You can’t browse the internet or watch TV without hearing about ransomware wreaking havoc on personal and business computers. The reality is that ransomware can hit a practice of any size at any moment. Dental offices all over the country are constantly being hit by these attacks because of the value of the data on their networks.
Most ransomware attacks are debilitating and often cause the total destruction of data on your workstations, laptops and servers. Ransomware is typically spread via phishing emails in which employees are tricked into clicking on a link or opening an attachment. These phishing emails often appear to originate from a trusted entity and are so convincing that an untrained individual is likely to fall for the scam. Ransomware can hide in PDF, Microsoft Word and Office documents. The more advanced threats present themselves as legitimate emails from employees within your organization, and if an employee clicks on a link or opens a document, the ransomware bypasses your firewall and anti-virus software and injects code into your computer. This code encrypts almost every file on your computer, then worms its way through your network and does the same to every other computer and server. If you have multiple office locations connected via a VPN, it will infect those offices as well. With the encryption being so complex and hard to crack, there is typically no remedy besides erasing the contents of your hard drives and reinstalling everything. Even with online backups, bringing your network and data back online is a complex task and will most likely force you to close your office for days.
Law enforcement has almost no capacity to help you and will advise you not to pay the ransom. Hackers ask for anywhere from a few thousand dollars to hundreds of thousands of dollars, depending on the value of the data. If you pay the ransom, which is usually demanded in some form of gift card or virtual currency such as Bitcoin, there is no guarantee that you will get your data back.
Now let’s take a look at the HIPAA Security Rule, which covers protecting PHI in the event of a disaster or data compromise. It is the responsibility of the practice to implement procedures and protocols that protect PHI from data loss (such as flooding) and data theft (such as hacking and ransomware). What most practices don’t realize is that firewalls and anti-virus software are now considered the most basic forms of protection, and with ever-evolving ransomware technology they are easily defeated. One must also realize that 50% of ransomware attacks are inadvertently initiated by a member of your team downloading, clicking on or installing something. Training your staff on cyber security threats is not only the industry standard but is required by law under the HIPAA Security Rule.
The reality is that many practices are getting hit, and you may not hear about them because practices fear the PR backlash. In the event that your data is compromised, don’t forget that you may be required to report the breach to Health and Human Services, which will most likely open an investigation and publish your practice’s name on its “Wall of Shame,” a public website listing every practice that is under investigation, has lost PHI or has been found in violation of the HIPAA regulations.
So what can you do? You can minimize your exposure by taking a multi-layered approach to cyber security. This approach includes anti-virus, firewalls, cyber security training for your staff, network vulnerability scanning and penetration testing (ethical hacking). Vulnerability scanning is a method in which an advanced piece of software or hardware checks every computer on your network for out-of-date software, missing or outdated virus protection, or unpatched systems, and reports back to the security company so your IT company can remediate the problem. By implementing all of these layers of security, you can help minimize the chances of falling victim to a data breach or ransomware. If you talk to any practice that has been hit, they all say the same thing: it is one of the worst experiences a practice can go through. Not knowing whether PHI was stolen and not having access to patient records is extremely debilitating to your staff and practice. It also undermines the trust of your patients and referral sources, not to mention the severe financial hardship incurred to remediate. A small to medium practice can incur legal and IT fees in excess of $500,000, and most insurance policies cover little to none of this expense.
You can no longer be passive about your cyber security and pretend that you won’t fall victim to an attack because you think and feel that “hackers won’t target my practice since they have bigger things to go after.” The reality is that it’s not a matter of if but when. Hackers are realizing that medium and large organizations are fortifying their defenses, while smaller practices are pretty much open targets. The cyber security world is a game of cat and mouse, and the monetary value hackers place on your data is extremely high. Complete records with name, DOB, address and SS# provide the perfect platform for identity theft and increase the price tag on your data.
So how can Black Talon Security help secure your practice? We specialize in cyber security training, network vulnerability scanning and penetration testing, and we work in conjunction with your IT company to harden your security posture. IT companies are great at setting up and supporting your network, but they do not specialize in security. It is also critical to have a third party validate the security put in place by your IT company and suggest additional measures to harden your posture.
It is time to take a hard look at your security posture and realize that without a solid one, your practice and everything you have worked so hard to achieve can be compromised.