Ransomware continues to impact the dental community. We have seen the types of attacks escalate from individual practices to attacks through the providers of IT services. In most cases, these attacks are for extortion purposes. However, hackers are getting frustrated when these attacks fail to produce income for them, and this is causing them to escalate their attacks.
Recently, several companies were attacked and did not pay the ransom for various reasons. They thought they were in the clear. However, the hackers created a website with a "list" of all the companies that failed to pay. The list also contained several files from Microsoft Office, including Word files and PDF files. This makes the incident a "data breach."
A breach under the Health Insurance Privacy and Portability Act Omnibus Rule of 2013 means the acquisition, access, use, or disclosure of protected health information in a manner which compromises the security or privacy of the protected health information. Practices are required to conduct a forensic investigation to determine whether any information was "viewed or exfiltrated," the probability that data were compromised in a way that could impact the security or privacy of their patients, and how the attack occurred and what processes were involved. Most importantly, the investigation must identify whether information was viewed or, even worse, taken.
The fact that attacks may result in documents containing protected health information showing up on hackers' websites means that practices need to be proactive in their response to these attacks. The time to plan for this type of event is now. Planning ahead of time can minimize the impact that these attacks can have on the financial stability of the practice and its reputation.
So what steps can a practice take now to prepare?
Every practice should have a written plan to respond to a cyberattack as well as other potential disasters that could impact a practice. This plan should detail how to respond and, most importantly, how to recover from a disaster, including a cyberattack.
Conduct a risk analysis, which can identify potential risks that could adversely impact the practice.
All team members need security awareness training on your practice's security policies. Teams should be educated on how phishing emails, spam, and other potentially malicious software can result in an incident. Teams should also be trained on how to respond to an incident.
Use multifactor authentication, especially on email accounts and MS Office; restrict user privileges; patch applications and operating systems; whitelist applications and devices; and monitor all network activity.
Also, back up, back up, back up.
When a cyber incident occurs, it is important not to panic but rather to refer to your disaster plan. Be prepared for the possibility that you may not be able to get assistance from your IT partner. Create a response team. Navigating through a ransomware attack can be emotionally straining. Having a plan to quickly respond is critical and enables a faster recovery time and reduces stress.
Ransomware attacks will continue, and hackers have shown they are stepping up their game. This means practices must step up theirs to stay off the hackers' list.
Debi Carr is the CEO of DK Carr & Associates, a technology, compliance, and security consulting firm. She is a consultant and speaker and has more than 30 years of experience in technology and security.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.