Privacy and security series, part 3: Prevent ransomware from holding your organization hostage
For the second year in a row, cyberattacks were the leading cause of data breaches in healthcare, according to the Ponemon Institute’s recently released “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data.”
Ransomware, malware and denial-of-service (DoS) attacks are the most common and fastest-growing cyber threats facing healthcare organizations, according to the study. No single control eliminates the risk, but a rigorous and consistent program of employee training, phishing testing and prompt IT system updates substantially reduces the likelihood that an attack succeeds.
Increase in cyberattacks led by ransomware and DoS
Most ransomware attacks, in which cybercriminals encrypt an organization’s data and demand payment to restore it, begin with an employee clicking a malicious link in an email or opening a malicious attachment. That action installs malware that encrypts files on the computer and on any servers or shared drives it can reach, rendering the data inaccessible.
The malware then displays a ransom note demanding payment, frequently in bitcoin, in exchange for the decryption key. Cybercriminals are aided by a “dark web” presence, where they can partner with other criminals to execute attacks.
Because data drives safe and effective healthcare decisions, organizations often pay the ransom when operations are crippled. Paying, however, does not settle the compliance question: a ransomware infection that encrypts protected health information may also constitute a breach, although not all organizations have been reporting these attacks to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).
Educate staff and implement safeguards
OCR is currently working on guidance for responding to and reporting ransomware, but there are three essential steps healthcare organizations should take today to help avoid becoming a victim:
- Education: Train employees about the threat of ransomware: not to click suspicious links or open unexpected attachments, not to plug in unknown USB drives, and to report suspicious emails promptly.
- Testing: A once-a-year phishing exercise is not enough to prevent the next attack. Simulated phishing tests should be repeated continually, at random intervals and without advance notice, to measure and drive employee compliance with security policies and procedures.
- Updates: Follow recommended IT-management practices, including applying operating-system and application patches, anti-virus signature updates and other security tool updates as soon as they become available.
At MRO, we seek to mitigate breach risk from all angles, from our Quality Assurance-infused Protected Health Information (PHI) disclosure management workflow to ensuring our staff is properly trained to avoid cyberattacks. Training quality is ensured through MRO Academy, our rigorous and required online educational and testing platform, which covers the most up-to-date HIPAA regulations and Release of Information (ROI) requirements at the federal, state and facility level.