You know what it means for someone to hold someone or something for ransom. If you’re like me, that sentence alone scares you. It means someone or something is being detained until you turn over money to get it back. Terrifying; but it’s a reality that some have experienced. And it can affect companies, too, not just individuals.

Did you know your PHI can be held ransom?

Ransomware is a malicious software created to block access to a computer or system until money is paid, and providers need to prepare for it. The hope is that it never happens to you, but creating a plan in case it does keeps you safe, not sorry. (According to HealthcareIT News, as many as 75% of U.S. hospitals could have been hit with ransomware in the last year!) Today, providers house thousands, and in some cases millions, of individuals’ PHI on company laptops. So preparing for ransomware starts with educating employees.

Schoolhouse rock

Create a song, send an email, post on your intranet – no matter how you educate employees about the threat of ransomware, ensure that every single employee knows what to do in the event that you face an attack.

One effective way to do this is to send a mock phishing email to test your employees. Do they respond to the email? Send it on to security? Click a link? These behaviors will help you discover what you need to address with employees, or if your efforts to educate them have been 100% successful.

Backup everything

This rule applies to everything important stored on a computer. You wouldn’t want to lose the pictures of your newborn or the videos from your childhood stored on your computer, and the same applies to companies with sensitive PHI and critical applications. Our tip: back up your media, encrypt it, and store it offline so that it isn’t accessible from the internet. The farther the data from unauthorized personnel, the better.

Create a plan

Once all your data is backed up and your employees are informed, create and communicate a plan for how any and all employees should handle a ransomware attack. For starters, the FBI suggests healthcare organizations do not pay ransom until they contact law enforcement and begin working together on the case. Another tip: an alternate location should be on standby for all employees to switch to so that business can remain while the ransomware attack investigation is underway. Finally, critical assets such as EHRs and other applications should be identified, along with the appropriate steps to take following an attack, so that vendors can replace servers and other assets to rebuild the network and remove the malicious ransomware.

Revisit and revise

Revisit your plan, communications, and backed-up data periodically and revise accordingly. As new employees enter the organization, ensure they understand what to do if an attack occurs. Do all this and you will… you guessed it… stay vigilant!

Like this post? Check these out:


Recent articles in the news:

Ransomware a Growing Threat to Providers
More than half of hospitals hit with ransomware in last 12 months