February 12, 2019
Fighting Back Against the Ransomware Threat in Health Care
Healthcare, with its troves of valuable patient data, is the No. 1 target. Personal health information is 10 times more valuable than data stolen from other industries on the black market.

Words like hacking and ransomware are probably too benign-sounding when what we’re really talking about is extortion, blackmail and grand larceny. But they’ve become big business and they’re getting bigger.

The bad news is you’re the target. The worse news is that the situation is getting worse.

Not only are these criminals often thousands of miles offshore and virtually untouchable by law enforcement, but they no longer even require sophisticated computer skills. Thanks to “ransomware-as-a-service (RaaS)” providers operating on the dark web, any mildly ambitious miscreant can become a threat. That’s right. For a mere $39, or perhaps a percentage of the profits, just about anyone can get into the crime business.

And not surprisingly, healthcare, with its troves of valuable patient data, is the No. 1 target. In fact, according to Chubb, personal health information is 10 times more valuable than data stolen from other industries on the black market. It’s no wonder that 38% of “cyber incidents” in the last 10 years have targeted healthcare, Chubb reports, far more than any other sector.

It’s daunting, but you’re not helpless. There are steps you can—or must—take to protect yourself and your organization. The software company Digital Guardian recently asked 44 security professionals and business leaders how best to guard against ransomware attacks. The lengthy list of suggestions and admonitions they provided can be found here. Here are some of the more common and pointed suggestions:

  • Repeatedly educate and train employees. Security awareness training should be given on a regular basis, says Lyle Liberman, of IT security firm Janus Associates. “Studies have shown that the effectiveness of training is long forgotten after 90 days, so it is important to keep reminding your team in short 15-minute sessions of the do’s and don’ts of good cyber hygiene.”

“Most ransomware is delivered by spear phishing,” says Steven Weisman, an expert in scams, identity theft and cybersecurity. “Have an ongoing education program for all employees about how to recognize and avoid spear phishing.”

  • Diligently back up all data and know the related pitfalls. Backup files can also become completely encrypted [by ransomware] if you back up everything and replace the previous backup, says Aviv Raff, of Seculert, an attack detection and analytics platform. “With this in mind, you should do incremental backups (or keep previous versions), and keep the backup in locations with no immediate access (e.g., the cloud).”

“While most businesses think they’re backing up data, many may not be aware how ineffective their backup programs are,” says Adrienne Johnson, an IT veteran. “Since ransomware encrypts data on all attached and mapped drives, including mapped cloud storage and USB flash drives, these must be backed up as well.” Be wary of tape backups, she adds: “While the actual percentage is disputed, it is widely accepted that tape backups have a significant failure rate.”

Always verify the integrity of your backups, adds Greg Kelley, of Vestige, Ltd. “If you are just relying on your backup program to tell you it worked properly, you’re setting yourself up for a big disappointment. The only way to know that you have good backups is to restore some of the data.”

The best defense, says Weisman, “is to back up all of your data each day. In fact, my rule is to have three backup copies, using two different formats with one offsite.”

  • Don’t rely on employee-generated passwords. “The most popular password in the world is 123456,” says Steve Manzuik, of Duo Labs. “Passwords are easily guessed and easily bypassed,” he adds. “Instead, use a password manager that automates the generation of complex passwords and stores them so memorization is no longer an issue.”

Require strong passwords for company databases, agrees Cosette Jarrett, of Keeping track of strong passwords is difficult, she adds, but worthwhile. And PC World offers a guide to help employees securely store them.

Pondurance co-founder Ron Pelletier suggests setting up multifactor authentication systems that require, for example, passwords, fingerprint scans and randomly generated tokens from an application like Google Authenticator.

  • Restrict privileges. “Any given account should have the least amount of privilege required to perform appropriate tasks,” says Jeffery Lauria, of iCorps Technologies. “All users, including IT admin personnel, should log in using a non-privileged account, and escalate privilege as needed using a secondary account… The key to this concept is that malicious software most often runs using the privilege level of the currently logged in user. If that user is an admin, so is the malicious software.”

Ray Walsh, a journalist and blogger, agrees: Staff should be “given the least authority in company systems as is possible,” adding that it’s also advisable to ban staff from going on unnecessary web pages.
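For the backup advice above (prove a backup by restoring some of the data rather than trusting the backup program's own report), here is an added example, not from the original article or any vendor it names. It records a SHA-256 manifest at backup time and checks a random sample of restored files against it; the function names, file names and file contents are assumptions constructed for illustration.

```python
import hashlib
import random
import shutil
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(source_root):
    """Record relative path -> SHA-256 at backup time; keep it apart from the backup."""
    root = Path(source_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore_test(manifest, restored_root, sample_size, seed=None):
    """Compare a random sample of restored files against the manifest."""
    names = sorted(manifest)
    sample = random.Random(seed).sample(names, min(sample_size, len(names)))
    result = {"ok": [], "missing": [], "mismatched": []}
    for name in sorted(sample):
        restored = Path(restored_root) / name
        if not restored.is_file():
            result["missing"].append(name)
        elif sha256_file(restored) != manifest[name]:
            result["mismatched"].append(name)
        else:
            result["ok"].append(name)
    return result

def demo():
    """Constructed data: three files, one lost and one altered after backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "source"), Path(tmp, "restored")
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "a.txt").write_text("visit notes A")
        (src / "charts" / "b.txt").write_text("visit notes B")
        (src / "billing.csv").write_text("id,amount\n1,40\n")
        manifest = build_manifest(src)
        shutil.copytree(src, restored)        # stands in for a real restore job
        (restored / "billing.csv").unlink()   # a file the backup never captured
        (restored / "charts" / "b.txt").write_bytes(b"\x8f\x02\xd1")  # overwritten copy
        return restore_test(manifest, restored, sample_size=3, seed=1)

if __name__ == "__main__":
    print(demo())
```

Any entry under `missing` or `mismatched` means the restore did not reproduce what was backed up, which is the failure a backup program's success message can hide.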

To pay or not to pay?

One other piece of advice from the experts: If you still get compromised, don’t pay unless you have absolutely no other choice.

Citing a report from Symantec, John Simek, of Sensei Enterprises, says that fewer than half of those who paid ransoms in 2017 actually got what they were paying for: a working decryption key. “And there’s no toll-free number for customer support,” he adds.

“Do not pay the ransom,” agrees Paul Kubler of Lifars. “The reason criminals keep utilizing this form of blackmailing attacks is that people keep paying.”
