Don’t Let Ransomware Lead to a HIPAA Breach

Ransom notes aren’t just a fabled thing from television shows and movies. They happen in real life, and they happen in the medical field. Of course, ransom demands sent to hospitals aren't typically messages from kidnappers pasted together out of old magazines. They’re cybersecurity threats known as ransomware, and they’re affecting healthcare organizations of every size.

Here’s a scenario that is increasingly common in hospitals today.

You have an employee who is clicking through emails. They notice what appears to be an email from Outlook 365, informing them that there has been a suspicious login attempt on their email account and asking them to click on a link to reset their password. If they looked very closely, they might notice some suspicious signs, but phishing emails are getting more convincing every day. The employee, flustered and concerned, clicks the link without a second thought, and as a result malware is covertly downloaded onto the device. On the other end of the screen, a hacker has just been handed the key to break into your hospital's network.

The hackers encrypt all of your data, blocking you and your employees from accessing it. They demand that you pay tens of thousands of dollars in Bitcoin to regain access to your data, which includes your patients’ private information. They might even threaten to start posting that patient information online if you don't pay up soon. The hospital comes to a grinding halt, because providers can't access patient charts. Most ransomware incidents will trigger the breach notification rule. If the Office for Civil Rights finds that you failed to implement appropriate safeguards to prevent the breach, you're at risk of a large HIPAA penalty for failing to protect the integrity, availability, and confidentiality of your PHI.

According to the HHS, there have been 4,000 daily ransomware attacks since 2016, which is a 300% increase from 2015. Because cybercriminals can now easily and cheaply purchase the tools to launch a ransomware attack, organizations of all sizes are at risk. Healthcare entities continue to be a popular target, in part because the extreme consequences of the data loss make hackers believe that hospitals are more likely to pay a ransom to restore it, and in part because healthcare organizations still largely fail to take proper cybersecurity measures, making them an easy target.

Thankfully, there are practical ways to protect your organization against ransomware attacks. The most important is to consistently train all your employees to recognize cybersecurity threats such as phishing scams. Another is to use spam filters to help prevent phishing emails from reaching your employees’ inboxes in the first place. Make sure all your data is backed up, that the backups are kept where ransomware on your network cannot reach and encrypt them, and that you test restoring from those backups regularly. A backup ensures that if a ransomware attack occurs, you can restore your data and continue patient care.

To learn more about how to protect yourself from ransomware attacks and phishing scams, read this helpful article provided by the Justice Department:

https://www.justice.gov/criminal-ccips/file/872771/download