Yikes! My Files Are Kidnapped!: What is Ransomware?

March 7, 2024

Ransomware. Even the name sounds ominous! With the Change Healthcare ransomware attack, you might have heard a lot about ransomware in the news lately. While the effects of the attack are wreaking havoc on the healthcare system, you might be wondering what this notorious ransomware is all about. 

Well, you’ve come to the right place! We’re here to educate you on ransomware and how your practice or organization can be prepared for this cybercrime. 

What is it, exactly? 

Ransomware is a form of malware, or malicious software, that encrypts a victim's files and demands a ransom before the victim can access them again. This is a very common way hackers infiltrate healthcare systems, and over 4,000 ransomware attacks occur a day!

If you’re confused about how ransomware works, here’s a simple example: 

Dan the Doctor was having an alright day, and then he received an email at his practice that he thought would turn it into the best day of his life! The email said he had won 20 million dollars! All he had to do was click the link in the email to receive it. He clicked it as soon as possible, already dreaming of spending the rest of his life on the beaches of Hawaii.

Spoiler alert: his day was going to get a lot worse. 

As he clicked the link, ransomware began its sinister magic: encrypting his patients' protected health information (PHI). He couldn't believe what he had done, putting his patients and his practice in jeopardy. Then, to regain access to these files, he had to pay thousands of dollars, or the files would be posted online, putting his innocent patients at even greater risk.

His dreams of Hawaii turned into a badly bruised wallet and patients at risk.

While you might think that could never happen to you, email scams, or phishing, are the most common way ransomware attacks are delivered.

Our simple example is just a story, but it happens often in the healthcare field. For example, the most recent major cybercrime is the ongoing Change Healthcare ransomware attack, in which 22 million dollars was paid in ransom.

The OCR is also beginning to fine practices and organizations that do not take proper precautions against ransomware attacks. The first fine for a ransomware attack was announced in October, costing the Business Associate (BA) $100,000 in HIPAA penalties.

What do I do? 

Now, while ransomware attacks have become extremely prevalent, with a 278% increase in ransomware breaches reported to the OCR, there are precautions you can take. 

Working with an IT company is key for your practice or business, with prevention being the first line of defense. This includes things like encrypting your files, keeping all software up to date, and having firewalls, antivirus, and more.

Additionally, working with a compliance program like Abyde also lowers your risk. By identifying your vulnerabilities and enacting the right protocols, ransomware doesn't stand a chance! For instance, password updates, proper data handling, access controls, and training are all different barriers that help protect your practice or business.

Also, if your practice is infected by ransomware: do not pay the ransom, take the infected device offline and off the network, report the breach to the OCR, and bring in IT experts to investigate the attack.

To learn more about how your practice can stay compliant and secure against ransomware attacks, email us at info@abyde.com and schedule consultations for Covered Entities here, and Business Associates here.