Is Your Name on the List? Will it be on the Next List?


Ransomware continues to impact the dental community. We have seen the attacks escalate from targeting individual practices to attacks through the providers of IT services. In most cases these attacks are for extortion purposes, but hackers are getting frustrated when the attacks fail to produce income for them. So, they are upping their attacks.

Recently several companies were attacked and did not pay the ransom for various reasons.  They thought they were in the clear, but wait, the hackers created a website with a “list” of all the companies that failed to pay.  The “list” also contained several files from Microsoft Office including Word files and PDF files.  This makes the incident a “data breach”. 

A breach under the Health Insurance Privacy and Portability Act Omnibus Rule of 2013 means the acquisition, access, use, or disclosure of protected health information in a manner which compromises the security or privacy of the protected health information. Practices are required to conduct an investigation to determine if any information was “viewed or exfiltrated” and whether there is a low probability that data was compromised in a way that could impact the security or privacy of their patients. A forensic investigation is required to determine how the attack occurred, what processes were involved, and, most importantly, if information was viewed or, worse, taken.

The fact that attacks may result in documents containing protected health information showing up on a hacker’s website means that practices need to be proactive in their response to these attacks. The time to plan for this type of event is now. Planning ahead of time can minimize the impact that these attacks can have on the financial stability of the practice and its reputation. So, what steps can a practice take now to prepare?

DISASTER PLAN:  Every practice should have a written plan to respond to a cyber-attack as well as other potential disasters that could impact a practice. This plan should detail how to respond and, most importantly, how to recover from a disaster, including a cyber-attack.

RISK ANALYSIS:  Conduct a risk analysis to identify potential risks that could adversely impact the practice.

TRAINING:  Provide Security Awareness Training for all team members on your practice’s security policies. Teams should be educated on how phishing emails, spam, and other potentially malicious software can result in an incident. Teams should also be trained on how to respond to an incident.

BEST PRACTICES:  Use multifactor authentication, especially on email accounts and MS Office; restrict user privileges; patch applications and operating systems; whitelist applications and devices; monitor all network activity; and BACK UP, BACK UP, BACK UP.

When a cyber incident occurs, it is important not to panic, but to refer to your disaster plan. Be prepared: you may or may not be able to get assistance from your IT partner. Create a response team. Navigating through a ransomware attack can be emotionally straining. Having a plan to respond quickly is critical; it enables a quicker recovery and reduces stress.

Ransomware attacks will continue, and hackers have shown they are stepping up their game. This means practices must step up theirs to stay off the hackers’ list.