By Peter J. Cass, OD
July 28, 2021
Ransomware attacks have been in the news lately, including a cyberattack on a large Iowa eye clinic that may have exposed 500,000 patient records after a demand for ransom was not paid, and a Luxottica data breach last year that impacted 829,454 patients. Here is what you should know about ransomware attacks, including how to prevent them from happening.
What is “Ransomware?”
Ransomware amounts to an electronic kidnapping of your computer or network. It is a type of malicious software that infects a computer and locks the user from accessing data or threatens to publish the victim’s data unless a ransom is paid. Malware does this by encrypting the victim’s files, making them inaccessible, and then demanding a ransom payment to decrypt them.
The ransomware then tries to spread itself across the victim’s network. The hackers who deployed the ransomware typically demand payment for each of the victim’s affected computers before agreeing to restore the victim’s access to their data.
What Do I Do If My Practice Is Attacked By Ransomware?
Doctors should immediately activate their security incident response plan, which should include measures to isolate the affected computer systems in order to stop the attack. This plan should be put in place beforehand as part of a full HIPAA compliance program. The Department of Health and Human Services (HHS) recommends also contacting the local FBI or United States Secret Service field office as they can pursue cyber-criminals globally and can often assist victims of cyber-crime.
Once the ransomware is detected, doctors should:
• Determine the scope of the incident to identify what networks, systems or applications are affected.
• Determine the origination of the incident (who/what/where/when).
• Determine whether the incident is finished, is ongoing or has spread through their network.
• Determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited).
After getting a better understanding of the effects of the attack, the next steps should include:
• Contain the affected systems and stop the spread of the ransomware.
• Eradicate the instances of ransomware and mitigate or remediate the vulnerabilities that allowed the ransomware attack.
• Restore data lost during the attack so that the business can return to normal operations.
It is also extremely important to assess whether there was a breach of Protected Health Information (PHI) as a result of the security incident. The presence of ransomware (or any malware) is a security incident under HIPAA that may also result in an impermissible disclosure of PHI in violation of the Privacy Rule.
What Obligations Do I have to My Patients & Practice Following a Ransomware Attack?
Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth by HHS, a breach of PHI is presumed to have occurred. The office must then notify affected individuals, the Secretary of HHS and the media (for breaches affecting over 500 individuals). For more information on this, see 45 C.F.R. 164.400-414.
How Much Will a Ransomware Attack Cost Me?
The legal implications of ransomware attacks are still up for debate, and there is no simple answer to the question of how ransomware victims can, or should, deal with an attack. But practices could have significant costs related to:
• Paying regulatory fines and penalties.
• Loss of income from downtime or patients who leave the practice.
• Hiring information technology (IT) experts to find and fix the breach.
• Hiring a call center to handle inquiries from patients.
• Hiring a public relations firm to deal with bad publicity.
• Hiring attorneys to represent the practice.
• Paying a ransom to free hijacked data.
Conduct Security Risk Analysis
How Do I Prevent a Ransomware Attack from Happening?
• Education – All staff members must be educated about the risks of ransomware, e-mail and social media.
• Perform a security risk analysis – Practice must conduct and document a Security Risk Analysis as part of HIPAA compliance.
• Utilize secure electronic communications with patients such as EHR ports, secure messaging or encrypted e-mails.
• Keep up to date backups – Real-time cloud-based backup is best.
• Restrict users’ permissions to install and run software applications.
• Enable strong spam filters to prevent phishing e-mails.
• Keep antivirus software installed and up to date on all computers.
• Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching end users.
• Configure firewalls to block access to known malicious IP addresses.
In addition, the Cybersecurity & Infrastructure Security Agency (CISA) recommends the following good security habits to protect users against the threat of ransomware:
• Improve password security by doing the following:
o Create a strong password. Use a strong password that is unique for each device or account. Longer passwords are more secure.
o Consider using a password manager.
o Use multi-factor authentication, if available.
o Use security questions properly.
• Create unique accounts for each user per device. This precaution reduces the impact of poor choices, such as clicking on phishing e-mails or visiting malicious websites.
Other Articles to Explore
• Choose secure networks. Public networks are not secure, which makes it easy for others to intercept your data.
• Keep all of your personal electronic device software current.
• Be suspicious of unexpected e-mails. Phishing e-mails are currently one of the most prevalent risks to the average user.
Doctors should meet with staff and discuss ransomware. Staff needs to understand the risks. The staff meeting should cover all of the CISA good security habits mentioned above. This information could even be printed directly from the website and reviewed in the meeting.
Get Outside Help
•There are companies, such as KnowBe4, that will test the training of your staff by sending fake phishing e-mails to see how your staff handles them.
• You can get protection from some of the financial fallout from cyberattacks by getting insured. The American Optometric Association offers such insurance.
Peter J. Cass, OD, is a partner in Practice Compliance Solutions, a faculty member for the University of Houston College of Optometry, an associate at MyEyeDr. Beaumont, and past-president of the Texas Optometric Association. To contact: peter@PCScomply.com
