In the digital practice—where sensitive business and patient information is stored electronically—ransomware is one of the most devastating forms of malware. It works by encrypting or blocking access to sensitive files and demanding payment to restore access. If the attack is successful, it is nearly impossible to recover the data without paying the ransom, and even paying it does not guarantee restoration of access. The loss to a healthcare practice—and its patients if medical records access is blocked—could be devastating.
In 2022, the FBI’s Internet Crime Complaint Center (IC3) reported receiving 870 complaints of ransomware attacks from organizations in a critical infrastructure sector. The healthcare and public health sector accounted for 210 of those attacks—nearly one quarter of all reported attacks.
Adding to the difficulty for healthcare organizations, a ransomware attack that encrypts unsecured PHI (protected health information), leaving the attacker in control of access to it, usually results in a “breach” under the HIPAA Breach Notification Rule.
Organizations that fall victim to a successful attack are often left with few options, such as:
- Losing mission-critical information and digital files if there’s no backup available
- Paying a large ransom to restore access to the files
Employee Security Awareness is Essential
Ransomware attacks often begin when unwitting individuals are induced through phishing emails or social engineering to click on malicious links that infect their computers. While IT staff can deploy measures to protect systems from attack (such as anti-virus software, spam filters, and ad blockers), employees using company computers to access sensitive data are a critical part of any security effort.
All employees should learn how to avoid these attacks. The following tips can help, and they may also belong in the employee handbook or company policies. If you suspect an attack, contact your IT staff:
- Do not access company information (such as documents or email) on unauthorized devices. Check with IT staff before using your personal mobile devices or computers for business.
- Be wary of unexpected emails with attachments or links, even if they appear to be from someone you know. Criminal hackers can disguise email addresses and other information in subtle ways to avoid detection. If you are not expecting a file or link from someone, call or text the sender to verify the email or contact IT.
- Do not install unauthorized software, including applications, toolbars or extensions. Malware often poses as legitimate programs like games, tools, and even antivirus software. Check with IT before installing anything.
- Do not respond to emails requesting passwords or confidential information. These are almost always scams. Bad guys are successful because they are convincing, and neither IT staff nor legitimate businesses should ever ask for your password. Report any suspicious requests to IT.
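As an added example (not part of the original article), here is a small Python check of the kind a mail gateway or IT helpdesk could run on an incoming From: header to catch the subtle disguises mentioned above: a display name that impersonates a known colleague, an address hidden inside the display name, a lookalike of the practice's own domain, or the practice's domain buried inside an unrelated one. The trusted domain, contact directory and sample headers are constructed for this example.

```python
import re
from email.utils import parseaddr

# Constructed values for this example: the practice's own domain and a
# directory of known colleagues (display name -> real address).
TRUSTED_DOMAIN = "example-clinic.test"
KNOWN_CONTACTS = {"Dr. Jane Doe": "jane.doe@example-clinic.test"}

def normalize_domain(domain):
    """Fold common visual substitutions so lookalike domains compare equal."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d

def assess_from_header(from_header):
    """Return a list of warnings for a raw From: header value ([] if clean)."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["sender address could not be parsed"]
    domain = address.rpartition("@")[2].lower()
    warnings = []
    # 1. Display name matches a known colleague, but the address is not theirs.
    known = KNOWN_CONTACTS.get(display_name.strip())
    if known and known.lower() != address.lower():
        warnings.append(f"'{display_name}' is {known}, not {address}")
    # 2. An address written into the display name; mail clients show that one.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if shown and shown.group(0).lower() != address.lower():
        warnings.append(f"display name shows {shown.group(0)} but sender is {address}")
    # 3. Lookalike of the practice domain (rn for m, 0 for o, ...).
    if domain != TRUSTED_DOMAIN and normalize_domain(domain) == normalize_domain(TRUSTED_DOMAIN):
        warnings.append(f"{domain} is a lookalike of {TRUSTED_DOMAIN}")
    # 4. Practice domain buried inside another domain (real subdomains are allowed).
    if (domain != TRUSTED_DOMAIN and TRUSTED_DOMAIN in domain
            and not domain.endswith("." + TRUSTED_DOMAIN)):
        warnings.append(f"{domain} embeds {TRUSTED_DOMAIN} inside another domain")
    return warnings

if __name__ == "__main__":
    # Constructed sample headers: one legitimate, four disguised.
    for header in (
        "Dr. Jane Doe <jane.doe@example-clinic.test>",
        "Dr. Jane Doe <jane.doe@free-webmail.test>",
        '"jane.doe@example-clinic.test" <helpdesk@free-webmail.test>',
        "Billing <billing@exarnple-clinic.test>",
        "IT Support <it@example-clinic.test.free-webmail.test>",
    ):
        print(header, "->", assess_from_header(header) or "no warnings")
```

A flagged header is a reason to verify with the sender by phone or text, as the tips above advise, not proof of an attack on its own.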
With these simple precautions, employees can go from being the easiest point of attack to the first line of defense in securing the digital practice.