Guidance on Ransomware Attacks

Top 10 List for Protecting Yourself from Ransomware

In July 2016 the Department of Health and Human Services Office for Civil Rights issued guidance intended to help healthcare entities understand and respond to ransomware attacks.


Ransomware is a type of malware that denies a user access to their electronic data by encrypting the data with a "key" known only to the attacker. After the malware is deployed, the attacker demands that the user pay a ransom (often in a cryptocurrency such as Bitcoin, to preserve the attacker's anonymity) in exchange for the key needed to decrypt the data. However, there is no guarantee that the attacker will actually provide the key once the ransom is paid.

According to the report, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015). Doesn't that seem incredible? Why would these people target businesses such as yours? Here are some thoughts:

  • They know it's where the money is
  • They know that they can cause major business disruption, which puts you in a very vulnerable position
  • Through the business, their dirty deeds reach a more extensive system: networks of computers and cloud-based systems may be impacted
  • Small businesses, especially healthcare providers, are often not well prepared to deal with these types of cyber attacks

After reading the HHS report, I set out to build a checklist that would help prevent this from happening to me and to you, my client. Here is my "Top 10 List for Protecting Yourself from Ransomware":

  1. Back up your data and make sure the backup works by actually testing a restore! Having more than one backup is a good idea: an external drive that is removed from your office, plus a cloud-based backup system. Side note: whatever backup system you use for Protected Health Information, be sure it is HIPAA compliant and that it follows the security management process described in your policies.
  2. Keep your computer operating system up to date. New updates are issued often and contain fixes to security issues. The same is true for the software you use: check for updates often.
  3. Use extreme caution when you are on-line. Know your sites and stay away from pop-up ad campaigns.
  4. Never open spam mail or mail from unknown senders. If the subject line of an e-mail I receive is empty, or if the e-mail looks even somewhat suspicious, it gets the "shift-delete" treatment. It doesn't even get a chance to reside in my trash bin.
  5. Use caution when downloading files, opening files, or clicking on hyperlinks: know your sources! If you ever do open a suspicious file by mistake, disconnect from the Internet immediately.
  6. Have security software installed and keep your subscription up to date. One of the best ways to protect against a virus is to have defenses in place that ensure you never receive one in the first place.
  7. Keep your system locked when you are not using it and never share your password with another user. And, I hate to say it, don't keep your password on a sticky note placed on your computer (yes, I see this frequently).
  8. Keep your employees' privileges locked down on your network. Make it difficult for them to do on-line shopping, visit unknown websites, or use social media sites on your business computers.
  9. Don't let your children or grandchildren on your computer. I'm serious! Over the years I have had to fix more computer problems as a result of kids' games and the files they download than I can count. Give them their own gaming or computer system and keep them off your computer.
  10. Don't pay the ransom. Even if we follow the above checklist, it's possible we could find ourselves targeted by a cyber-criminal. Paying the criminal only puts you in the position of being a repeat customer.

Computers have become an integral part of the way in which we do business today. I find myself in a love-hate relationship with them. I love the efficiencies and conveniences they provide. I hate the damage they can cause to relationships, work/family time, and our pocketbooks. I'm probably not going to eliminate technology from my life any time soon. In fact, my use will likely only increase with time, so I guess it just makes sense to be smart in the way in which we use it. Hopefully, this checklist will help us both make life with computers a little better and a little safer.

If you are interested in receiving a copy of the HHS report, go to for a PDF copy.

Mike DeVries is a CERTIFIED FINANCIAL PLANNER ™, Enrolled Agent,  and a Certified Healthcare Business Consultant focusing on helping healthcare professionals. If you would like to learn more about becoming a client, contact Mike at

Don’t be Fooled by Fake IRS Communications

5 things you should know about phishing scams

Be aware that fraudsters are trying everything they can to obtain your personal or business financial information. I received a call from a doctor client who told me that she had received an e-mail from the IRS stating that she was due a refund for taxes paid. The e-mail looks legitimate and even shows an official-looking reply-to address. The body of the e-mail states the following:


Business Intelligence – Using Your Data to Manage Your Practice [Podcast]
Episode 011

Doctors Business Management Show
In this episode, Mike DeVries and his guest, Nate Moore, discuss using business intelligence: using data from your medical practice to manage your business better. The YouTube video recording of the show shows the example reports that were discussed during the show.


Is Your Business Social?

About 15 years ago my oldest children were asking for social media accounts. Like many parents, I decided then that I had to get an account of my own to follow what they were doing. As I watched them and their friends grow up with these resources, I realized that I would need to stay on top of this type of communication if I wanted to work with and be helpful to my future clients. It seems so much simpler to make a phone call and have a conversation with someone instead of fat-fingering little buttons to send a message, but I'm certain that the Millennial generation would have a different perspective. Sending a text message usually elicits a quicker response from them; it does with my kids, especially when the text is "Do you need money?".

Importance of Using Technology

I recently came across this table of information and found it very interesting. It speaks to the way in which generations are embracing various segments of social media. As you move from the right column to the left, you can see generations going from dabbling to exploration to full immersion in the various social activities. Businesses are also becoming more "social", but I suspect that most healthcare practices would still be classified as being in the dabbling category. Doctors who get on board and learn how best to use social media to communicate with their patients will stand out above their competition.

Dr. David Geier, an Orthopedic Surgeon and Sports Medicine Specialist from North Carolina, is an example of a physician who is standing above the crowd by engaging an audience and his patient base with podcasts that he produces about various sports and the injuries that result from them. I had the pleasure of meeting and visiting with David at a recent conference that we were both attending. It is obvious that he has a passion for his profession and is using his pioneering spirit to take his practice and business social.

Not every doctor will invest the amount of time that it takes to do what Dr. Geier does, but that doesn't mean that your practice isn't, or can't start to be, more social. Start with the basics: simply begin gathering patient e-mail addresses and cell phone numbers. I'm amazed at how often this aspect of business management is overlooked. The practice management systems in use almost always have the fields available for this data, but the person at the front desk is not charged with the responsibility of obtaining the information. If you aren't doing it now, I would suggest that you diligently work at asking your patient base for this information. Assign a champion within your office to this task and make a game out of it. Oh, and do keep score daily.

Demand Force and SikkaSoft's Patient Home Page are just a couple of examples of tools that I see being used within healthcare practices to communicate with patients via e-mail and text messaging services. A secure patient portal that allows your patients to check their schedule, pay the balance of their account, or communicate with you in some way is a great resource for your patients and will make your business more accessible. A friend of my daughter's once said to me, "If I can't deal with the company on-line, see what they offer, communicate with them, and pay my bill with them, all on the computer, I will find a different company to work with." While I would hope that customer service and the quality of the service would enter into the purchasing decisions of a younger generation, I'm becoming more aware that making your business social is something they value.

My friend, Jim Munchbach, who is the author and producer of says, “Big Business. Small Business. Show Business. Micro Business. It’s all Social Business. But don’t worry if you aren’t totally there – start where you are today and then simply take the next step.”

How are you currently using social media in your practice? Or, in what ways do you plan on using it in the future?

Mike DeVries is a CERTIFIED FINANCIAL PLANNER ™ and a Certified Healthcare Business Consultant focusing on helping healthcare professionals. If you would like to learn more about becoming a client of Mike’s, contact him at

CMS Launches EHR Incentive Programs Website

The Centers for Medicare & Medicaid Services (CMS) has launched its official website for the Medicare & Medicaid EHR incentive programs.

CMS said its EHR incentive program website is for providers seeking to learn who is eligible for the programs, how to register, the definition of meaningful use, and upcoming EHR training and events.
