Meghan parks her car in the same parking spot she has parked in every day for the last three years. The icy, cold wind blows outside her car as snow falls in thick chunks on her windshield. Tucking her coat tighter around her, she quickly exits the car and makes the three-hundred-foot walk into Jacob Medical Center. Once inside, she shakes off the snow coating her hair and goes about turning on her computer for the day. A few minutes later she sits down with a newly brewed cup of coffee to warm the chill out of her fingers. Checking the day’s schedule, she begins to pull up the medical charts for the day’s patients. An error message blinks across her screen: “file not found.” Frowning, Meghan tries again. The same message flashes irritatingly at her. “This day is starting off well,” she mutters. She sighs as she restarts the computer. She has nearly finished her coffee by the time the computer boots back up. Going through the steps again, she gets the same error message. In frustration, Meghan tries another patient’s chart, but gets the same message.
Meghan’s uneasiness begins to build. She tries different patient records at random, yet the infuriating “file not found” continues to blink its way through her early Monday morning. Exasperated, Meghan calls the clinic’s local IT company to come out and check the system. “I think there is a virus on the network,” she tells them over the phone. She then cancels all the early appointments, rescheduling them for the next day in the hope that the system is sorted out by then.
A few hours later, Zach the IT guy arrives and begins diagnosing the system. Meghan waits patiently as he works. A small chat box blinks onto her screen. Curious, Meghan leans in to read the text:
“We have all your data. We will release it to you when you
send 5 million dollars in bitcoin to this account #*******.
You have 24hrs.”
Zach curses and runs his hands over his face. “What does that mean?” Meghan asks. “It’s a joke, right?” Zach shakes his head as he taps the keyboard to no avail. “It looks like your system has been hit by ransomware. We need to contact whoever is financially in charge of your facility,” he says, leaning back and looking tired, even though it is only 8 a.m.
“Okay,” Meghan says. She reaches for the phone but is still confused. “But what does that even mean?”
Zach looks at her grimly. “It means that if your bosses don’t pay them their money, all of your patients’ medical records could be gone for good.”
A cold chill sweeps over Meghan, as if the winter storm had finally broken in…
Too Close To Home.
Meghan is a fictitious character. However, her story is playing out daily across the globe, not just in businesses but also in medical facilities and hospitals. Many different “Meghans” are encountering this new horror in their own ways, as doctors, nurses, and even patients. They wake up one morning and find that their ability to care for others, or to be cared for accurately, has been stolen from them in a matter of hours.
Ransomware attacks on medical facilities have been increasing every year at an alarming rate. These attacks cripple the ability of hospitals and medical centers to provide care for patients. In many ways, ransomware operators are as much of a public health risk as the recent pandemic has been. When medical facilities and hospitals cannot access vital patient records, patients are left vulnerable. During the COVID-19 season, cyber criminals seized the opportunity to attack medical facilities and hospitals already overwhelmed by the burden of the pandemic. Phishing emails and ransomware downloads slipped through unnoticed in many facilities.
Even though these attacks were already taking place before COVID-19 began, the increase over the last year has brought to light the serious gap in cyber security at many medical facilities. Though law enforcement works to prevent or catch these cyber criminals, the best avenue for prevention is better cyber security at each medical hospital or facility.
In our first blog of this series, we discussed steps to becoming HIPAA compliant. Those first steps are to identify and protect your devices and the information that moves throughout your facility. Defense is much easier to accomplish than recovery, so the next steps are detecting an attack and responding to it.
Detection.
There is an ever-evolving array of ransomware and malware circulating in the cyber-criminal world that constantly keeps us on our toes. Keeping your systems up to date is required to ensure that malware in any form doesn’t break through and destroy a medical facility’s systems.
Network Expectations.
Once you have an established MSP, you will begin to lay out what activity should be expected on your systems. What do daily operations look like? What should and should not be happening on the system? Who should be logging in, who shouldn’t be, and why?
These simple baselines establish a picture of what is normal. That way, if something happens outside those routines, however small it may be, it can be quickly investigated.
Events.
If an occurrence is detected outside of what the baseline expects, it should be fully pursued and investigated to confirm whether it is a threat. If it is a threat, it must be permanently removed from the system as quickly as possible.
Soon after, steps should be taken to ensure that access credentials and permissions are reviewed and updated once again.
Impact.
If it is discovered that the occurrence has had a security impact, then measures must quickly be taken to ensure that any missing or corrupted data is logged and restored (if possible). Persons who have been impacted should be contacted so they can also take steps to confirm that their data has not been corrupted.
Security measures should be taken immediately to reestablish proper protection so that no further corruption can occur.
Monitoring.
On-site and personal activity within the systems must be monitored consistently to detect possible occurrences.
All unexpected connections or unauthorized software installations should be monitored throughout the network.
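The baselines described under Network Expectations and the monitoring of unexpected logins and unauthorized software installs above can be expressed as a simple check. This is an added illustration, not the blog’s or any MSP’s tooling: the account names, hosts, approved software list, and the event line format are all constructed assumptions.

```python
from datetime import datetime

# Constructed baseline (hypothetical accounts): normal working hours and expected hosts.
BASELINE = {
    "mrivera": {"hours": (7, 18), "hosts": {"frontdesk-01"}},
    "dr.chen": {"hours": (6, 20), "hosts": {"exam-03", "exam-04"}},
    "backup-svc": {"hours": (0, 24), "hosts": {"fileserver"}},
}
APPROVED_SOFTWARE = {"ehr-client", "pdf-reader", "av-agent"}

# Constructed sample events, one per line: timestamp|type|account|host|detail
SAMPLE_EVENTS = """\
2024-01-15T07:55:00|login|mrivera|frontdesk-01|ok
2024-01-15T02:13:00|login|mrivera|frontdesk-01|ok
2024-01-15T09:02:00|login|dr.chen|exam-03|ok
2024-01-15T09:40:00|login|tempuser|fileserver|ok
2024-01-15T10:05:00|install|dr.chen|exam-03|pdf-reader
2024-01-15T03:11:00|install|tempuser|fileserver|remote-tool
"""

def check_event(line):
    """Return the list of reasons this event falls outside the baseline (empty if normal)."""
    ts, kind, account, host, detail = line.split("|")
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    profile = BASELINE.get(account)
    if profile is None:
        reasons.append("unknown account")
    else:
        start, end = profile["hours"]
        if not start <= hour < end:
            reasons.append("outside normal hours")
        if host not in profile["hosts"]:
            reasons.append("unexpected host")
    if kind == "install" and detail not in APPROVED_SOFTWARE:
        reasons.append("unapproved software")
    return reasons

def find_anomalies(text):
    """Map each event line that breaks the baseline to its reasons; normal events are omitted."""
    out = {}
    for ln in text.splitlines():
        reasons = check_event(ln)
        if reasons:
            out[ln] = reasons
    return out

if __name__ == "__main__":
    for ln, why in find_anomalies(SAMPLE_EVENTS).items():
        print(ln, "->", ", ".join(why))
```

Each flagged line is an item for the investigation step described under Events; the clean lines (in-hours logins from expected hosts, installs of approved software) generate no noise.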
Accountability.
Accountability will be the most important step in not only ensuring you are HIPAA compliant, but also establishing trust with your clients.
All members of staff must keep their personal and work security as a top priority. Staff members should never give login information to other staff members. Keeping personal logins up to date and being aware of phishing scams that may come through their personal inbox is key to a facility’s security success.
Always Updating.
Creating a structured security schedule will help keep your access controls up to date and secure. Every staff member should be updating their passwords and reviewing their account access every ninety days.
Respond.
What happens when a breach is made or when malware is detected in the system? How do we respond with quick and efficient actions?
Roles.
Ensure you’ve trained your staff for their roles within the process should an occurrence appear on a large or small scale.
Report Events.
Even for a small event, all staff members should know whom to report to if something occurs. Keep direct communication lines open so team members can communicate effectively during an event or when they suspect one.
Overall Impact.
Communicating with team members and clients when serious breaches happen is essential. All those impacted should be made aware and given the appropriate instructions on how to respond.
Improvement.
Once an occurrence has happened, upper management will need to prioritize communication and training.
Once vulnerabilities are discovered within the facilities, new security protocols will need to be established or reestablished among staff. All staff should be kept up to date regarding new security protocols and breach information. An informed staff is the most secure staff.
Moving Forward.
There is never an easy way to prevent an attack or to detect one. However, when we put the work and sweat into investing in our staff members and clients, we come out stronger on the other side.
As we move forward, how do we protect ourselves? How do we know we are staying within the security boundaries of HIPAA?
As we mentioned in our last HIPAA blog, finding a strong MSP to help you through this journey is extremely important. You want a company that spends its time learning the ins and outs of what hackers will try and how they think. Let’s remember the three vital things an MSP can bring to your facility:
Enhanced Security.
This can look like data backups and recovery plans, should anything go wrong.
24/7 Monitoring.
Have an eye in the sky at all times – monitoring your systems constantly will help detect threats sooner and prevent big catastrophes.
Financial Security.
Ransomware attacks are a common threat that many medical facilities face. Millions of dollars of financial loss can happen due to an attack. Budgeting an MSP into your security will likely save you millions of dollars should you ever face an attempted ransomware attack. In the long run, medical facilities are less likely to face a large payout when using an MSP.
The security a solid MSP can offer you will be priceless in a world full of cyber criminals. MSPs are the experts in the technical world we live in today. If you’re looking for help in building a cyber security plan for your medical facility, contact us at DataCom Technologies through our website contact form here!