Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

Cyberextortion – Is Your Patient’s Health Information Protected?

Posted on May 19, 2017 by Jean Eaton in Blog

Alice had a few minutes before the clinic opened and the first patients arrived. She logged onto the computer and then her personal email through a webmail connection. She checked through her messages and opened an email from a supplier. She followed a link to a website looking for a deal on office supplies and was shocked to find pornographic images!

Alice closed the browser and closed her email.

Then she saw the message on the clinic's computer screen, “This operating system has been locked for security reasons. You have browsed illicit material and must pay a fine.”

Alice could not access any of the files on the computer, not even the clinic's electronic medical record (EMR).

Is data the new hostage?

Cyberextortion is a crime involving an attack or threat of attack followed by a demand for money to avert or stop the attack. Cybercriminals have developed ransomware which encrypts the victim's data.¹

A healthcare business has many types of data on the computer network – patient health information, employee personnel records, fee for service billing, accounting and tax information. That information is important to you – and makes it a valuable target for cybercriminals.

The motive for ransomware attacks is monetary, and unlike other types of security exploits, the victim is usually notified that an attack has occurred and is given instructions for how to recover data. Payment for recovery instructions is often demanded in virtual currency (bitcoin) to protect the criminal's identity. (see WhatIs.com for more information)

 

 

How_They_Get_Your_Data_Phishing

 

Here's what you should be doing now to prevent cyberextortion on your computer network.

  1. Know where all your data is kept – your active patient records, archived patient records, billing records, etc. Remember to reclaim data that you may have left behind with previous vendors – transcriptionist, billing agents, remote data, retired EMR vendors, etc.
  2. Collect only the information that you need; not information that might be nice to know or that you might have a use for in the future.
  3. Install or update endpoint security solutions anti-malware and anti-virus software.
  4. Backup your data with secure encryption. Make sure that you have the encryption key and that you know how to use it. Test restore the backup and test the encryption key, too.
  5. Keep your backup separate from your computer network. You might store your backup on encrypted external drives or remote backup. But don't keep your backup device connected to your computer. If you are attacked by ransomware, the backup device can be locked. too.
  6. Is your current back-up device secure? Your backup should be maintained in an area with appropriate physical safeguards – for example, in a locked, secure, filing drawer, safe or data centre in a location separate from the computer network.
  7. Learn how to recognize phishing attacks so that you can prevent cyber attacks, too.

 

Collect_Only_What_You_Need_Cyberextortion

Risk can be mitigated through use of appropriate safeguards that will lessen the likelihood or consequences of the risk. Layers of safeguards – administrative, technical, physical – will help to prevent privacy and security breaches. When both the likelihood of the risk and the risk of harm is high, the more layers of safeguards should be considered to mitigate the risk.

Risk mitigation assessment is part of a privacy impact assessment (PIA). (What is a PIA?)

Review your current security policies and software with your technical support. If you have a small business and don't have in-house technical support, outsource a security review. Update your risk assessment. [clickToTweet tweet=”Don't become a victim of cyberextortion. #PrivacyAwarwe” quote=”Don't become a victim of cyberextortion.”]

 

Have you seen this?

The Office of the Information and Privacy Commissioner (OIPC) of Alberta has released an ‘Advisory for Ransomware'. You can learn more about preventative measures and ransomware response here.

10 Fundamental Cybersecurity Lessons for Beginners, by Jonathan Crowe, Nov 11 2015 to help you get started on improving your security.

See getcybersafe.ca for more information on common internet threats and on how cyber attacks affect businesses.

References 

Search Security Tech Target. cyberextortion definition

 

cyberextortion, health care, healthcare, phishing, Practical Privacy Coach, privacy, ransomware, Safeguards, security

Who Can Authorize Payments in Your Healthcare Practice?

Posted on November 18, 2015 by Jean Eaton in Blog

Can your boss send the bookkeeper or clinic manager an email to authorize payment?

You might want to re-think that.

Read this CBC investigation report, “Ransomware, bogus emails from your ‘boss' mark growing skill of cyber-criminals” to understand the risk to small businesses from targeted phishing attacks.

There are many creative ‘cyber bad guys’ who love to trick you into providing your personal information or use social engineering to trick you to take action – like making a payment to ‘Mr. Smith'. It is essential to train your employees to help them identify an attack and prevent phishing attacks and prevent a privacy breach. If you are breached, learn how to spot and report it.

Set up clear policies in your healthcare practice about authorizing payments to legitimate vendors. Consider having one person responsible to create the cheque and another person to sign the cheque. Don't rely on email to authorize payments, especially to new accounts.

Related Posts:

Is Your Patient’s Health Information Protected from Cyberextortion?
Email Phishing

cyberextortion, healthcare procedures, phishing, security

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

“This was my first ever time I had to work on a PIA and I was a little nervous about doing it efficiently - but you really made it as simple and straight forward as possible. Thank you for being available for my questions when I had them. I would easily recommend Privacy Impact Assessments to Protect Your Practice course for anyone to do their own PIA's! Thank you so much!”

- Karen Sarabura, Clinic Manager and Privacy Officer, CGA Medical Imaging, Alberta

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2022 Information Managers Ltd.

Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage vendors Read more about these purposes
View preferences
{title} {title} {title}