Today, it’s almost impossible to say the word “malware” without talking about ransomware. It is one of the most common and destructive forms of malware online today. Thieves take over your computer systems and hold your files hostage until you pay the ransom. Even if you decide to pay up, there is no guarantee you’ll get your files back or what condition they’ll be in. Nowhere is this cybercrime easier to see than in the healthcare industry, which continues to endure waves of the attacks.
While only 30 ransomware breaches in healthcare were reported in 2016, the number more than doubled to 64 the following year, according to a study by Protenus and Databreaches.net. The attacks are having a significant impact. Four of the five largest data breaches reported to the Office for Civil Rights (OCR) in 2017 were attributed to ransomware.
The jump in reports may be partially in response to new guidelines published by the OCR in July 2017. The document, released after a rash of attacks, clarified the OCR’s position that ransomware infections that encrypt protected health information (PHI) are presumed a HIPAA violation and must be reported – unless the victim can prove otherwise.
Of course, the jump may also be driven by a genuine increase in ransomware attacks, which was seen across many industries. A 59% increase in ransomware was observed year over year in 2017, according to McAfee Labs’ March 2018 Threat Report.
In study after study, researchers find ransomware to dominate the malware infections found in healthcare. More than 70% of malware-based security incidents involving PHI were attributed to ransomware in a Verizon report. That’s ten-times the number attributed to the second most-common type, RAM scrapers, which were found in just 7% of the incidents.
Examples of Cyber Extortion
Cyber extortion is a growing tend according to the OCR’s Jan. 2018 Cybersecurity Newsletter. The department predicts the threat “will continue to be a major source of disruption for many organizations.”
However, other types of cyber extortion have cropped up. They include the use of distributed denial of service (DDoS) attacks. This is when an attacker will render network systems unreachable to intended users, and then demand payment to end the flood of online traffic. Another type cited in the newsletter is perhaps the simplest of all. It occurs when an attacker steals sensitive data and threatens to publish or sell it unless payment is made.
Many varieties of cyber extortion are likely to emerge in the coming years as malicious outsiders continue looking for new ways to turn malware and hacking skills into profit.
What Can You Do About It?
You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.