Protect your office from ransomware

July 18, 2016

By Jennifer Garvin

Washington — Is your office protected from ransomware?

Ransomware, a rapidly growing form of cyber attack, is a type of malicious software that encrypts a user's data and holds it for ransom. It can affect any computer device. Most ransomware infects systems through "spam, phishing messages, websites and email attachments," according to the Office for Civil Rights.

Health providers may find themselves particularly at risk as several health care organizations have recently "fallen victim to ransomware," according to Sylvia Burwell, secretary, U.S. Department of Health and Human Services, in a letter to the nation's health care executives.

"Cybersecurity is one of the most important challenges we face as a nation," said Sec. Burwell, noting that ransomware has the potential to disrupt a provider's ability to provide health services, inflict significant financial losses, damage sensitive data and expose it to a breach. It can also harm a provider's reputation.

"Unlike many cyber threats (e.g., stolen data and compromised health information) ransomware is immediately disruptive to day-to-day business functions and, therefore, your ability to provide high quality health care," Sec. Burwell said.

If you think you are the victim of a ransomware attack, Sec. Burwell urges you to contact a local FBI or Secret Service field office.

To help health care entities better understand and respond to the threat of ransomware, the Office for Civil Rights has created Health Insurance Portability and Accountability Act guidance on ransomware.

The guidance recommends that offices conduct risk analyses to "identify threats and vulnerabilities to electronic protected health information" and also urges offices to:

  • Implement procedures to safeguard against malicious software.
  • Train users to detect malicious software and how to report it.
  • Limit access to electronic protected health information.
  • Create and maintain contingency plans that include disaster recovery, emergency operations, frequent data backups and test restorations.

The new guidance is available from the OCR here.