Hackers target healthcare facilities of every size because they know that health care is riddled with obsolete defenses, out-of-date IT infrastructure, and unsophisticated IT support, says ASCRS 2018 presenter Rob Campbell, MSc, senior cryptologist and cybersecurity expert. As daunting as these attacks are, knowing what to do and what not to do can make all the difference in whether your practice survives a ransomware attack. Here’s how to defend yourself.
Get Smart About Ransomware
Education is the most effective defense. A “lack of awareness of healthcare managers regarding the sophistication of hackers” puts many practices at risk, say Campbell and co-presenter Renee Bouvelle, MD. Learn about the latest ways hackers are targeting medical practices, and familiarize your staff with the signs of ransomware:
- inability to open files
- any message about how to pay a ransom
- messages stating ‘you have limited time to pay or your files will be deleted’
- a window opening to a suspicious program that you can’t close
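The first two signs above (files that no longer open, and a note telling you how to pay) leave traces on a file share that can be checked automatically. The script below is an added example and is not part of the original article or the presenters' material: it walks a folder and flags files that have gained an unfamiliar extension in bulk, files whose original extension is still visible under a new one (for example `visit.docx.locked`), and file names that read like a ransom note. The "common extensions" list, the ransom-note name pattern, the five-file threshold and the sample file lists are constructed assumptions for the demonstration, not values from the article.

```python
import os
import re
from collections import Counter
from typing import Iterable

# Ransom notes tend to combine a "readme / how to / instructions" word with a
# "decrypt / recover / restore / ransom / unlock" word. Assumption: a heuristic
# naming pattern, not an exhaustive signature list.
RANSOM_NOTE_RE = re.compile(
    r"(readme|how[_ -]?to|instructions?)[^/\\]*(decrypt|recover|restore|ransom|unlock)",
    re.IGNORECASE,
)

# Extensions a practice would normally expect to see (assumed list); a large
# number of files with any other extension is worth a closer look.
COMMON_EXTENSIONS = {".docx", ".doc", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".csv", ".dcm"}

MIN_BULK_COUNT = 5  # assumed threshold: this many files with one unknown extension is suspicious


def assess(paths: Iterable[str]) -> dict:
    """Return the ransomware indicators found in a collection of file paths."""
    ext_counter = Counter()
    double_extensions = []
    ransom_notes = []
    for path in paths:
        name = os.path.basename(path)
        base, ext = os.path.splitext(name)
        if RANSOM_NOTE_RE.search(base):
            ransom_notes.append(path)
            continue
        ext = ext.lower()
        ext_counter[ext] += 1
        # "report.docx.locked": the original extension is still visible under the new one
        inner_ext = os.path.splitext(base)[1].lower()
        if ext and ext not in COMMON_EXTENSIONS and inner_ext in COMMON_EXTENSIONS:
            double_extensions.append(path)
    bulk_unknown = {
        e: n for e, n in ext_counter.items()
        if e not in COMMON_EXTENSIONS and n >= MIN_BULK_COUNT
    }
    return {
        "ransom_notes": ransom_notes,
        "bulk_unknown_extensions": bulk_unknown,
        "double_extensions": double_extensions,
        "suspicious": bool(ransom_notes or bulk_unknown or double_extensions),
    }


def scan_directory(root: str) -> dict:
    """Walk a real folder (e.g. a mapped file share) and assess every file in it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return assess(paths)


# Constructed sample listings for the demonstration (not real patient data).
SAMPLE_INFECTED = [
    "Z:/clinic/charts/patient_001.docx.locked",
    "Z:/clinic/charts/patient_002.docx.locked",
    "Z:/clinic/charts/patient_003.docx.locked",
    "Z:/clinic/charts/patient_004.docx.locked",
    "Z:/clinic/charts/patient_005.docx.locked",
    "Z:/clinic/charts/patient_006.docx.locked",
    "Z:/clinic/charts/HOW_TO_RECOVER_FILES.txt",
    "Z:/clinic/billing/schedule.xlsx",
]

SAMPLE_CLEAN = [
    "Z:/clinic/charts/visit_2018-04-12.docx",
    "Z:/clinic/scans/eye_left.dcm",
    "Z:/clinic/billing/march.xlsx",
    "Z:/clinic/readme.txt",
]

if __name__ == "__main__":
    print(assess(SAMPLE_INFECTED))
    print(assess(SAMPLE_CLEAN))
```

Run it against a mapped drive with `scan_directory("Z:/clinic")` from a machine that is not itself infected. Treat the output as a prompt for the response steps at the end of the article rather than proof on its own; a single oddly named file is not an incident, while a whole folder of renamed charts plus a "how to recover" note almost certainly is.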
Don’t Skimp on Training
Minimize your risk for a ransomware attack by putting in the time and effort to conduct security risk assessments. Hire an outside firm or healthcare security data expert to evaluate the safety of your system each year. “You have to do something else in addition” to endpoint security, says Campbell. “This is not something that your EHR takes care of. This is not a checklist,” he warns. Don’t skip or shortcut HIPAA/HITECH training, developing and updating HIPAA policies and procedures, or developing an “emergency contingency plan.” If you haven’t paid attention to these things, and a breach does occur, “you can expect a lot more ‘help’ from the government,” Campbell notes.
Keep Your Protection Current
Just like you protect your eyes from the sun with the best UV-blocking sunglasses, you need to protect your IT system with the best anti-virus and anti-malware programs available. It is common to forget or avoid software updates—they can be inconvenient and let’s face it, you have more pressing things to do. But by keeping software updated and upgrading when necessary, you decrease the risk from attackers who look for known vulnerabilities in outdated versions of those programs. Your IT professional can guide you to make sure you have the right software for your system.
Build Your Team
As tempting as it may be to watch your bottom line by hiring a general “IT guy” or even a family friend to take charge of your IT department—don’t. “Don’t hire your cousin’s brother-in-law on your mother’s side or an IT company that is not trained and skilled in HIPAA, ransomware and digital forensics,” warns Campbell. That’s like seeing a general surgeon to remove a brain tumor, he says. The right IT professional can even conduct a “penetration test”: they act as a hacker would in order to determine exactly how vulnerable your infrastructure is to a real attack.
Tip: Protect your operational network—the one your staff uses for business—by creating a separate guest network for your patients and visitors. Never allow a patient or guest to access your operational network. If their personal mobile device is connected to your router, that’s a possible entry point for ransomware.
Working remotely? RDP (Remote Desktop Protocol) is the number one way hackers get in, reports Campbell. Always make sure you are using a secured network. The Wi-Fi at places like airports and coffee shops may not be secure. Those are very high-risk places, emphasizes Campbell.
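Because RDP is such a common way in, it is worth reviewing who actually logs in over it. Windows records a successful logon as Security event 4624 and a failed one as 4625, and an RDP session carries logon type 10. The script below is an added example, not from the article or its presenters: it reads a simplified CSV export of those events (the column layout and the sample rows are constructed for the demonstration; the real Windows log is XML and would need to be exported or parsed first) and reports RDP logons that succeeded from outside the practice's own address ranges, plus any source address with a run of failed RDP attempts that looks like password guessing. The trusted ranges and the failure threshold are assumptions to adjust for your own network.

```python
import csv
import ipaddress
from collections import Counter
from io import StringIO

RDP_LOGON_TYPE = "10"   # Windows logon type 10 = RemoteInteractive, i.e. an RDP session
EVENT_LOGON_OK = "4624"
EVENT_LOGON_FAILED = "4625"
FAILED_THRESHOLD = 5    # assumed: this many failures from one address is worth a call to IT

# Assumed internal ranges of the practice (the RFC 1918 private blocks plus loopback).
DEFAULT_TRUSTED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")


def analyze_rdp_logons(csv_text: str, trusted_networks=DEFAULT_TRUSTED) -> dict:
    """Summarise RDP logon activity from a CSV export with the columns
    timestamp,event_id,logon_type,user,source_ip (constructed layout)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    external_success = []
    failures = Counter()
    for row in csv.DictReader(StringIO(csv_text)):
        if row["logon_type"] != RDP_LOGON_TYPE:
            continue  # console, service and network logons are out of scope here
        source = ipaddress.ip_address(row["source_ip"])
        if row["event_id"] == EVENT_LOGON_FAILED:
            failures[row["source_ip"]] += 1
        elif row["event_id"] == EVENT_LOGON_OK and not any(source in net for net in trusted):
            external_success.append((row["timestamp"], row["user"], row["source_ip"]))
    brute_force = {ip: n for ip, n in failures.items() if n >= FAILED_THRESHOLD}
    return {
        "external_rdp_logons": external_success,
        "brute_force_sources": brute_force,
        "needs_attention": bool(external_success or brute_force),
    }


# Constructed sample export. 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_LOG = """timestamp,event_id,logon_type,user,source_ip
2018-04-12T08:02:11,4624,10,drsmith,192.168.10.5
2018-04-12T08:05:40,4624,2,reception,127.0.0.1
2018-04-13T02:11:02,4625,10,administrator,203.0.113.45
2018-04-13T02:11:09,4625,10,administrator,203.0.113.45
2018-04-13T02:11:15,4625,10,admin,203.0.113.45
2018-04-13T02:11:22,4625,10,frontdesk,203.0.113.45
2018-04-13T02:11:30,4625,10,frontdesk,203.0.113.45
2018-04-13T02:11:37,4625,10,frontdesk,203.0.113.45
2018-04-13T02:14:09,4624,10,frontdesk,203.0.113.45
"""

if __name__ == "__main__":
    print(analyze_rdp_logons(SAMPLE_LOG))
```

In the sample, the daytime logon from the office network is ignored, while the 2 a.m. guessing run followed by a successful logon from an outside address is exactly the sequence a practice should never see: remote staff should reach the office through a VPN, so that a successful RDP logon from an unknown public address is always a finding, not a normal event.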
Discovered you’ve become the victim of a ransomware attack? Don’t panic. Instead, do these three things, Campbell advises:
- Disconnect the infected machine from the network.
- Notify your compliance officer.
- Contact your IT specialist to conduct a forensic audit.