Ransomware is malware that gets into your computer systems and locks you out of your files by encrypting them. Once the files are encrypted, the attacker behind the ransomware demands a payment before handing over the key that unlocks them. In healthcare, a ransomware attack is also a privacy breach. Several clinics in Calgary have already fallen victim. Some of them paid the ransom and still lost their data, because the attackers' encryption process destroyed the files. The good news is that most ransomware attacks can be prevented.
It's big business. Attacks are increasingly prevalent, growing by 35% year over year. The FBI says ransomware attacks in the U.S. cost $209 million in the first three months of 2016, and that is only the reported attacks. After the University of Calgary paid a $20,000 ransom in June 2016 to regain control of 9,000 email accounts, Calgary police reported that ransomware operators around the world are earning $100,000 to $200,000 per day.
Ransomware gets onto your system in a number of ways, usually as an email attachment or a file downloaded by accident. Email is the most common entry point, along with web pop-ups that encourage or trick you into a click that triggers the download. A malicious file can sit dormant on a system for months or even years before it runs, which makes its origin very hard to trace.
Step one in prevention is educating staff.
No one should open links or attachments in email from someone they don't know, and a suspicious link or attachment from someone they do know deserves the same caution, because attackers routinely send from compromised or spoofed accounts. Some of the most widespread email worms, such as ILOVEYOU in 2000, spread as attachments disguised as harmless files. An email from a contact that reads something like "You'll love this" followed by a link is an excellent candidate for the delete button.
Good Internet hygiene is crucial. Keep pop-up blockers on, and never click a link you are not sure of. Some clinics go as far as restricting which websites can be reached from the clinic network.
Passwords are critical to protecting your files. Weak or reused passwords on remote-access services are one of the ways ransomware operators get in without needing anyone to click anything.
Everyone needs their own login to any system that holds patient information in order to be compliant, so no sharing of usernames and passwords. Individual passwords should be long, at least 12 to 15 characters, and should mix upper- and lower-case letters, numbers and special characters like #$%^& (though length matters more than complexity; a passphrase of several unrelated words is both long and easy to remember). Wired reports that you need to stop using standard or basic passwords like 'password1', '12345' or 'Qwerty'. Change every default password, avoid single dictionary words, and steer clear of simple patterns or incremental numbers (changing 'Clinic2016' to 'Clinic2017' is not a new password).
Further, the security experts Wired interviewed say you should spread special characters through a password instead of clumping them at the end. Use a unique password for every login: it might seem like a pain, but a password manager makes it practical, and it is nowhere near as bad as scrambling to recover from a ransomware attack, or discovering that one stolen password opened every system you use. Read the full Wired article for more advice.
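As an added example (not code from the original article or from Wired), the rules above written as a policy check in Python: minimum length, character classes, a lookup against common passwords even when digits or symbols are tacked on, detection of runs like 'abcd' or '4321', and a check for special characters clumped at the end. The common-password list and the 20-character passphrase exemption are assumptions for this example.

```python
import re
import string
from typing import List

# Constructed list of the bad passwords the article names plus a few classics.
# A real deployment would check against a large breached-password list
# (assumption: that list is not included here).
COMMON_PASSWORDS = {"password", "password1", "12345", "123456", "qwerty",
                    "letmein", "welcome", "admin", "clinic"}
MIN_LENGTH = 12
PASSPHRASE_LENGTH = 20   # assumption: this long, a plain-word passphrase is acceptable


def _has_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` characters that step by +1, -1 or 0
    (e.g. 'abcd', '4321', 'aaaa'); case is ignored."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(pw: str) -> List[str]:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    # Length beats complexity: long passphrases skip the character-class rule
    if len(pw) < PASSPHRASE_LENGTH and classes < 3:
        problems.append("uses fewer than three of: lower, upper, digit, special")

    # 'Qwerty123!' is still 'qwerty': strip trailing digits/symbols before the lookup
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("is a common password, possibly with characters appended")

    if _has_run(pw):
        problems.append("contains an alphabet/number run or a repeated character")

    # All the special characters sit at the very end ('Password1!', 'Clinic2016#$')
    specials = sum(1 for c in pw if c in string.punctuation)
    trailing = len(pw) - len(pw.rstrip(string.punctuation))
    if specials and trailing == specials:
        problems.append("special characters are clumped at the end")

    return problems
```

Run `check_password("Password1!")` and it reports three problems (too short, a common password with a character appended, and the special character clumped at the end); `check_password("correct horse battery staple")` passes on length alone.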
Step two is to ensure security measures are up to date.
Attackers are always looking for new ways past your defences, whether that is a flaw in the operating system, the browser, a PDF reader or the anti-virus software itself. Vendors continually test and improve their products, but sometimes the black hats win, at least for a little while. As soon as a hole is discovered, an update is released to patch it. Apply updates promptly to all clinic software, not just the anti-virus: a known hole stays open on every machine until the fix is installed, and unpatched machines are the easiest targets. Keep anti-virus signatures current and scan regularly as well.
Step three is to back up, back up, back up.
Ransomware only has leverage over you when it locks up data you have not securely stored anywhere else. Back up all of your files regularly, daily at minimum, and make it part of your routine. With an up-to-date backup you can recover without paying the ransom (the attack is still a breach you must respond to, but it becomes a recovery job rather than a crisis). Keep the backup off your network, for example on an external hard drive that is unplugged and locked up at night: ransomware encrypts every drive and network share it can reach, so a backup drive that is left connected gets encrypted along with everything else. Test a restore from the backup periodically; a backup you have never restored from is only a hope.
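As an added example (not code from the original article), a small backup job in Python that writes a dated archive plus a SHA-256 manifest to the backup drive and then does a test restore into a scratch directory, comparing every file against the manifest. The `clinic-` file naming, the sample records and the assumption that `dest_dir` is the mount point of the removable drive are all choices made for this example.

```python
import hashlib
import tarfile
import tempfile
from datetime import date
from pathlib import Path
from typing import Optional, Tuple


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path, stamp: Optional[str] = None) -> Path:
    """Write a dated .tar.gz of `source` into `dest_dir` together with a
    SHA-256 manifest of every file. `dest_dir` is assumed to be the mount
    point of the removable drive that gets unplugged after the job."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or date.today().isoformat()
    archive = dest_dir / f"clinic-{stamp}.tar.gz"
    manifest = dest_dir / f"clinic-{stamp}.sha256"
    files = sorted(p for p in source.rglob("*") if p.is_file())
    with tarfile.open(archive, "w:gz") as tar, manifest.open("w") as m:
        for path in files:
            rel = path.relative_to(source).as_posix()
            tar.add(path, arcname=rel)
            m.write(f"{_sha256(path)}  {rel}\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """Test-restore: extract into a scratch directory and check every file
    against the manifest. Any missing or altered file fails the check."""
    manifest = archive.with_name(archive.name[: -len(".tar.gz")] + ".sha256")
    expected = {}
    with manifest.open() as m:
        for line in m:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(tmp, filter="data")   # refuses path traversal (3.12+)
            except TypeError:
                tar.extractall(tmp)                  # older Pythons lack the filter arg
        for rel, digest in expected.items():
            restored = Path(tmp) / rel
            if not restored.is_file() or _sha256(restored) != digest:
                return False
    return bool(expected)


def demo() -> Tuple[bool, bool]:
    """Constructed run: back up three sample files, verify, then simulate
    ransomware overwriting the archive on a drive left plugged in, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "2016").mkdir(parents=True)
        (src / "2016" / "intake.txt").write_text("patient intake form\n")
        (src / "2016" / "referral.txt").write_text("referral letter\n")
        (src / "schedule.txt").write_text("daily schedule\n")
        drive = Path(tmp) / "usb"
        archive = make_backup(src, drive, stamp="2016-06-01")
        good = verify_backup(archive)
        archive.write_bytes(b"ENCRYPTED" * 64)   # the drive was not unplugged
        try:
            bad = verify_backup(archive)
        except tarfile.ReadError:
            bad = False
        return good, bad
```

`demo()` returns `(True, False)`: the fresh backup restores cleanly, and the scrambled one is caught by the test restore rather than discovered on the day you need it.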
Step four is communications lockdown.
Eliminating the use of standard email in your clinic removes the main way ransomware gets in. That doesn't mean giving up digital communication; it means using something stronger than email.
Brightsquid Secure-Mail and Secure Health Exchange are closed systems. Spammers aren't allowed in, so no one can type random addresses in the hope of reaching a real inbox with a human on the other end who will click a link. Everyone on our system is a verified healthcare professional or an identity-authenticated patient, and we scrub messages for malicious content such as links and attachments. We don't allow executable files, the usual form ransomware arrives in, to be uploaded to our system, so they can't get to you.
That means that exclusively using a secure communication service like Brightsquid, which blocks malicious files and phishing, can keep ransomware from getting in. We have clinics that refuse communication in any other format for exactly that reason: they are serious about keeping their systems clean.
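As an added example (not Brightsquid's code, and not a description of how its service is built), an attachment screen in Python of the kind described above: it rejects executable and script extensions wherever they appear in the name, allows only a short list of document types, and then checks the bytes themselves, so a PE file renamed `scan.pdf` or an Office document carrying a VBA macro is still refused. The extension lists and the minimal Office-style ZIP used as sample input are constructed for this example.

```python
import io
import re
import zipfile
from typing import Tuple

# Extensions that Windows will run directly, or that commonly carry scripts
# or macros. Constructed for this example; real gateways use longer lists.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta", "lnk", "jar",
    "js", "jse", "vbs", "vbe", "wsf", "ps1", "docm", "xlsm", "pptm",
}
# Only these may be delivered, and their content must match the claim.
ALLOWED_EXTENSIONS = {"pdf", "jpg", "jpeg", "png", "txt", "docx", "xlsx"}
# Leading bytes each of these formats must start with
MAGIC = {"pdf": b"%PDF-", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG"}
# Direction-override characters let 'notes\u202Efdp.exe' display as 'notesexe.pdf'
DIRECTION_OVERRIDES = re.compile("[\u200e\u200f\u202a-\u202e\u2066-\u2069]")


def _office_has_macros(data: bytes) -> bool:
    """Modern Office files are ZIP containers; a VBA project ships as vbaProject.bin."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def screen_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an attachment may be delivered. Returns (allowed, reason)."""
    if DIRECTION_OVERRIDES.search(filename):
        return False, "filename contains direction-override characters"
    exts = filename.lower().split(".")[1:]
    if not exts:
        return False, "no file extension"
    # Every extension counts, so 'invoice.pdf.exe' is caught by its real .exe
    blocked = [e for e in exts if e in BLOCKED_EXTENSIONS]
    if blocked:
        return False, f"blocked extension .{blocked[-1]}"
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not on the allow list"
    # The name says one thing; check what the bytes actually are
    if data[:2] == b"MZ":
        return False, "content is a Windows executable regardless of its name"
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return False, f"claims to be .{ext} but content does not match"
    if ext in ("docx", "xlsx"):
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return False, "claims to be an Office document but content is not"
        if _office_has_macros(data):
            return False, "Office document contains VBA macros"
    return True, "ok"


def build_office_file(with_macro: bool) -> bytes:
    """Constructed minimal .docx-like ZIP for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

The order matters: name checks are cheap and catch the obvious cases, but the content checks are what stop a renamed executable, and a gateway that trusts the extension alone is easy to walk past.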
All of these steps are, of course, best practices. Some of them are also regulatory requirements. Creating policies and procedures in line with your regulatory responsibilities does more than protect you from fines; those rules exist because they do, in fact, protect your patients and your clinic from the growing criminal threat on the Internet.