Ransomware is Serious Business
Ransomware is serious business and it continues to proliferate throughout the world. In particular, hackers have focused intensely on the Healthcare industry. This is due to several factors, including but not limited to:
- Value: A medical record is worth over 7x that of a credit card number on the black market.
- Availability: Providers particularly have done a poor job of securing their IT infrastructure as they have moved to electronic records. The problem is now the records are potentially available to millions of people with a simple security exploit, versus having to break into a building to access a paper chart.
- Security: As mentioned above, security has consistently been an after thought as providers have implemented EHR without considering the serious security implications and therefore committing the financial resources to the solutions.
- Maturity: The healthcare industry is less mature than other compliance related industries such as banking, finance and government generally in IT and specifically in IT security. The lack of maturity, combined with the other factors leads to a general lack of understanding, awareness and training.
The hackers are keenly aware of these issues, and understand how to exploit the end users who have access to data. They also understand the weaknesses in security and how to both exploit the social backdoors that can then exploit the security backdoors. Some of these include simple items such as users having administrative credentials to their local computers, thus allowing a hacker to fully control and exploit the workstation.
Linked here is a great document put together by OCR on Ransomware. We strongly suggest reading this, and utilizing it for training with your staff, leadership and physicians:
Additionally we cannot stress enough how critical it is to subscribe to our compliance services which include:
- IDS services on firewalls
- Advanced content filtering controls for internet usage
- Outbound data loss/leak prevention for email messaging
- Outbound email "safe transfer" services for email messaging
- Implementation of, and ongoing development of, IT Security Policies and Procedures that comply with the HIPAA HITECH Security Act, and specifically the security rule
- Annual IT Security Risk Assessment process
- Ad-hoc Compliance Consulting Services
New services being added for future clients, and can be added for existing include:
- File integrity monitoring for file servers and access
- Database integrity monitoring for database tables and records
- System event and event log management & monitoring for servers
Contact and talk to your vCIO to understand your services and what you should be doing, if you are not today.