Mitigating Cyber Risk — Ransomware
Cybercriminals are using ransomware to hold medical practices hostage. Here's what you need to know to protect your data and reduce your risks from ransomware.
An employee opens an e-mail that purports to be from her bank and asks her to click on a link to her account. Instead, the link downloads ransomware, a type of computer virus that restricts access to the infected computer system and demands that the organization pay a ransom to the hackers. Some forms of ransomware, such as CryptoLocker, systematically encrypt files, making them impossible to decrypt without paying the ransom for the encryption key.
CryptoLocker propagates via e-mail attachments. When the attachment is opened, the virus encrypts the hard drive on the local computer and any mounted network drives. The virus then displays a message that offers to decrypt the data if a payment is made by a stated deadline through either bitcoin (see inset) or a prepaid cash voucher.
If the organization has performed frequent system backups, it can typically restore its data with limited loss. However, if backups have not been performed, the ransom must be paid or the organization must reset its system back to its default setting—and lose everything.
Ransoms are typically small enough that the FBI won’t expend its resources to identify and prosecute the hackers, but some ransoms have been in the tens of thousands.
Also, under guidance released in July 2016, the Department of Health and Human Services now presumes that a ransomware attack compromises electronic PHI—unless the HIPAA-covered entity can demonstrate otherwise. The burden of proof rests with the healthcare practice. Small practices without sophisticated systems or firewalls may have to hire a forensic computer firm to demonstrate that a breach did not occur.
To mitigate this risk, your practice should take these steps:
- Small practices should migrate their systems—both software applications and data—to the cloud. Cloud vendors have implemented security measures that most smaller practices won’t be able to implement and maintain. Be sure to fully vet your cloud storage vendor (see page 8 of this guide for strategies on vendor selection).
- If you cannot store data in the cloud, consider working with a computer forensic firm to strengthen your security and your investigative capabilities. Ensure that critical systems and business data are backed up hourly, and test that the backup restore process works.
- Provide ongoing security awareness training for all employees. Over 80 percent of attacks occur due to human error or human involvement. Train staff members to avoid downloading files, clicking on links, or plugging unknown USB drives into computer systems.
- Block malware with intelligent firewalls that stop malicious software from executing.
- Install intrusion-detection software to monitor for unauthorized activity on computer networks.
- Stop malware from executing on desktop computers by installing application whitelisting software, anti-virus, or anti-malware.
- Perform penetration testing on a regular basis to determine any existing vulnerabilities that should be patched.
- Install software updates and patches regularly. These include patches that fix vulnerabilities in the software, which reinforces your antivirus software, your firewall, and all other security measures.
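Because CryptoLocker also encrypts mounted network drives, a backup that the infected workstation can reach is not a safe backup, and the restore step has to be exercised, not assumed. The following Python script is an added example, not part of this guide: it takes a timestamped snapshot with a SHA-256 manifest and runs a restore drill that proves the snapshot comes back intact even after the live copy has been "encrypted". Directory names and sample files are constructed for the example.

```python
"""Hourly backup plus restore drill (added example, not from the guide).
Assumes practice data lives in one directory and snapshots go to a location
workstations do not mount, since CryptoLocker also encrypts mounted network
drives. A SHA-256 manifest proves each restore is intact. Paths constructed."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def _manifest(root: Path) -> dict:
    """Map each file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def take_backup(source: Path, backup_root: Path) -> Path:
    """Copy source into a new timestamped snapshot and record its manifest."""
    snapshot = backup_root / datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    shutil.copytree(source, snapshot / "data")
    (snapshot / "manifest.json").write_text(json.dumps(_manifest(snapshot / "data")))
    return snapshot

def verify_restore(snapshot: Path) -> list:
    """Restore into scratch space and compare against the manifest.
    Returns relative paths that are missing or altered (empty list == OK)."""
    expected = json.loads((snapshot / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        actual = _manifest(Path(shutil.copytree(snapshot / "data", Path(scratch) / "r")))
    return sorted(f for f in set(expected) | set(actual) if expected.get(f) != actual.get(f))

def run_drill() -> dict:
    """Constructed scenario: back up, let ransomware 'encrypt' the live copy,
    confirm the snapshot still verifies, then show a damaged snapshot failing."""
    tmp = Path(tempfile.mkdtemp())
    src = tmp / "practice"
    (src / "notes").mkdir(parents=True)
    (src / "patients.csv").write_text("id,name\n1,constructed\n")
    (src / "notes" / "visit.txt").write_text("constructed visit note\n")
    snap = take_backup(src, tmp / "backups")
    clean = verify_restore(snap)
    (src / "patients.csv").write_bytes(b"\x00encrypted-by-ransomware")  # live copy lost
    after_incident = verify_restore(snap)  # snapshot untouched, so it still restores
    (snap / "data" / "notes" / "visit.txt").write_bytes(b"\xff")  # snapshot damaged
    damaged = verify_restore(snap)
    shutil.rmtree(tmp)
    return {"clean": clean, "after_incident": after_incident, "damaged": damaged}
```

Run `run_drill()` on a schedule against the real snapshot location and alert on any non-empty result; the same check catches a snapshot that was itself reached by the ransomware.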
Case Example 1
A medical center suffered a ransomware attack that blocked access to its computer system. The center paid the equivalent of $17,000 in bitcoin to the hackers responsible, deciding that paying the ransom was the best way to restore normal operations. Ten days after the disruption was first noticed, the computer system was functioning again.
Case Example 2
A ransomware attack affected 4 of the 9,800 computers in a hospital’s network, making the information on the computers inaccessible. Because the hospital had saved critical data on servers instead of desktop computers, it avoided paying a ransom and prevented the loss of patient information. The hospital was able to find the virus, isolate it before it spread, and wipe the drives clean on the infected computers.
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.