Guest author Roman Diaz, Touchstone Compliance Dec 2015
Imagine this. You arrive at your healthcare practice ready to start the day. Before your first appointment, you turn on your computer expecting to answer a few emails. But instead of the icons that usually dot your desktop, you see something very different: a large, ominous-looking photo of a lock. And next to it, a note telling you all your files have been locked and encrypted.
The encrypted files can only be unlocked by a unique private key that is safely stored on our server till midnight 9/31/2015. If the key is not obtained before that moment is will be destroyed and you will not be able to open your files ever again.
Obtaining your unique private key is easy and can be done by clicking on the payment tab and paying the bitcoin amount specified to the wallet address created for you.
You stare at the screen, realizing your computer hasn't simply been hacked. It's been kidnapped. Virtually. And the personal health information of all your patients — information they and you depend on — is being held hostage.
You are the latest victim of "ransomware," a type of malware that restricts access to the system it infects and demands payment in order for the restriction to be removed. But given the nefarious nature of the perpetrators, there is, of course, no guarantee that even if you pay the demanded amount you'll be able to access your files again.
Ransomware crept on the scene in a major way in 2012 and by 2013 had infected more than a quarter million computers worldwide.
And as security companies work to find ways to outsmart the "computerknappers," ransomware continues to evolve and its creators continue to look for targets that are less-than-prepared for their onslaught.
Targets like the healthcare industry.
1. Alert law enforcement.
2. Turn off your infected computer immediately and disconnect it from the network it's on. This is important because a single infected computer can infect your whole network.
3. Decide whether or not to pay the ransom. Most experts advise against this for two reasons: 1.) There's no guarantee the hackers will release your data once they have your money and 2.) Paying the ransom provides additional incentive for this kind of thing to flourish.
In the first months of 2015, 80% of all calls to Symantec, a company that sells software to defend against such attacks, came from health organizations. Many healthcare organizations have been less-than -vigilant when it comes to HIPAA compliance and protecting the privacy and security of health data. The "bad guys" know this. And that's why they've started focusing their attacks on "easy marks" — like doctors in private practice.
One of the main ways hackers attack is by using sneaky tricks to get a person to download a file or open an attachment. Sometimes they'll send fraudulent emails from places like utility companies or banks. Emails carefully designed to look legitimate. Other times they'll use social media to pose as someone in your contact list. Someone you know and trust. "Check this out!" a friendly message will say, urging you to click a link. And when you do, they're in.
If you find that you've been infected, there are solutions from anti-virus vendors that might — might — be able to penetrate the "armor" of ransomware and retrieve your data. If you're lucky.
But the best defense by far can be found in these three little words: Back. Up. Everything. Make sure you do it every day. And also make sure your backed-up files go onto a separate hard drive that is completely disconnected from you main PC or network.
Backing up your files to the cloud is another option. It provides the same level of protection as daily "in-house" back-up. It's convenient, yes, but the downside is that it's more expensive over time than an external hard drive.
© Darnall Law Office 2015