What is Ransomware? Take These 7 Steps to Protect Your Practice
In this age of electronic protected health information (ePHI), one of the greatest threats to your medical or dental practice is ransomware. Practices are facing this vulnerability more and more frequently. Sure, you’ve heard of ransomware, but do you know what it is and how to protect yourself from it?
Take action to protect your practice and patient information through these 7 steps.
Do you know what to look for in a managed IT service provider?
Download our checklist to learn if you’re making the best choice for your practice.
What is Ransomware?
Ransomware is a type of malicious software that holds your computer data hostage until you pay a ransom. Ransoms can range from a couple hundred dollars up to thousands of dollars. Ransomware works by infecting your computer and/or network with malware, usually introduced by the user clicking on a link, attachment, or popup. Once a user clicks on the link or attachment, the malware encrypts the files on the computer, locking the user out of them. Paying the ransom does not guarantee that your data will be restored to you. Ransomware has the potential to disrupt a practice’s ability to provide high quality healthcare, damage and expose sensitive data, cause significant financial loss, and harm a practice’s reputation.
How to Protect Your Practice from Ransomware
1. Don’t Click On Anything Suspicious
Let’s face it, we all enjoy surfing the web during our downtime at the office or over lunch. Whether you’re looking for something fun to do this weekend or searching for the perfect Sunday brunch recipes, it’s easy to get lost and even a little “click happy”. It’s extremely important to be aware of where you are surfing and clicking on the web, especially when doing so from an office computer. Only visit legitimate websites of reputable businesses. Also check that the address shown in your browser matches the link you clicked; if it doesn’t, it might be a fake website designed to “phish” your information.
Be extra cautious with email. Do not click on any links or download attachments in suspicious-looking emails or emails from unknown senders. If an email comes from someone you don’t know or is not addressed to an actual person, send it straight to the trash. The same goes for a message that looks like it’s from someone you know but whose content does not match what that person would normally send you.
Malicious emails often contain typos and grammatical errors, the subject matter may be inappropriate, and they may ask for personal data such as your social security number and birthday. NEVER EVER provide this kind of private information in response to an email. Reputable businesses and government agencies never request personal information this way.
2. Use Protective Software
Your practice management software contains a lot of personal data, which makes using protective software one of the most critical things you should do. However, it’s important that the software you use is right for you and is offering the level of protection that your practice needs. Your technology partner can help you choose appropriate software for your practice.
Users can unintentionally fall victim to websites that have been designed to either elicit confidential information or to automatically download malicious content that seeks to gain control of your environment. It is important that your technology partner offer web threat scanning solutions that can identify and block malicious content from entering your network as a result of innocent web browsing.
Every workstation on your network should contain antivirus and anti-malware software.
If you have antivirus and anti-malware, it doesn’t mean you can forget about it. New viruses are created constantly, so it’s important that you are continuing to keep your software updated. Most programs can be set to update automatically at set intervals. Hackers see outdated protective software as a perfect opportunity to steal your practice’s information.
3. Keep Your Practice Management Software Updated
As mentioned before, it’s important that you have cybersecurity software in place so that your patients’ information is protected. Another area of weakness hackers look for is a lapse in software updates. When your software vendor issues a new version, the update should be installed. Additionally, it is important to keep your operating systems updated. OS updates often close security gaps, so updating your operating system could save you from an attack.
It is important to work with your technology partner to implement these updates to ensure that they are installed and configured properly on your network.
4. Back Up Your Data
Your practice is your data; without it, you could not operate! It’s important to back up your data and store the backups securely. If you do find yourself in the situation where your data is being held for ransom, you want to make sure that you have a current, encrypted backup. Periodically perform a test restoration to ensure that the backup procedure is working properly. Having a good backup will allow you to resume business as usual as quickly as possible.
5. Encrypt Your Data
Encryption makes patient data indecipherable to hackers. There are several software options for encrypting your data. Whichever encryption software you choose, make sure you understand the level of protection you have, and that you have the appropriate level of data security for your practice. Share PHI only with authorized individuals as outlined in your practice’s HIPAA policy. Any PHI transmitted via email must be encrypted.
6. Create a Security Policy For Your Practice
Just as you have policies and procedures for training staff in things like HIPAA and patient communication, you should also have a policy for your staff regarding electronic security. Train your staff to use best practices with your computer data. They should know what to watch out for and what to report. Make them understand why electronic security is so important, and make sure they understand the consequences of non-compliance.
Limit access to protected health information by restricting privileges in your practice software. Allow access only to the information employees need to perform their jobs. Removable backups should be stored securely. If you or a staff member accesses PHI using portable electronic devices, you should have a policy for handling these devices in a secure manner. And beware of public Wi-Fi; hackers love to exploit the lack of security on public Wi-Fi. So don’t even think about checking your practice schedule while you are logged in at the local coffee shop.
7. Be Prepared with a Disaster Recovery Plan
Create and maintain contingency plans that include frequent backups and test restorations, as well as emergency operations. It is important that you are able to provide patient care as soon as possible after a disaster of any kind, in this case a security breach. Document the incident with screenshots or photos and file a police report.
The breach notification rule requires that you report a data breach. You would have to notify all of your patients in writing and the local news media, and have your practice listed on the Department of Health and Human Services’ breach portal, the so-called “wall of shame”. A data breach could be devastating to your practice.
Because we rely very heavily on technology to keep things going in business, and pretty much our entire lives, cybersecurity is one of the most important challenges we face in medical and dental practices today.
A ransomware attack can have an extremely negative impact on your practice. Not only can it hold you back from running your daily operations, but it can put your patients’ personal information at risk. Additionally, your practice could incur compliance fines and a devastating loss of business.
The right level of protection starts with choosing the right managed IT service provider. Download our interactive checklist to help you start your search today.