Ransomware - Is Your Practice Vulnerable?

Aug 10, 2016 at 04:03 pm by Staff


Ransomware, Cryptolocker, Cryptowall, whatever you call it, is costing medical practices and hospitals lots of money: ransom actually paid, time lost dealing with the issue and, in some cases, denied access to critical records when they are most needed.

What is it?

Ransomware is malware (malicious software, which comes from the Internet) that infects a computer and then encrypts files (makes them unreadable) until victims pay a ransom to have them unlocked. Usually, hackers target individuals for $300 to $400 each, but more and more doctors' offices and medical facilities have been hit as well. There is only one way to get your data back without paying, which we will discuss later.

One of the most extreme cases of this took place in February, when Hollywood Presbyterian Medical Center handed over $17,000 to hackers who took over its systems. Since then, two other hospitals in California, as well as in Kentucky and Maryland, were also hit. By the end of this year it is predicted that over 1 billion will be paid to hackers in these schemes. The ransom is usually paid in Bitcoin, an online-only currency that is virtually untraceable.

Why is this happening?

While ransomware isn't new, it was rare in the past for hospitals and doctors' offices to be targeted. It is mostly happening because it is working. All types of businesses have been hit, and the ransom is usually pretty low because the hackers know that if they want to get paid they need to make it somewhat affordable. Since several high-profile cases like the one listed above have hit the news, the attacks have increased.

What can I do to protect myself?

First and foremost - educate your employees! The hospital listed above was hit when one employee clicked on one attachment to an email that infected their machine. Most infections come when an employee clicks on an attachment, a link in an email, or a pop-up that shows up on their machine. Do not give email to employees who do not need it, and have an enforceable policy that they should not be checking personal email (or social media accounts) on office-provided machines.

Don't ever open an attachment to an email unless it is something you were expecting. Hackers can send email from someone else's PC that looks very valid. If you are unsure whether something is valid, call the person and ask if they meant to send it to you.

A common email with malicious attachments that we have seen is titled "your practice name - Invoice APR000192957". It appears to have an innocent PDF or Word document attached, but it is actually a virus-laden file that will infect your PC. Once the encryption starts, it cannot be removed without an unlocking key - only available after you pay the ransom.

Also, have good backups and work with a good IT company. This cannot be overstated. Once the data is encrypted, the only way to get it back is to pay the ransom and get an unlocking key or to have your IT company restore (overwrite) your data from your most current backup.

At our company we install "constant" backup systems. They back up the data changed on your servers every 15 minutes. This way, in case your data gets encrypted, you would only lose 15 to 30 minutes' worth of input. If you realize at 3:45 you have been infected, then we can restore all data to the way it was at 3:30. If you have a typical backup system, you would have to restore from the "night before." While that is not bad at 10:00 in the morning, it is really bad at 5:00 in the afternoon.

Make sure all your PCs and servers are constantly being patched. This means that operating system patches are being applied to your systems as soon as they are published. Often PCs or servers that have been infected are not patched regularly.

How do you know if you are being patched? Have your IT company provide you with a monthly report that proves they are patching your machines regularly. They should also provide you with a report of all Internet activity through your firewall.

A good firewall report can show you all activity from each user on the Internet as well as how the firewall is working to prevent intrusions into your network - which is the most important reason to have a firewall. If you are not getting a report like this from your internal IT person or your outsourced IT company, then you should ask for it. All commercial-grade firewalls have the ability to produce these types of reports.

In the end, it falls on you to make sure cybersecurity is a priority in your practice. Take a hard look at your security and take these threats seriously. With the rise in cybercrime, this is not a risk you can ignore anymore.

Tim Taylor is the founder and President of TaylorWorks, Inc., a managed IT services provider in Central Florida. For over 15 years Tim's team has worked with hundreds of medical practices and businesses with their IT and HIPAA compliance needs. Tim can be reached at ttaylor@taylorworks.com.