Ransomware attacks have become a major security concern for many organizations, especially in healthcare. According to a recent report, ransomware attacks on business targets have increased by 195% since the fourth quarter of 2018.
Researchers analyzed the combined statistics and intelligence collected from January 1, 2019 through March 31, 2019. They found that business detections of ransomware increased by more than 500% compared with the same period in 2018, reaching 336,634 detections.
Ransomware is a type of malware that infects a computer system and prevents users from accessing their files, either by locking the system’s screen or by encrypting the users’ files until a ransom is paid.
The healthcare sector is most vulnerable to these cyberthreats due to the value of electronic protected health information (ePHI). On the dark web, a patient’s electronic health record could be worth three times more than other personal information such as financial information, Social Security numbers, or credit card numbers. ePHI is any demographic information that can be used to identify a patient, stored in an electronic format. That includes patient names, addresses, Social Security numbers, financial information, insurance information, telephone numbers, and medical records, to name a few.
According to the annual FBI Internet Crime Complaint Center Internet Crime Report for 2018, healthcare-related crimes, involving health providers, companies, or individuals, saw a total of $4.5 million in losses from 337 victims.
These crimes included fake insurance cards, offers for health insurance market plan assistance, stolen health information, and other false claims. Hackers were able to gather this information by leveraging spam emails, creating internet advertisements, and using fake websites.
These numbers are alarming, given that another recent study found HIPAA compliance has decreased by 2% in the last year.
Ransomware and HIPAA Compliance
When it comes to healthcare and cybersecurity, there are several important steps that organizations can take to protect themselves from ransomware attacks. One of the most effective things that a healthcare provider can do for their practice is to implement an effective HIPAA compliance solution.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) mandates a series of national standards designed to protect patients’ ePHI and to help prevent cybersecurity incidents of all kinds.
First, employee training on cybersecurity protocols is mandatory and must be given annually. HIPAA mandates that your organization have policies and procedures in place, and by documenting your organization’s training protocols in these policies, you can demonstrate your good-faith effort to the government.
In addition, full off-site backup is recommended by HIPAA regulation and can help in the event of a data breach or ransomware attack. If an attacker encrypts your data, it can be restored from a secure off-site backup, and your practice does not risk losing access to important PHI and treatment information.
Full disk encryption helps protect your patients’ ePHI. If your data is encrypted and is then subjected to a ransomware incident, the attackers will not be able to read it.
HIPAA compliance satisfies the federal regulation and protects your organization from cybersecurity attacks that can harm your business and your patients.