Prepared medical staff key to stopping ransomware

Medical Economics Journal, Medical Economics August 2021, Volume 98, Issue 08

What if your smartest, most trusted employee turned out to be the person who unintentionally sabotages and destroys your practice? This unfortunate turn of events can occur when physicians and medical employees are not trained to prevent stealth attacks by cybercriminals who use fake emails and other tactics to access a company’s data and hold it hostage until ransom demands are met.

Health care is particularly vulnerable to this type of cybercriminal activity, which shows no signs of slowing down. In recent years, ransomware attacks have frozen patient data in medical facilities from Hollywood to London and around the world.

Because ransomware attacks and data breaches can severely damage the reputation and bottom line of a medical practice, it is critical to develop a cybersavvy staff. To achieve that goal, health care employees must learn to recognize the security risks that can lurk in ordinary activities such as accessing email, viewing social media images or setting passwords. Here are a few approaches to arming employees with the tools they need to defend themselves from hackers.

Simulate scams

Cybercriminals rely heavily on phishing scams that use fake email to lure unsuspecting employees into opening messages or clicking on links that serve as pathways for malware to infect computer systems. Once this happens, hackers can lock up a computer network and make ransom demands, or steal sensitive personal health information.

One way to deflect this type of attack is for medical practices to conduct their own simulated email phishing scams to expose employees to common cybercriminal ruses. Arthritis and Rheumatism Associates in Maryland conducted one such exercise and found that approximately 15% of the company’s employees fell for the scam.

Significantly, neither the number of years on staff nor the job title of the employee made a difference in those results; both physicians and nonclinical staff failed the test. In response, administrators required employees to complete a training module to learn how to avoid the problem. To keep pace with constantly evolving cyberthreats, managers can repeat this type of simulation and provide staff members with updates on the latest digital dangers.

Safeguard social media

In addition to spreading ransomware through spearphishing, cybercriminals are also transmitting it through images and graphic files shared on Facebook or LinkedIn. Preventing this type of infiltration requires employees to be vigilant about avoiding infected downloads. First, everyone on staff needs to know that social media websites should be able to display photos or images without the user having to download anything.

If a user clicks on a social media image and the browser starts downloading a file, the file should not be opened. Other files that should not be downloaded or opened are those with unusual extensions such as .svg, .js or .hta rather than common image extensions like .jpg or .tif. In short, whenever engaging in digital communication, whether through social media or email, no one should download attachments from unknown individuals or sources.
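The rule above (a picture should never arrive as a script file, and a file that calls itself an image should actually contain image data) can be checked mechanically before a downloaded file is opened. The following is an added example written for this article, not code from the author or from HIPAA Secure Now!; the extension list and the sample downloads are constructed for illustration, and the file signatures are the standard headers of the JPEG, PNG, GIF and TIFF formats.

```python
import os
from typing import Dict, Tuple

# Extensions the article calls out (.svg, .js, .hta) plus a few other common
# script/executable types. Constructed, non-exhaustive list for this example.
RISKY_EXTENSIONS = {".svg", ".js", ".hta", ".exe", ".scr", ".vbs", ".jse", ".wsf"}

# Standard leading bytes ("magic numbers") of common image formats.
IMAGE_SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".tif": (b"II*\x00", b"MM\x00*"),
    ".tiff": (b"II*\x00", b"MM\x00*"),
}


def last_extension(filename: str) -> str:
    """Lower-cased final extension, e.g. 'photo.jpg.js' -> '.js'."""
    return os.path.splitext(filename)[1].lower()


def classify_download(filename: str, header: bytes) -> Dict[str, str]:
    """Decide 'block', 'warn' or 'allow' for a download, given its proposed
    file name and the first bytes of its content."""
    ext = last_extension(filename)
    inner = last_extension(os.path.splitext(filename)[0])  # 'a.jpg.js' -> '.jpg'

    # 1. Script/markup/executable types are never a picture: block outright.
    if ext in RISKY_EXTENSIONS:
        reason = f"extension {ext} is a script or executable type, not an image"
        if inner in IMAGE_SIGNATURES:
            reason += f" (double extension hides it behind {inner})"
        return {"verdict": "block", "reason": reason}

    # 2. Claimed image type: confirm the bytes really are that format.
    if ext in IMAGE_SIGNATURES:
        if any(header.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
            return {"verdict": "allow", "reason": f"content matches {ext} signature"}
        stripped = header.lstrip()
        # An "image" whose content starts with markup or a script line is the
        # trick the article warns about.
        if stripped.startswith(b"<") or stripped.startswith(b"#!"):
            return {"verdict": "block",
                    "reason": f"{ext} file contains markup or script, not image data"}
        return {"verdict": "warn", "reason": f"content does not match {ext} signature"}

    # 3. Anything else arriving from an image click is unexpected.
    return {"verdict": "warn",
            "reason": f"unexpected type {ext or '(none)'} for an image download"}


# Constructed sample downloads: (file name, first bytes of content).
SAMPLE_DOWNLOADS = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("chart.tif", b"II*\x00\x08\x00\x00\x00"),
    ("funny-cat.jpg.js", b"var x = 1;"),
    ("logo.svg", b'<?xml version="1.0"?><svg'),
    ("photo.jpg", b"<html>"),
    ("invoice.hta", b"<html>"),
]


def review_downloads(samples=SAMPLE_DOWNLOADS) -> Dict[str, str]:
    """Map each sample file name to its verdict."""
    return {name: classify_download(name, head)["verdict"] for name, head in samples}


if __name__ == "__main__":
    for name, head in SAMPLE_DOWNLOADS:
        result = classify_download(name, head)
        print(f"{name:20s} {result['verdict']:6s} {result['reason']}")
```

The check deliberately uses the last extension, because Windows and most browsers decide how to open a file by that, and it reads the content rather than trusting the name, so a renamed script does not pass as a photo. The same logic fits an endpoint download filter or a mail gateway attachment rule, with the verdicts logged for the security team.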

Protect passwords

Passwords are meant to protect sensitive data from those who should not see it. These online gatekeepers are not always effective, however, because they may be too old or too easy for hackers to guess.

By following a few best practices for creating passwords, employees can strengthen this line of defense and possibly avoid a costly ransomware incident. One effective tactic is to set a password to expire after a certain amount of time, such as 90 days, at which point that password must be reset. In addition, a company can configure accounts to lock after five failed password attempts.

Once those attempts have failed, the account cannot be opened and must be reset by IT personnel. Employees can also be trained to create passwords that are complex enough to foil hackers yet easy for staffers to remember. For instance, the first letter from each word in a memorable phrase can be combined with numbers or punctuation marks to create a secure password.
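The three controls described in this section, a 90-day password age, a lockout after five failed attempts that only IT staff can clear, and the memorable-phrase method for building a password, are shown below as working account logic. This is an added example written for this article, not code from the author or from HIPAA Secure Now!; the account names, dates and the phrase are constructed, and the real password comparison is left to the caller so the class never holds secrets.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_FAILED_ATTEMPTS = 5                # article: lock after five failures
PASSWORD_MAX_AGE = timedelta(days=90)  # article: expire after 90 days


@dataclass
class Account:
    username: str
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AccountGuard:
    """Tracks failed logins and password age. The caller performs the actual
    password check and passes in the result (password_ok)."""
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def add(self, username: str, password_set_at: datetime) -> None:
        self.accounts[username] = Account(username, password_set_at)

    def password_expired(self, username: str, now: datetime) -> bool:
        return now - self.accounts[username].password_set_at >= PASSWORD_MAX_AGE

    def attempt_login(self, username: str, password_ok: bool, now: datetime) -> str:
        """Return 'locked', 'bad_password', 'password_expired' or 'ok'."""
        acct = self.accounts[username]
        if acct.locked:
            self.audit_log.append(f"{now.isoformat()} {username}: attempt on locked account")
            return "locked"
        if not password_ok:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self.audit_log.append(
                    f"{now.isoformat()} {username}: locked after {acct.failed_attempts} failures")
                return "locked"
            return "bad_password"
        if self.password_expired(username, now):
            return "password_expired"  # correct password, but a new one is required
        acct.failed_attempts = 0       # a successful login clears the counter
        return "ok"

    def it_reset(self, username: str, new_password_set_at: datetime) -> None:
        """Only IT personnel unlock an account; the reset also starts a new
        password-age clock."""
        acct = self.accounts[username]
        acct.locked = False
        acct.failed_attempts = 0
        acct.password_set_at = new_password_set_at


def passphrase_initials(phrase: str, suffix: str = "") -> str:
    """Article's method: first character of each word of a memorable phrase,
    combined with digits or punctuation supplied by the user."""
    return "".join(word[0] for word in phrase.split()) + suffix


def demo() -> Tuple[List[str], List[str]]:
    """Walk two constructed accounts through lockout, IT reset and expiry."""
    now = datetime(2021, 8, 1, 9, 0)
    guard = AccountGuard()
    guard.add("drsmith", password_set_at=now - timedelta(days=100))  # stale password
    guard.add("frontdesk", password_set_at=now - timedelta(days=10))
    results = [guard.attempt_login("frontdesk", False, now) for _ in range(5)]
    results.append(guard.attempt_login("frontdesk", True, now))  # right password, still locked
    guard.it_reset("frontdesk", now)
    results.append(guard.attempt_login("frontdesk", True, now))
    results.append(guard.attempt_login("drsmith", True, now))    # forced to change password
    return results, guard.audit_log


if __name__ == "__main__":
    outcomes, log = demo()
    print(outcomes)
    print("\n".join(log))
    print(passphrase_initials("My first clinic opened in 2009", "!9"))
```

Note that a locked account rejects even the correct password until IT resets it, which is what makes the lockout useful against guessing, and that the audit log records both the lockout and later attempts against the locked account, which is the signal a security team wants to see. The 90-day value is a constant because guidance on routine expiry differs; NIST SP 800-63B, for example, advises against forcing periodic changes without evidence of compromise.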

Valuable training

Training health care staffers to avoid hackers’ scams pays enormous dividends by preventing costly ransomware attacks and the potential loss of patients after a data breach. Along with technological firewalls and meaningful security risk assessments, employee training offers a key layer of protection against the ever-growing threats of cybercrime.

Art Gross is president and CEO of HIPAA Secure Now!, which provides risk assessment, training and other security services to medical practices. He can be contacted at artg@hipaasecurenow.com.