Guidance on Ransomware Attacks

In July 2016 the Department of Health and Human Services Office of Civil Rights issued guidance intended to help healthcare entities understand and respond to ransomware attacks.

Ransomware is a type of malware that denies a user’s access to its electronic data by encrypting the data with a “key” known only to the perpetrating hacker.  

After the malware is deployed, the hacker demands that the user pay a ransom (often the request is made in cryptocurrency, such as Bitcoin, to preserve the hacker’s anonymity) to obtain the key and decrypt the data.  

However, there are no guarantees that once the ransom is paid will the hacker provide the necessary key.

According to the report issued, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015).  

Doesn’t that seem incredible? Why would these people target businesses such as yours?  

Here are some thoughts:

• They know it’s where the money is
• They know that they can cause some major business disruption, which will put you in a very vulnerable position
• Because through the business their dirty deeds reach a more extensive system – networks of computers, and cloud-based systems may be impacted
• Because small business, especially healthcare providers, are often not well prepared to deal with these types of cyberattacks

Ransomware Checklist

After reading the HHS report, I set out to build a checklist that would help prevent this from happening to me and you.

Here it is:

1. Back-up your data and make sure it works!  
   
   Having a couple of backups may even be a good idea – using an external drive that is removed from your office and using a cloud-based back-up system.
   
   Side-note: Whatever backup system you may use for Protected Patient Information be sure it is HIPAA compliant and that it follows the security management process described in your policies.
   
   
2. Keep your computer operating system up to date.  
   
   New updates are issued often that contain fixes to security issues.  The same is true for the software you use – check for updates often.
   
   
3. Use extreme caution when you browse online. Know your sites and stay away from any pop-up ad campaigns.
   
   
4. Never open spam mail or mail from unknown senders.  
   
   If the subject line of the e-mail I receive is empty, or, if the e-mail looks even somewhat suspicious, it gets the “shift-delete” treatment.  It doesn’t even get a chance to reside in my trash bin.
   
   
5. Know your sources!
   
   Use caution when downloading files, opening files, or clicking on hyperlinks. If you ever do open a suspicious file by mistake, shut off your Internet connection.
   
   
6. Have security software installed and keep your subscription up to date. 
   
   One of the best ways to protect against a virus is to have defenses in place to ensure you never receive any in the first place.
   
   
7. Keep your system locked down when you are not using it and never share your password with another user.  
   
   And, I hate to say it – don’t keep your password on a sticky note placed on your computer (yes, I see this frequently).
   
   
8. Keep your employees’ privileges locked down on your network. 
   
   Make it difficult for them to do their online shopping, visiting unknown websites, or social media sites on your business computer.
   
   
9. Don’t let your children or grandchildren on your computer.
   
   I’m serious! Over the years I have tried to fix more computer problems as a result of kids’ games and files they download.  Give them their own gaming or computer system and keep them off your computer.
   
   
10. Don’t pay the ransom.
    
    Even if we follow the above checklist, it’s possible we could find ourselves subject to a cyber-criminal.  Paying the criminal only puts you in a position of being a repeat customer.

Conclusion

Computers have become an integral part of the way in which we do business today. 

I find myself being in a love, hate relationship. 

I love the efficiencies and conveniences they provide. But I hate the damage they can cause to relationships, work/family time, and our pocket-book. 

I’m probably not going to eliminate technology from my life any time soon.  In fact, my use will likely only increase with time – so, I guess it just makes sense to be smart in the way in which we use them. 

Hopefully, this checklist will help us both in making life with them just a little better and a little safer.