In July, 2016 the Department of Health and Human Services Office of Civil Rights issued guidance intended to help healthcare entities understand and respond to ransom-ware attacks.
Ransom-ware is a type of malware that denies a user’s access to its electronic data by encrypting the data with a “key” known only to the perpetrating hacker. After the malware is deployed, the hacker demands that the user pay a ransom (often the request is made in cryptocurrency, such as Bitcoin, to preserve the hacker’s anonymity) to obtain the key and decrypt the data. However, there are no guarantees that once the ransom is paid will the hacker provide the necessary key.
According to the report issued, there have been 4,000 daily ransom-ware attacks since early 2016 (a 300% increase over the 1,000 daily ransom-ware attacks reported in 2015). Doesn’t that seem incredible? Why would these people target businesses such as yours? Here are some thoughts:
- They know it’s where the money is
- They know that they can cause some major business disruption, which will put you in a very vulnerable position
- Because through the business their dirty deeds reach a more extensive system – networks of computers, and cloud-based systems may be impacted
- Because small business, especially healthcare providers, are often not well prepared to deal with these types of cyber attacks
After reading the HHS report, I set out to build a checklist that would help prevent this from happening to me and you, my client. Here is my “Top 10 List to Protecting Yourself from Ransom-ware”:
- Back-up your data and make sure it works! Having a couple of backups may even be a good idea – using an external drive that is removed from your office and using a cloud-based back-up system. Side-note: Whatever backup system you may use for Protected Patient Information be sure it is HIPAA compliant and that it follows security management process described in your policies.
- Keep your computer operating system up to date. New updates are issued often that contain fixes to security issues. The same is true for the software you use – check for updates often.
- Use extreme caution when you are on-line and using the Internet. Know your sites and stay away from any pop-up ad campaigns.
- Never open spam mail or mail from unknown senders. If the subject line of the e-mail I receive is empty, or, if the e-mail looks even somewhat suspicious, it gets the “shift-delete” treatment. It doesn’t even get a chance to reside in my trash bin.
- Use caution when downloading files, opening files, or clicking on hyperlinks – know your sources! If you ever do open a suspicious file by mistake, shut off your Internet connection.
- Have security software installed and keep your subscription up to date. One the best ways to protect against a virus is to have defenses in place to ensure you never receive any in the first place.
- Keep your system locked down when you are not using it and never share your password with another user. And, I hate to say it – don’t keep your password on a sticky note placed on your computer (yes, I see this frequently).
- Keep your employees privileges locked down on your network. Make it difficult for them to do their on-line shopping, visiting unknown websites, or social media sites on your business computer.
- Don’t let your children or grandchildren on your computer – I’m serious! Over the years I have tried to fix more computer problems as a result of kids games and files they download. Give them their own gaming or computer system and keep them off your computer.
- Don’t pay the ransom. Even if we follow the above checklist, it’s possible we could find ourselves subject to a cyber-criminal. Paying the criminal only puts you in a position of being a repeat customer.
Computers have become an integral part of the way in which we do business today. I find myself being in a love, hate relationship. I love the efficiencies and conveniences they provide. I hate the damage they can cause to relationships, work / family time, and our pocket-book. I’m probably not going to eliminate technology from my life any time soon. In fact, my use will likely only increase with time – so, I guess it just makes sense to be smart in the way in which we use them. Hopefully, this checklist will help us both in making life with them just a little better and little safer.
If you are interested in receiving a copy of the HHS report, go to http://mikeldevries.com/HHSReport for a pdf copy.
Mike DeVries is a CERTIFIED FINANCIAL PLANNER ™, Enrolled Agent, and a Certified Healthcare Business Consultant focusing on helping healthcare professionals. If you would like to learn more about becoming a client, contact Mike at www.vmde.com.