Alice had a few minutes before the clinic opened and the first patients arrived. She logged onto the computer and then her personal email through a webmail connection. She checked through her messages and opened an email from a supplier. She followed a link to a website looking for a deal on office supplies and was shocked to find pornographic images!
Alice closed the browser and closed her email.
Then she saw the message on the clinic's computer screen, “This operating system has been locked for security reasons. You have browsed illicit material and must pay a fine.”
Alice could not access any of the files on the computer, not even the clinic's electronic medical record (EMR).
Is data the new hostage?
Cyberextortion is a crime involving an attack or threat of attack followed by a demand for money to avert or stop the attack. Cybercriminals have developed ransomware which encrypts the victim's data.¹
A healthcare business has many types of data on the computer network – patient health information, employee personnel records, fee for service billing, accounting and tax information. That information is important to you – and makes it a valuable target for cybercriminals.
The motive for ransomware attacks is monetary, and unlike other types of security exploits, the victim is usually notified that an attack has occurred and is given instructions for how to recover data. Payment for recovery instructions is often demanded in virtual currency (bitcoin) to protect the criminal's identity. (see WhatIs.com for more information)
Here's what you should be doing now to prevent cyberextortion on your computer network.
- Know where all your data is kept – your active patient records, archived patient records, billing records, etc. Remember to reclaim data that you may have left behind with previous vendors – transcriptionist, billing agents, remote data, retired EMR vendors, etc.
- Collect only the information that you need; not information that might be nice to know or that you might have a use for in the future.
- Install or update endpoint security solutions anti-malware and anti-virus software.
- Backup your data with secure encryption. Make sure that you have the encryption key and that you know how to use it. Test restore the backup and test the encryption key, too.
- Keep your backup separate from your computer network. You might store your backup on encrypted external drives or remote backup. But don't keep your backup device connected to your computer. If you are attacked by ransomware, the backup device can be locked. too.
- Is your current back-up device secure? Your backup should be maintained in an area with appropriate physical safeguards – for example, in a locked, secure, filing drawer, safe or data centre in a location separate from the computer network.
- Learn how to recognize phishing attacks so that you can prevent cyber attacks, too.
Risk can be mitigated through use of appropriate safeguards that will lessen the likelihood or consequences of the risk. Layers of safeguards – administrative, technical, physical – will help to prevent privacy and security breaches. When both the likelihood of the risk and the risk of harm is high, the more layers of safeguards should be considered to mitigate the risk.
Risk mitigation assessment is part of a privacy impact assessment (PIA). (What is a PIA?)
Review your current security policies and software with your technical support. If you have a small business and don't have in-house technical support, outsource a security review. Update your risk assessment.Don't become a victim of cyberextortion.Click To Tweet
Have you seen this?
The Office of the Information and Privacy Commissioner (OIPC) of Alberta has released an ‘Advisory for Ransomware'. You can learn more about preventative measures and ransomware response here.
10 Fundamental Cybersecurity Lessons for Beginners, by Jonathan Crowe, Nov 11 2015 to help you get started on improving your security.
See getcybersafe.ca for more information on common internet threats and on how cyber attacks affect businesses.
Search Security Tech Target. cyberextortion definition