Healthcare Is the #1 Ransomware

By Dr. John Flucke

 

If you’ve followed the news for the past two years, you’ve heard the term over and over again: Ransomware. As infections from the pandemic have receded, infections from ransomware have increased. Whether it’s due to the tremendous number of employees working from home or just a coincidence, the number of ransomware infections in businesses has increased exponentially. Even prior to COVID-19, ransomware infections were on the rise, but now they seem to be everywhere.

In the last six months, we have seen ransomware attacks on thousands of companies that have paid tens of millions of dollars in ransom. Healthcare has grown to the number one ransomware target and this problem is one that I feel obligated to warn my peers about. Although it did not initiate a major news response in the U.S., the state healthcare system of Ireland was attacked on May 14th and knocked offline for a significant amount of time and is still recovering.

U.S. healthcare providers have been doubly hit as the federal government has stated that a ransomware data breach is considered a reportable data breach, which might create a massive HIPAA violation with fines and legal liabilities. A data breach can be a catastrophic event for a dental practice. Paying the ransom does not guarantee that the files totally decrypt. Stories abound of people paying ransom who are still left with massive data loss.

A private dental practice cannot afford to lose all their data, close for weeks and expect to survive. In most cases, the criminals are lurking in the network for days or weeks before triggering the encryption. This time allows them to place the encryption software on removable drives connected to the network, so even a good backup stored at the doctor’s home is sometimes not adequate protection.

How Do You Prepare for a Ransomware Attack?

Plain and simple, the days of trusting your backup procedures to a non-IT professional are over, and in fact, my advice is to trust your backup procedures to an IT professional whose specialty is backups. Like healthcare, IT is now divided into subspecialities with experts in different disciplines.

These experts know the hardware firewall (a must) and antivirus software (another must) that will best fit your practice and your network. The other critical piece is a HIPAA Risk Assessment. This assessment is not only a requirement under HIPAA laws but will point out weak spots in your infrastructure and network settings. A good backup vendor will be able to provide all these things.

I look upon the expenditures in this area of business operations as insurance. Protecting your data is no longer a “good idea,” it’s required by law. The money you spend for protection is money well spent. The amount spent for security is tiny compared to revenue lost and money paid to recover from a breach. While no system can completely eliminate risk, having a well thought out and implemented IT security plan can make it much more difficult for someone to get inside your network.

 

---

---