
Ransomware: 3 Ways to Protect Your Organization

News flash: healthcare organizations are being attacked 24/7/365.  Experiencing a ransomware attack, losing control of all of your data to a faceless attacker demanding payment, feels much like having your home burglarized: violated.

In many cases, targeted hacking is financially motivated: the attacker holds data hostage and demands a ransom.  Attackers pick out physicians and executives named on public websites.  With more user IDs and passwords available on the dark web today than ever before, being hacked has become significantly more likely than in the past.  We at HIPAA One want to share a few ways we see organizations leave themselves vulnerable and get hacked.  Take action after reading this blog to avoid becoming the next target.  Here are the three areas to address: preventing an attack, recovering from one without paying, and knowing what to do while one is under way:

Prevent Hacking and Ransomware

  • Training, Training, and more Training: Remind all workforce members about the dangers of email phishing. Even if the organization considers itself the Fort Knox of security, one wrong click by a staff member can result in a significant breach.  Here are key ways to avoid falling victim to ransomware via email phishing:
    • Be suspicious of emails and messages, especially if they urgently request personal information or credentials.
    • Think before you click any link; hover over it first to see where it actually leads, and be wary when the address shown does not match the destination.
    • Regularly update your computer, email client and applications.
    • Never share personal information or passwords online.
  • IT controls must be working properly TODAY:
    • Enable logging on all your systems (databases, email, file servers, network firewalls, cloud services, etc.) and retain those logs for at least 3 months, ideally on a system the affected servers cannot overwrite, so the logs survive the incident you need them for.
    • Enable multi-factor authentication so that a guessed or stolen password alone is not enough to take over an email account.
  • Implement all HIGH-RISK remediation plans found in your most recent HIPAA Security Risk Analysis (SRA).
    • HIPAA One tracks HIGH RISKS and provides instructions on what to do about anti-malware, firewalls, web-content filtering, inactive users, and the service accounts commonly used to access the network.
    • Email reminders go out weekly to those assigned to remediate risks and update the SRA.
  • Conduct periodic penetration testing.
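The phishing warning signs in the training bullets above (urgent wording, a Reply-To that does not match the sender, a link whose visible text names one site while its target is another) can also be checked mechanically, for example at a mail gateway or in an analyst's triage script. The following is an added example and not code from HIPAA One; the keyword list, the two sample messages and the domain names are constructed for the demonstration, and the domain comparison uses a crude "last two labels" rule that is wrong for suffixes like co.uk.

```python
"""Flag common phishing indicators in a raw RFC 5322 message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader to act now. Assumed starter list; tune per organization.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (will be )?suspended|verify your (account|password))\b",
    re.IGNORECASE,
)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude approximation: the last two labels. Fine for .com/.org, wrong for co.uk-style suffixes."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def host_of(text: str) -> str:
    """Hostname from a URL or bare domain; empty string when the text is not domain-like ("Click here")."""
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname or ""
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else ""


def phishing_indicators(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Replies routed to a different domain than the apparent sender.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 2. Urgency language in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if URGENCY.search(str(msg.get("Subject", ""))) or URGENCY.search(content):
        findings.append("urgency language in subject or body")

    # 3. Link text that names one domain while the href points at another.
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(content)
        for href, shown in parser.links:
            actual, displayed = host_of(href), host_of(shown)
            if displayed and actual and registered_domain(displayed) != registered_domain(actual):
                findings.append(f"link shown as {displayed} actually goes to {actual}")
    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS_EMAIL = """From: "IT Helpdesk" <helpdesk@example-hospital.org>
Reply-To: helpdesk@example-hospital-support.com
To: dr.smith@example-hospital.org
Subject: URGENT: password expires within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires within 24 hours. Reset it now to avoid losing access.</p>
<p><a href="http://login.example-hospital-support.com/reset">https://portal.example-hospital.org/reset</a></p>
</body></html>
"""

BENIGN_EMAIL = """From: "IT Helpdesk" <helpdesk@example-hospital.org>
To: dr.smith@example-hospital.org
Subject: Maintenance window this Saturday
Content-Type: text/plain; charset="utf-8"

The EHR will be unavailable Saturday 02:00-04:00 for scheduled patching.
No action is needed on your part.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, phishing_indicators(raw))
```

None of these checks proves an email is malicious on its own (marketing mail routinely uses urgency and tracking links), so treat the output as a reason to look closer, not as a verdict.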

Recover from Hacking and Ransomware (without paying any ransom)

  • Make sure backups are actually occurring and are stored offline, and at least quarterly test a restore procedure that simulates a complete lock-down of all your servers.  A backup that has never been restored is an assumption, not a backup.
  • Physically separate backup files from the servers and network (offline media, or storage that production credentials cannot write to) so the backups are not encrypted along with everything else.
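The quarterly restore drill described above can be scripted so that it is repeatable and its result is a pass/fail rather than an impression. The following is an added example, not HIPAA One's procedure: it archives a constructed set of files, records a SHA-256 manifest next to the archive, overwrites the "live" copies as ransomware would, restores the archive into a scratch directory and checks every file against the manifest, refusing to extract entries with absolute or parent-directory paths. Where the archive and manifest are physically kept (offline media, a separate account) is an operational control the script does not cover.

```python
"""Back up, simulate a lock-down, restore and verify (added example, constructed data)."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, backup_dir: Path) -> Path:
    """Archive every file under src and write a sha256sum-style manifest beside the archive."""
    archive = backup_dir / "backup.tar.gz"
    lines = []
    with tarfile.open(str(archive), "w:gz") as tar:
        for f in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = f.relative_to(src).as_posix()
            lines.append(f"{sha256_file(f)}  {rel}\n")
            tar.add(str(f), arcname=rel)
    (backup_dir / "backup.sha256").write_text("".join(lines))
    return archive


def safe_member(name: str) -> bool:
    """Reject archive entries that would escape the restore directory."""
    p = PurePosixPath(name)
    return not p.is_absolute() and ".." not in p.parts


def extract_backup(archive: Path, restore_dir: Path) -> int:
    """Extract only regular files with safe paths; returns the number extracted."""
    with tarfile.open(str(archive), "r:gz") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        bad = [m.name for m in members if not safe_member(m.name)]
        if bad:
            raise ValueError(f"refusing to extract unsafe paths: {bad}")
        tar.extractall(str(restore_dir), members=members)
    return len(members)


def verify_restore(manifest: Path, restore_dir: Path) -> dict:
    """Compare restored files against the manifest taken when the backup was made."""
    expected = {}
    for line in manifest.read_text().splitlines():
        digest, _, name = line.partition("  ")
        expected[name] = digest
    restored = {
        f.relative_to(restore_dir).as_posix(): sha256_file(f)
        for f in restore_dir.rglob("*") if f.is_file()
    }
    missing = sorted(set(expected) - set(restored))
    extra = sorted(set(restored) - set(expected))
    mismatched = sorted(n for n in expected if n in restored and restored[n] != expected[n])
    return {
        "ok": not (missing or extra or mismatched),
        "verified": len(expected) - len(missing) - len(mismatched),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
    }


def run_demo(corrupt_restore: bool = False) -> dict:
    """End-to-end drill on constructed data; corrupt_restore=True shows what a failed drill looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backups, restore = root / "live", root / "backups", root / "restore"
        for d in (live / "ehr", backups, restore):
            d.mkdir(parents=True)
        # Constructed sample data standing in for production files.
        (live / "ehr" / "patients.db").write_bytes(os.urandom(4096))
        (live / "ehr" / "schedule.csv").write_text("date,provider\n2024-01-01,smith\n")
        (live / "README.txt").write_text("constructed demo data\n")

        archive = make_backup(live, backups)

        # Simulate the lock-down: every live file replaced by ciphertext-like garbage.
        for f in live.rglob("*"):
            if f.is_file():
                f.write_bytes(os.urandom(f.stat().st_size))

        extract_backup(archive, restore)
        if corrupt_restore:
            (restore / "ehr" / "patients.db").write_bytes(b"damaged or tampered copy")
        return verify_restore(backups / "backup.sha256", restore)


if __name__ == "__main__":
    print(run_demo())
```

Run the drill against a real restore target with real backup media, and treat any non-empty missing or mismatched list as a failed quarter that needs a root-cause, not a note.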

Know What to do During a Hacking Attack and Ransomware

  • Have a plan in the event of a hacker attack, ransomware attack or any other security incident:
    • Here is an example of a procedure to follow should you have a security incident (Security Incident Response Plan workflow).
    • Disconnect affected servers from the network, but do not power them off: the ransomware's encryption key may still be in memory, and powering off destroys it.  Contact a forensics firm (HIPAA One does this).  We will capture the memory of the servers and see if we can locate the decryption key and save the day (it happens!).

If security is not top of mind for your organization, it should be.  Given enough time, taking no action guarantees your organization will experience a hacking incident.  We hope this blog provides resources to help you prepare against a breach.

Questions?  Comments?  Please contact us to get secure and compliant today (and if you are under attack).  Also, feel free to post your ransomware or hacking experiences below!

A Balance of Trust: New Guidelines for Business Associates Under HIPAA


The relationship between a covered entity and business associate requires a delicate balance of trust. This balance of trust works because each is invested in the security and protection of personal health information. As a covered entity, it is … [Continue reading]

Don’t Get Caught! Five Ways to Avoid a Phishing Scam


I love to spend time with my family. Some of our favorite outdoor activities include skiing and mountain biking. Unfortunately, this time of year it is hard to do either activity because the snow is too slushy to ski and the canyon trails are too … [Continue reading]

Am I A Business Associate Under HIPAA? Why Should I Care?


Back in 2013, when Edward Snowden was in Hong Kong revealing he leaked documents detailing mass-surveillance programs by the U.S. government, the Department of Health and Human Services (HHS) was creating the Final Omnibus Rule. This rule extended … [Continue reading]

HIPAA Compliance for Microsoft Office 365

Organizations in every industry are upgrading to Microsoft Office 365 to improve security. A common concern among healthcare professionals is that using Office 365 and Microsoft Teams exposes an organization to HIPAA violations. If Office 365 is … [Continue reading]

HHS SRA Tool Version 3.0 – The Good, Bad and Ugly


Earlier this month, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) released an updated version of their Security Risk Assessment Tool (SRAT). We have been following the development of this toolkit since … [Continue reading]

Cloud Email Phishing Attacks: A Practical Guide


Attention CIOs, CISOs and IT Administrators! A quick review of the HHS Breaches Over 500 list paints a pretty grim picture of the number of breaches affecting 500 or more individuals. Breaches have been steadily increasing and the culprit is … [Continue reading]

State Departments Conducting Audits?!?

In recent years, healthcare audits have been a trending topic within the compliance world. Following the Phase II launch of the HHS Office for Civil Rights (OCR) Audit Protocol in March 2016, many members of the healthcare community equate audits … [Continue reading]

Healthcare Continues to Dominate Breach Related Costs

A new study conducted by the Ponemon Institute on behalf of IBM Security confirmed the fears of so many healthcare information security professionals, no other personal information yields a higher value than compromised patient records. Across the … [Continue reading]

Similar but Different: Gap Assessment vs Risk Analysis

If you've heard the terms gap assessment and risk analysis used interchangeably before in privacy or security conversations, you are not alone. At HIPAA One, we have found that there are quite a few misconceptions about these two approaches and how … [Continue reading]