The U.S. government recently issued a warning to the U.S. health care system that it had information about an imminent cybercrime threat to U.S. hospitals and health care providers. Health care providers are urged to take precautions to protect their networks from these threats. The warning includes the potential for ransomware attacks in which the perpetrator demands the provider pay “ransom” for the return of their network and files.
What can you do to protect yourself from being the target of a cybercrime attack? The FBI, together with the Cybersecurity and Infrastructure Security Agency, has a list of best practices to implement. We advise reviewing this document with your IT professionals. Recommendations include regularly changing passwords to network systems and training employees on information security principles and vulnerabilities. Providers should also make sure employees know who to contact when they see suspicious activity or believe they have been the victim of a cyberattack. Other recommendations include:
- Focus on employee awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats – such as ransomware and phishing scams – and how they are delivered. Provide training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
- Review your crisis response plan and prepare to maintain continuity of operations if attacked.
- Know how to contact federal authorities when phones are down or email has been wiped.
- Rehearse IT lockdown protocol and process, including practicing backups.
- Ensure backup of medical records, including electronic records, and have a 3-2-1 backup strategy. The rule calls for three copies of all critical data to be retained on at least two different types of media, with at least one of them stored offline.
- Patch operating systems, software, and firmware as soon as manufacturers release updates.
- Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
- Turn off IT where it is not used.
For more information on how to implement cybersecurity best practices in your practice, attend our Annual Meeting session on cybersecurity on Friday, Nov. 13 at 3:00 pm CT, which is part of our Practice Management in a Changing Landscape program. The AMA and the American Hospital Association (AHA) have also created resources to help physicians guard against cyber threats.