Ransomware is a type of malicious software that hackers use to attempt to generate profit by encrypting files then demanding payment to decrypt them; typically spread through email by tricking a user into opening an attachment or clicking a link to a malicious website. Most ransomware infects systems through “spam, phishing messages, websites and email attachments,” according to the Office of Civil Rights.
Make sure you have a plan and are doing everything you can to protect yourself and your practice from ransomware. If a ransomware attack is suspected, affected dental providers are required to investigate the scope and source of the incident, document their findings and take appropriate action if data is compromised. The Federal Bureau of Investigation (“FBI”) encourages all victims of ransomware attacks to notify their local FBI office or submit a notification through the Bureau’s Internet Crime Complaint Center.
Regarding ransomware and dental practices, prevention (and education and awareness) is the best defense. Take steps and develop strategies to protect your practice because there’s a good chance an attack will occur. The following takeaways can help build a defensive strategy to protect against a ransomware attack.
- Maintain secure backups
Back up your critical data regularly off network. If the backup data is in the same network (or not secured) and a ransomware attack reaches all the systems in your network then the backups get encrypted as well. Having your backups under ransom is as good as not having backups at all.
- Advanced email scanning
Ransomware hackers are crafting new, zero day (brand new) attachments and phishing hacks to get into your systems. Email is the easiest way into your network and is commonly the least secured. Services like MimeCast give robust attachment transcription and more advanced virus and phishing filtering to help protect your end users.
- Create a response plan
Knowing what to do is critical if and when an attack happens. You’ll want to have phone numbers handy, know where those secure backups are and how to get to them so you can recover quickly and efficiently. Ensure that the plan is written down and printed out.
- Staff Training
The most important security measure is end-user training. End users need to know about:
- Email attachment safety. Be suspicious of any attachments and only open if they’ve been screened by a third-party filtering solution.
- Clickable URLs: Never click hyperlinks (URLs) contained in emails. If you feel that the email is legitimate then simply navigate to that location manually in your browser. Phishing emails that contain deceptive web addresses are an easy way to get ransomware into your network.
- Social engineering: Beware of people (physically) interacting with your computer systems, as well as attempting to extract data from you over the phone pretending to be someone they are not. Require identification for anybody working on critical data systems in your office.
There is a lot more information on how to protect your practice from ransomware on the internet – just make sure the sites you’re visiting are credible in nature and not some type of scam themselves. The ADA and U.S. Department of Justice have information on their sites that can give you additional, credible information about online security. Take the time to review this information carefully and protect yourself and your practice. The investment made today could not only prevent your patients’ health information from being illegally disseminated, but it could also save your practice a ton of headaches as well as money down the road.
Steve Godfrey is CIO for Vyne including NEA, Powered by Vyne, where he leads the security and compliance team.