A healthcare ransomware or cybersecurity breach can be costly — paying an average of $150 for each patient record that you must restore, not including fines …
In May of this year the U.S. Department of State released a press statement offering a reward of up to $10 million for any information that can help identify and/or locate leaders of the Conti ransomware organized crime group — a group which the FBI has identified as being responsible for at least 16 attacks against U.S.-based healthcare and first responder organizations. Healthcare ransomware attacks are rising, putting extra stress on practices trying to keep up with HIPAA and security protocols.
In the same statement, the State Department offered another $5 million for information leading to the arrest or conviction of anyone participating in an incident involving Conti variant ransomware. Rewards of this size suggest how damaging this type of cyberattack can be, and they serve as a reminder that every healthcare provider can benefit from protecting their business against a breach of any kind.
What is Conti ransomware and how does it attack?
The Department of Health and Human Services’ Office of Information Security (OIS) explains that the Conti group encrypts its victim’s online information, first deleting copies and disabling backups so the data cannot be restored by the organization being hit. The group then demands a ransom to decrypt the data, asking for an average of $900,000 per victim but sometimes setting the amount as high as $25 million.
In some cases, the Conti group will attempt to extort the victim in other ways too, such as by threatening to release private information online if their demand is not paid.
The OIS adds that healthcare is one of the top five sectors or industries targeted by Conti ransomware attacks. The average amount of time from when a Conti attack is detected until the damage is repaired (often referred to as “dwell time”) ranges from 1-3 weeks.
Impact of a healthcare ransomware breach
Beyond ransomware, it’s important to understand that there are other types of cybersecurity breaches that can be used against your chiropractic or healthcare practice, including malware, viruses, and phishing. All of these can have negative impacts, one of which is significant disruption of your business operations.
For instance, according to the OIS, a not-for-profit hospital in New Mexico had to go back to recording information with pen and paper during a Conti attack because its electronic health record (EHR) systems were down. This makes healthcare staff’s jobs more difficult, and the extra time needed to do everything by hand also reduces your ability to maintain your patient load.
Another impact of a cybersecurity breach is that a release of sensitive information can damage your business’s reputation. In the New Mexico breach, data exfiltrated by Conti included private patient information (both medical and personally identifying information, such as identification cards and passports) and private employee information (including information contained on employment applications and information collected during background checks).
When this occurs, it can be harder to find and keep both patients and quality employees. Patients may not want their private information stored in your system for fear that it will be breached again, so the trust relationship starts to erode. The same happens with potential staff: they may not want to work for you out of concern that their private data will be exposed.
Finally, a healthcare ransomware or cybersecurity breach can be costly. Even if you don’t pay a ransom, Palo Alto Networks reports that you will pay an average of $150 for each patient record that you must restore. If you have 200 patient records on file, this equates to $30,000 in costs. There are also costs associated with returning other electronic records to workable form, implementing and updating security software, and — if your system didn’t comply with regulatory requirements when it got hit — you may also have to pay fines.
How to protect your healthcare business from a cyberattack
The U.S. Small Business Administration (SBA) shares that the first step to protecting your business from a cyberattack is to assess your risk. Learn where you are most vulnerable, take action to reduce those vulnerabilities, and develop a response plan in case a breach does occur.
The Cybersecurity and Infrastructure Security Agency (CISA) offers many resources you can use to help with your assessment.
Other best practices recommended by the SBA include:
- Ensuring that your staff is adequately trained to spot and avoid cybersecurity attacks
- Installing and regularly updating antivirus software
- Securing your network with a firewall and encryption
- Using only strong passwords, and making these passwords different for different accounts
- Implementing multi-factor authentication to add another layer of protection
For additional articles and advice on preventing healthcare ransomware or cyberattacks go to https://www.chiroeco.com/?s=cyberattack.