy. And, of course, it notifies the practice that the key can be obtained - for a price.

There are practical steps that even a small or medium-sized practice can take to avoid this. They fall into two strategies: technical safeguards and working with your staff. Whether you have in-house IT or outsource it, you need to make sure both strategies get attention. You don't have to understand all the technical details to be able to ask good questions - and your IT staff should have good answers. Here are some specific steps to take:

Technical safeguards

1. Ensure IT systems are designed to provide "least-necessary access" to data - every staff member should have the amount of access necessary to do their job, but no more. Talk with your IT people about how this is reflected in your systems.

2. Ensure consistent and up-to-date backups of all important data - and make sure they're isolated from everyday users (so the backups aren't encrypted by the ransomware!). Ensure IT is testing its ability to restore from the backup copies, so they'll be there when needed. After all, would you rather restore from your own copies of your data, or pay whatever ransom is demanded?

3. Ensure software patches are in place and up to date. Automatic installation of software updates and patches closes the security vulnerabilities ransomware exploits to gain access to your data.

4. Ensure your security software is in place and updated. Increasingly, protection against ransomware is being added to these software packages. BitDefender has even released a free ransomware "vaccine" that blocks ransomware from installing by tricking it into thinking the computer is already infected.
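Step 2 above asks for two things that are easy to say and easy to skip: backups that live somewhere everyday users cannot write to, and a regular restore test that proves the copies are actually usable. The script below is an added illustration of that drill, not code from the article or any product it mentions. It backs up a source directory into a separate "vault" directory, records a SHA-256 manifest of every file, then restores the snapshot into a scratch directory and compares each restored file against the manifest. The sample patient files, directory names and the in-place damage used to stand in for an infection are all constructed for the demo.

```python
"""Backup-and-restore drill (added example; all paths and data are constructed)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large EHR exports don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, vault: Path) -> Path:
    """Copy source into vault/snapshot/data and write a manifest beside it.

    In production the vault would be a location ordinary user accounts
    cannot write to (offline media, a separate account, or a write-once
    cloud bucket); here it is simply a separate directory tree.
    """
    snapshot = vault / "snapshot"
    shutil.copytree(source, snapshot / "data")
    manifest = make_manifest(snapshot / "data")
    (snapshot / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return snapshot


def verify_restore(snapshot: Path, scratch: Path) -> list:
    """Restore the snapshot into scratch and return the names of files whose
    contents differ from the manifest. An empty list means the drill passed."""
    expected = json.loads((snapshot / "manifest.json").read_text())
    restored = scratch / "restored"
    shutil.copytree(snapshot / "data", restored)
    actual = make_manifest(restored)
    bad = [name for name, digest in expected.items() if actual.get(name) != digest]
    bad += [name for name in actual if name not in expected]
    return sorted(bad)


def corrupt_in_place(directory: Path) -> None:
    """Stand-in for damage to the live data: overwrite every file's contents."""
    for p in directory.rglob("*"):
        if p.is_file():
            p.write_bytes(b"UNREADABLE-PLACEHOLDER")


def run_drill() -> dict:
    """End-to-end demo on constructed sample data; returns the check results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, vault, scratch = base / "live", base / "vault", base / "scratch"
        for d in (source, vault, scratch):
            d.mkdir()
        (source / "patients.csv").write_text("id,name\n1,Sample Patient\n")
        (source / "notes").mkdir()
        (source / "notes" / "visit1.txt").write_text("constructed visit note\n")
        original = make_manifest(source)

        snapshot = backup(source, vault)
        first = verify_restore(snapshot, scratch / "a")

        # The live data gets damaged; the vault copy is untouched because it
        # is a separate tree that everyday users never write to.
        corrupt_in_place(source)
        second = verify_restore(snapshot, scratch / "b")
        restored_ok = make_manifest(scratch / "b" / "restored") == original

        # A bad backup (here, one file silently altered) must fail the drill,
        # which is exactly what the restore test exists to catch.
        (snapshot / "data" / "patients.csv").write_text("garbage")
        third = verify_restore(snapshot, scratch / "c")

        return {"clean": first, "after_live_damage": second,
                "restored_matches_original": restored_ok,
                "tampered_backup": third}


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The value of the drill is in the third check: a backup that exists but cannot be restored intact is discovered during the rehearsal, not on the day the practice needs it. Schedule `verify_restore` to run after every backup and have IT report the result, so "are the backups tested?" has a concrete answer.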

Human safeguards

1. Provide your staff training to help them recognize suspicious emails, and let them know that they should not open attachments or click on links to websites contained in emails. Help them understand the techniques used to trick them into accidentally running ransomware or malware on the practice's computer network. For example, ransomware is often attached to an email that describes the attachment as something innocuous, like an overdue invoice.

2. Train staff on what they should do if they see an email that looks suspicious - whether that's deleting it or reporting it to IT or administration. Even if it's not malware or ransomware, thank them for checking it out first.

3. Ensure that IT takes the same helpful and nonjudgmental attitude with staff that your medical team takes with patients reporting problems. If it turns out not to be a problem, IT's response should be, "Thanks for letting me know about this - truthfully, I prefer the two-minute problems to the ones that take hours or days to fix."

4. Ensure that IT communicates with staff quickly and positively when a problem is identified. If one person received a ransomware email, chances are others did as well. "We want to thank Jane Scott for alerting IT staff to a ransomware email - please delete it without opening it if you receive it too." Remember, if staff are afraid to report a problem, IT will spend a lot of unnecessary time trying to find the source of the ransomware infection - and if the source isn't found, the files restored from backup copies will be encrypted too!

5. Administrators shouldn't make this "IT's problem." Your IT people need to plan and have systems in place, but ultimately they aren't responsible for your practice's business. Make ransomware a part of your risk management and business continuity plan and create clear expectations for how administration will be notified and involved in decisions - such as how much system downtime is acceptable and how decisions to pay a ransom to retrieve practice data will be made.
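Staff training (item 1 above) works best when the mail system also flags the lures the article describes, so that a disguised "overdue invoice" reaches the inbox already marked as suspect, or not at all. The following is an added example of the kind of attachment screening an IT team can run at the mail gateway; it is not code from the article or from any vendor it names. It parses a raw email with Python's standard `email` library and reports attachments that are executable or macro-enabled, that hide their real type behind a double extension such as `.pdf.exe`, or that pair a risky file type with financial lure wording. The two messages it checks are constructed for the demo, and the extension and keyword lists are assumptions to be tuned for your own practice.

```python
"""Mail-gateway attachment screening (added example; sample messages are constructed)."""
import email
from email import policy
from email.message import EmailMessage

# File types that can run code when opened; an assumed starting list.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                    ".hta", ".jar", ".lnk", ".docm", ".xlsm", ".pptm"}
# Document types an attacker might fake with a double extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Wording typical of the "overdue invoice" lure the article describes.
LURE_WORDS = ("invoice", "overdue", "payment", "statement", "remittance")


def attachment_findings(raw_message: str) -> list:
    """Return a human-readable finding for each suspicious attachment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lower = name.lower()
        pieces = lower.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"{name}: executable or macro-enabled attachment ({ext})")
        if len(pieces) > 2 and "." + pieces[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"{name}: double extension hides the real type behind .{pieces[-2]}")
        if ext in RISKY_EXTENSIONS and any(w in lower for w in LURE_WORDS):
            findings.append(f"{name}: financial lure wording on a risky file type")
    return findings


def build_message(subject: str, body: str, filename: str, payload: bytes) -> str:
    """Assemble a constructed test email with one attachment and return it raw."""
    msg = EmailMessage()
    msg["From"] = "billing@example-vendor.test"
    msg["To"] = "frontdesk@example-practice.test"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_string()


def screen_samples() -> dict:
    """Run the screen over one constructed lure and one constructed benign message."""
    lure = build_message("Overdue invoice - action required",
                         "Please see the attached invoice.",
                         "Overdue_Invoice.pdf.exe", b"constructed-bytes")
    benign = build_message("Visit summary",
                           "Attached is the summary you requested.",
                           "visit_summary.pdf", b"%PDF-constructed")
    return {"lure": attachment_findings(lure),
            "benign": attachment_findings(benign)}


if __name__ == "__main__":
    for label, findings in screen_samples().items():
        print(label, "->", findings or ["no findings"])
```

A message that produces findings is a good candidate for quarantine plus a note to the recipient explaining why, which reinforces the training rather than replacing it. Keep the lists short and reviewed: over-broad rules that block legitimate referrals teach staff to work around the gateway, which is the opposite of what item 2 and item 3 above are trying to build.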

No single solution will provide a silver bullet against ransomware, but you can mount an effective defense even if you don't have a hospital-sized IT staff and budget. The most important thing to understand is that you need to act before ransomware encrypts your data. As always, prevention is the best medicine.

Stephen McCallister, CPHIT, is a health IT consultant with over 20 years' experience managing technology for healthcare organizations. As chief information officer, he planned and implemented IT systems for multiple practice mergers and served as HIPAA Security Officer. He can be reached at steve.mccallister@frontier.com.