May 11 2020

5 Ways to Defend Your Medical Practice Against Ransomware

Fallout from a breach is far more than financial. Providers must consider a range of worst-case scenarios and guard themselves against evolving threats.

Ransomware poses an extreme risk to healthcare systems with lackluster cybersecurity defenses. In April 2019, a small, physician-owned practice in Michigan learned the hard way.

After the organization declined to pay a $6,500 ransom demand, attackers wiped the computer systems clean — destroying all patient records, appointment schedules and financial information. Faced with the monumental task of rebuilding the entire practice from the ground up, the proprietors instead chose to close the business.

Large or small, healthcare providers nationwide find themselves in the crosshairs of ransomware attacks on a regular basis. Although few will shutter as a direct result of an attack, many suffer significant damage that consumes resources and affects care.

The aftermath of a security breach disrupts operations, jeopardizes a provider’s reputation with patients and creates legal exposure that may require the involvement of regulatory agencies.

Let’s take a look at five ways that healthcare providers can proactively address this risk to avoid falling victim to a ransomware attack.


1. Protect Against the Possibility of Infection

The old medical adage that “an ounce of prevention is worth a pound of cure” applies not only to the health of patients but also to the health of digital information systems.

Modern cybersecurity software provides robust protection against ransomware and many other types of malware that might affect a provider’s computer systems. Installing and maintaining modern anti-virus software is the most important step that providers can take to prevent a devastating ransomware attack.

It only takes a single out-of-date system to serve as the launching point for an attack against a provider’s entire network. Take the time to verify that every system in the organization has anti-virus software installed and is receiving daily updates to protect against the most recent threats.

Better yet, install a centralized monitoring solution that can report systems that fall out of compliance for further investigation.

2. Back Up Your Data Often

The most crippling ransomware attacks have outsized impact because providers lack the technical means to recover their data in the wake of an attack.

Performing regular backups of critical records makes a provider resilient not only against ransomware attacks but also against technical failures, natural disasters and other risks that might damage information systems.

$15 million: average mitigation cost of a healthcare data breach in the U.S. (Source: Ponemon Institute/IBM Security, 2019 Cost of a Data Breach Report, July 2019)

If a provider conducts routine backups, a successful ransomware attack becomes an annoying nuisance instead of an existential threat.

Modern backup technology makes the process as simple as purchasing an account with a cloud backup provider and configuring software to perform regular backups. Backup software incorporates strong encryption to protect files from prying eyes and allows the rapid recovery of patient records in the wake of an attack or human error.

3. Assess Risk on a Regular Basis

Cybersecurity is not a one-time project. While providers may invest significant time and energy in an initial project designed to bring operations up to current best practices, they must also treat security as an ongoing responsibility.

After all, threats evolve and business practices change, introducing new risks and security solutions. Providers should schedule annual risk assessments designed to identify new vulnerabilities and implement controls to address them.

If the provider’s IT staffers have expertise in security, they may conduct these assessments in-house. Consulting firms offering assessment services may also be called on to create a point-in-time snapshot of an organization’s cybersecurity status.


4. Consider the Need for Insurance Coverage

Cybersecurity risk insurance policies offer providers peace of mind that they’re protected against the financial impact of a ransomware attack or other cybersecurity incident. These policies kick in when an organization suffers a breach and provide access to subject matter experts as well as the financial resources necessary to respond to a serious situation.

Providers considering a policy should consult an attorney and carefully read the policy’s detailed provisions.

Watch for exclusions that limit the insurance carrier’s liability in the event that the provider is found to be in breach of HIPAA or other security regulations: Aggressive auditors can almost always discover a compliance failure that might render a policy invalid in the wake of a breach.

5. Create a Robust Response Plan

Every organization should have a cybersecurity incident response plan that outlines the steps that the organization will follow during a security breach.

Comprehensive plans describe procedures for identifying incidents, containing the damage, eradicating the effects of the incident and recovering normal operations.

They should also include after-action procedures that help incorporate the lessons learned during an incident response effort into both the organization’s ongoing cybersecurity program and its response to future incidents.

Providers seeking an incident response starting point should consult the Computer Security Incident Handling Guide from the National Institute of Standards and Technology. This free publication is widely considered the authoritative reference for incident response teams in both the government and the private sector.

Incident response efforts also benefit from the involvement of skilled professionals. Consider engaging an incident response firm in advance so that it is ready to assist in the event of a security breach. CDW offers free incident response retainer agreements to healthcare providers and other organizations.

Ransomware is a serious risk to the ongoing viability of medical practices. An untimely attack can have devastating consequences for an unprepared provider. By following cybersecurity best practices, organizations can reduce the risk of a successful attack and limit the damage if threat actors do strike.

