HIPAA TIP: Ransomware

Ransomware is a form of malware designed to encrypt files on a device, rendering files and the systems that rely on them unusable. The attacker then demands a ransom from the victim to restore access to the data once payment is made. The attacker will send instructions on how to pay the fee in order to restore the encrypted data through a decryption key supplied by the ransomware attacker once payment is received.

Does your organization pay the ransom? It truly is a million dollar question.

The FBI does not recommend paying a ransomware demand. “This is because it doesn’t guarantee you will get your systems back online or your data back, and it incentivizes threat actors to continue to target companies”, according to William J. Roberts co-chair of Day Pitney LLP’s Cybersecurity and Data Protection Practice Group. There is also NO guarantee that the encrypted data has not already been used or sold to other threat actors for additional profits.

In any size organization there are steps that can be taken to stay ahead of ransomware attacks:

· Maintain backups of all critical data onsite and offsite, even two or more offsite locations. Routinely test backups for efficacy.

· Review port settings for Firewalls and ensure only necessary ports are open; consider limiting connections to only trusted hosts; and implement multi-factor authentication for anyone connecting from outside the business environment.

· Keep systems up to date. Apply the latest updates and security patches to all of the organization’s systems and applications. Never continue using end-of-life devices that are connected to the network – this is a recipe for disaster.

· Train your team. Security awareness training can teach members what to look for and how to spot malicious emails that trick users into clicking on links or opening attachments.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT. can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.