According to SecurityScorecard, more than 50% of all organizations have a network security score of “C” or lower. And Penomon Institute reports that “in the last two years, 91% of healthcare organizations have had at least one data breach involving the loss/theft of patient data.”
While a partial ransome recovery happened in 2021 when the Colonial Pipeline was compromised, it is unlikely for the FBI to investigate on behalf of small medical practices or physician’s groups, so training your staff to use digital hygiene is crucial.
The Center for Internet Security maintains best practices benchmarks for network and device security, and reminds users of both that secure systems are only as secure as each individual device on the network. A few straightforward steps will help your organization’s security posture:
- Close unused and unsecure ports
- Remove unneeded software
- Apply and maintain all third-party updates
- Configure devices to meet industry best practices for security
We all wish there were straightforward protocols or instructions on how to respond to cyber and ransomware attacks. It turns out that each case is unique to the organization targeted. However, what we can depend on is that these hazards are here to stay, and all entities and groups do need to have a response plan in place for when the breach comes. The American Health Law Association recommends that plans include these three core components:
- Preventive: keep educating employees about the fundamental ways in which digital systems become compromised, particularly how the vast majority of compromises involve basic gullibility and human error.
- Operational: by maintaining a robust system of backups, redundancies, and data segmentation, entities can substantially reduce the impact on their systems.
- Strategic: to pay or not to pay, that is the question. If the entity anticipates a willingness to pay, it should consider such variables as its payout limit, how it will assemble the funds, and whether anyone in the organization has cryptocurrency experience. If the entity plans not to pay, it should consider its strategies and alternatives to operating without the original data, what kind of messaging it will provide to patients and business partners while its systems are compromised, and its public image management if the ransomware attack blows up in the traditional or social media.
Healthcare facilities, physician groups, and hospitals are uniquely vulnerable to cyber attacks. Electrosurgical units, anesthesia machines, defibrillators, patient monitors, or EMR systems could all be networked devices – consider the potential of their functionality being held ransom. Developing a plan for temporary operation and crisis management in the event of a compromised network is fundamental to supporting both healthcare providers and patients.
For guidance on navigating cybersecurity issues and other healthcare law matters, contact us.