What to Expect if Your Practice Is Hit With a Ransomware Attack
The health care industry, including small- to medium-sized dermatology practices, continues to see an increase in targeted cybersecurity attacks. This is often due to the fact that practices of this size are very likely to pay the demanded ransom in return for the release of their patient data and other private information that is being held hostage and preventing them from operating normally. Many health care practices are using outdated protections for their computer systems and backups, such as only implementing antivirus software, firewalls, and other traditional information technology (IT) resources that are, unfortunately, no longer enough to protect business networks.
There are many ways to help prevent these types of attacks from occurring, including identifying vulnerabilities in the practice’s network through a cybersecurity assessment and training staff to identify threat actors. If a dermatology practice does experience a ransomware attack, swift action must be taken.
What a Ransomware Attack Looks Like
Ransomware is a type of cyberattack that involves malicious software that encrypts most or all files on the network until a sum of money is paid to the hacker. If a hacker accesses a dermatologist’s network through a vulnerability (any device’s IP address, such as those used by laptops, printers, phone systems, security cameras, or smart televisions), no employee will be able to access the systems. There also may be a message from the hacker confirming the attack and demanding a payment in return for the data. Hackers may also threaten to sell or release private practice/patient data if the ransom is not paid.
The recovery process is multifaceted and often involves many different variables, including:
- Legal counsel usually gets involved to handle state and federal compliance regulations.
- A cybersecurity firm will conduct an investigation to understand the depth and scope of the cyber event.
- Forensic data will be captured to help gain a better understanding of how the event occurred and whether patient data was accessed or stolen.
- The hackers will be contacted, typically via the Dark Web, to understand what the ransom demand looks like.
- Once the practice agrees to pay the ransom, a payment in cryptocurrency is made to the hackers to fulfill their extortion demand.
A tool is then provided to the cybersecurity firm to unlock all the encrypted data, after which the hackers will (hopefully) destroy the stolen data. In most cases, the impacted workstations and servers will need to be completely rebuilt from scratch. This multistep recovery process will significantly impact the practice and demonstrates why the time to remediate is substantial. While the cyberattack is being addressed, the practice will typically be nonoperational for 7 to 10 business days. After the ransom is paid, additional downtime can also occur during the data recovery process.
Steps to Take After a Ransomware Attack
Once a dermatology practice identifies a ransomware attack, it is important to take steps to ensure further data and network safety are not compromised. It is best to immediately contact a professional cybersecurity firm to analyze the attack and provide a detailed report of how the network has been affected. Here are some additional steps a practice can take:
- Unplug all modems and routers that give internet access to the network’s devices. Disconnecting entirely from the internet is paramount, but be sure not to turn off computers that are currently on.
- Identify and secure all backups with critical data, such as those on external hard drives or kept on a cloud network. External hard drives should also be disconnected from devices/the internet and moved to a secure location.
- Remind all providers and staff members of confidentiality guidelines surrounding the breach and provide them with direction if they are contacted directly by the hackers.
The Role of a Cybersecurity Firm
As previously discussed, a cybersecurity firm can help facilitate data recovery. Once a practice has selected a cybersecurity firm to work with following a ransomware attack, practice management should expect to receive updates on the extent of the breach, including which systems/devices were impacted and where the cyberattack originated. Often, cybersecurity analysts will find that hackers accessed the system through a vulnerability such as an employee unknowingly clicking on a phishing email link disguised as a legitimate website or attachment. The cybersecurity firm should continue to analyze the impact of a ransomware attack until it is resolved. After the attack has been remediated, dermatology practices should work with the cybersecurity firm to establish best practices and next steps to further secure the network and protect it against future attacks.
The Aftermath of a Ransomware Attack
In addition to the loss of business continuity, revenue, and patient trust, it can often take an extended period to recover stolen data following a ransomware attack. Dermatology practices should be proactive in engaging in cybersecurity awareness training and assessments to help minimize the chances of repeat attacks. They should also work with their existing IT resources and establish a relationship with a cybersecurity firm to implement strong vulnerability management, penetration testing, and an independent cybersecurity assessment to ensure the highest level of security.
Mr Salman is CEO of Black Talon Security, a Katonah, NY-based company specializing in cybersecurity solutions for small- and medium-sized businesses. He has more than 30 years of experience in information technology and software design. Mr Salman also lectures nationally on cybersecurity topics.
Disclosure: Mr Salman is an employee of Black Talon Security.