In the first quarter alone, cyber-criminals collected $209 million, putting ransomware on pace to become a $1 billion-a-year crime. With half of U.S. companies having been hacked this year alone, these payouts are only going to increase.
Mark Hollis, CEO of MacPractice, believes the problem with ransomware is that businesses are too focused on the measures to take after being hit, rather than on preventing these incidents altogether. Mark suggests that even the smallest adjustments, such as educating staff members, will help to avoid these costly attacks.
He offers 5 preventive tactics for avoiding a ransomware attack:
Avoid Windows. Ransomware written for Windows has infected millions of PCs. No doctor’s office using macOS native practice management or macOS native EHR software has had its data held for ransom. IBM has deployed 100,000 Macs to its employees and has found that PCs cost 3X as much to manage and require 2X the support, and that Macs save $535 per computer. 73% of IBM employees want their next computer to be a Mac. On its Macs, IBM relies on the built-in, native macOS Gatekeeper to prevent ransomware and the built-in, native XProtect to defeat viruses.
Limit data exposure to the Internet. The Internet is the primary source of malware, including ransomware. Reducing the number of computers connected to the Internet, and the hours they are connected, reduces the risk of infection. Limit Internet access to those employees who require it for their jobs. With on-premises software, you can limit or even entirely eliminate your server’s access to the Internet, whether the server is dedicated or not, and with it the hacker’s access to your patients’ data.
Limit use of browsers and remote servers (‘the cloud’). Major cloud vendors, including Facebook, LinkedIn, Yahoo and Google, to name just a few, have been and are being hacked. They can’t protect themselves or their millions of users. Browsers themselves, which are required to access data in server farms (‘the cloud’), are rife with vulnerabilities introduced by poorly maintained open source code, like the Heartbleed bug in SSL/TLS, and even by commercial products, like Adobe’s Flash, which many health care software developers use. Stay away if you can.
Ban personal email and use of browsers on office computers. Train your staff to recognize phishing, so they avoid being suckered into clicking on the wrong website or opening one of hundreds of incessant, suspicious emails, but realize that training to outsmart professional cybercriminals may not work. Removing the source of temptation from your employees, to the best of your ability, definitely works.
Privatize your network. Make sure your office network is sufficiently protected, with passwords and other controls, from access by any untrusted devices. Most of your patients have access to the Internet via their phone’s cellular connection. Consider not offering Wi-Fi to your patients or employees. It is simpler to manage (lower IT cost) and carries less risk.
Use practice management and EHR software that contains all ePHI and encrypts your data at rest (HIPAA requires that you encrypt data at rest and in motion and that your database password be unique and encrypted). This won’t stop ransomware, but it will prevent the hacker from acquiring your patients’ data to extort a ransom fee from you or to sell on the dark net. Encryption can qualify you for the HIPAA Safe Harbor, exempting you from the requirement to report a breach. An encrypted, external, disconnected backup is the only source you can truly trust to restore from.