The recent spate of ransomware attacks on healthcare providers has prompted federal agencies to alert the healthcare sector about precautions and to provide recommendations on how to handle an incident.
Many of these attacks appear to originate in China, Russia, and Eastern European countries. The FBI has issued recommendations about ransomware attacks, and “encourages healthcare entities and business associates not to pay the ransom, as this does not guarantee files will be released. Any instances of cyber fraud should be reported to the FBI.” The FBI provides these contacts for reporting:
- United States Computer Emergency Readiness Team (US-CERT): https://www.us-cert.gov/ – (Ransomware remediation)
- Federal Bureau of Investigation (FBI): https://www.fbi.gov/scams-safety/fraud/internet_fraud – (Report internet fraud)
The worrying aspect of this new string of attacks and the weaknesses they exploit is that they can affect not only general business networks but also the patient care systems an entity relies on, such as medication timing and dispensing systems or life-sustaining medical devices that share the same network.
Now is an excellent time to revisit all privacy and security best practices and update workforce training, and to re-familiarize yourself with some basics:
- Update your company privacy and security training to include information about ransomware attacks. Run through interactive awareness scenarios so the seriousness of the risk sinks in!
- Alert employees to the risks of email and text scams and phishing; attachments and links are the usual delivery vehicles for malware.
- Browse the internet carefully, particularly on work-issued devices or devices that connect to work systems.
- Make sure all of your sensitive and critical data is backed up, preferably nightly, that your backup media is encrypted, and that it is stored securely offsite. Keep at least one copy offline or otherwise disconnected from the network, because ransomware that can reach a mounted backup share will encrypt the backups along with the originals, and periodically restore from a backup to confirm it is actually intact and usable.
- Test your security incident response plan to make sure you can rapidly respond to a phishing compromise or a ransomware infection, including isolating affected systems and restoring from backup.
- Be sure anti-malware software, security patches and protocols are up to date on all devices, from desktops to mobile devices.
- Encrypt personal mobile devices used for healthcare apps, communication, etc. and be sure remote wipe is set up and active in case the device is lost or stolen.
For more smartphone security best practices, visit the United States Computer Emergency Readiness Team (US-CERT): https://www.us-cert.gov/
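The backup and incident-response items above hinge on one question that is rarely checked until it is too late: will last night's backup actually restore intact, or did the ransomware reach it too? The following is an added example, not code from the original column or from Apgar and Associates, showing one way to answer that with a test restore. It archives a directory, records a SHA-256 manifest signed with an HMAC key that is assumed to live off the backup host, then restores the archive into scratch space and diffs it against the manifest. The sample "EHR" files, the key, and the ransomware scenario are all constructed for the demonstration; the example uses only the Python standard library.

```python
import hashlib
import hmac
import json
import os
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative, '/'-separated) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(src: Path, archive: Path, key: bytes) -> dict:
    """Archive src and return a manifest of file digests signed with an HMAC under key.

    The key is assumed to be kept off the backup host, so an attacker who encrypts
    or swaps files on the backup share cannot also forge a manifest that matches.
    """
    files = hash_tree(src)
    with tarfile.open(str(archive), "w:gz") as tf:
        tf.add(str(src), arcname=".")
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_is_authentic(signed: dict, key: bytes) -> bool:
    """Recompute the HMAC over the manifest body and compare in constant time."""
    body = json.dumps(signed["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


def verify_restore(archive: Path, signed: dict, key: bytes) -> list:
    """Restore archive into scratch space and compare it against the signed manifest.

    Returns a list of findings; an empty list means the backup restores intact.
    """
    if not manifest_is_authentic(signed, key):
        return ["manifest HMAC mismatch: manifest or key is not trustworthy"]
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tf:
            # Use the safe extraction filter where this interpreter provides it
            # (Python 3.12 and the security backports), which rejects path traversal.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tf.extractall(scratch, **kwargs)
        restored = hash_tree(Path(scratch))
    expected = signed["files"]
    findings = [f"missing: {rel}" for rel in sorted(set(expected) - set(restored))]
    findings += [f"unexpected: {rel}" for rel in sorted(set(restored) - set(expected))]
    findings += [f"modified: {rel}" for rel in sorted(set(expected) & set(restored))
                 if expected[rel] != restored[rel]]
    return findings


def demo() -> dict:
    """Constructed scenario: a clean backup verifies; a re-run backup taken after
    ransomware touched the source is caught; a forged manifest is rejected."""
    key = b"example-key-kept-off-the-backup-host"  # assumption: real key lives in a secrets store
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ehr"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient1.txt").write_text("MRN 0001 visit notes (constructed sample)\n")
        (src / "records" / "patient2.txt").write_text("MRN 0002 lab results (constructed sample)\n")
        (src / "schedule.csv").write_text("time,drug\n08:00,insulin\n")

        archive = Path(tmp) / "nightly.tar.gz"
        signed = make_backup(src, archive, key)
        results["clean"] = verify_restore(archive, signed, key)

        # Simulate ransomware reaching the source: one file encrypted, one deleted,
        # a ransom note dropped, and the nightly job overwriting the archive again.
        (src / "records" / "patient1.txt").write_bytes(os.urandom(64))
        (src / "schedule.csv").unlink()
        (src / "README_TO_DECRYPT.txt").write_text("pay us\n")
        with tarfile.open(str(archive), "w:gz") as tf:
            tf.add(str(src), arcname=".")
        results["tampered"] = verify_restore(archive, signed, key)

        # An attacker who edits the manifest to match the encrypted file cannot re-sign it.
        forged = {"files": dict(signed["files"]), "mac": signed["mac"]}
        forged["files"]["records/patient1.txt"] = hashlib.sha256(b"attacker").hexdigest()
        results["forged"] = verify_restore(archive, forged, key)
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, "->", findings or "OK")
```

Run as a scheduled job against the real archive and manifest, a non-empty result is the signal to pull an older offline copy and open an incident rather than discover the problem mid-restore. The manifest only proves integrity; encrypting the archive at rest, as the checklist requires, is a separate step with whatever backup tooling is in use.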
Source: OCR-Security-List listserv, OCR Cyber-Awareness Monthly Update, March 31, 2016.
Chris Apgar, CISSP, CEO, is a frequent educator and panelist for OMA, HCCA and other industry-leading organizations. Chris is also available as an expert witness and columnist. Apgar and Associates can help you with questions and concerns about your privacy and security compliance program at 877-376-1981. Apgar and Associates is also the home of the compliance consulting subscription program for qualifying organizations.