Even more stories are coming out about ransomware, and the health care industry has been hit pretty hard lately.
One such case is from Boardman, Ohio. N.E.O. Urology was hit with ransomware and paid $75,000 in ransom. DataBreaches.net says “that the practice decided to pay the ransom as it was losing $30k- $50k per day that it was unable to access its system.” Essentially, if the health care provider waited too much longer, it would have been more expensive to not pay the ransom. However, the issue with ransomware is that the provider might not receive the decryption key, leaving them out of the $75,000 and not being able to access their records. Another concern is the attacker might try to attack N.E.O. Urology again.
In our very own backyard in Colorado, Estes Park Health suffered a ransomware attack that started locking down files. Thankfully, the IT team was able to take quick steps to help thwart the attack. The Leadership Team made a decision in the past that paid off for them; they purchased cyber insurance just in case of such an event. Unfortunately, enough systems and files were affected that a ransom was paid, but through the insurance company. Software in the clinic was the first to go offline, followed by its digital imaging software, which stores all X-rays and other medical images. The attack wiped out the network and its phone service. It’s unclear how much ransom was actually paid.
In another unfortunate case of ransomware, through Tenx Systems, more than 60 assisted living communities were attacked. The company uses ResiDex Software to run all the facilities. It was discovered that an “authorized” user accessed the system and released a ransomware assault. ResiDex moved the servers to a new hosting provider, thereby avoiding paying on any ransom demands.
These are just a few cases of ransomware in the health care industry. If you do a search for cases of ransomware on health care providers and their business associates, you will find many more. HIPAAgps can help teach your employees how to protect PHI, but to really get a good understanding of your security posture, purchasing a social engineering campaign might give you more information and power to protect your organization.