Medford Medical Office Victim of Ransomware

Over the Memorial Day weekend, a Rogue Valley medical office was the victim of a ransomware attack. Patient records and images were compromised. Outside partners seemingly have not been affected or compromised. The substantial cyber security breach did, however, involve an organization linked internally.

Despite ongoing investigations from a forensic cyber security team, the number of patients and amount of data affected have yet to be determined. One of the two facilities affected was still locked out of its systems as of June 6th. This was reported to us by one of their patients. They are taking patients again, but the lockout has caused patients to be rerouted to outside offices. We anticipate this will cause a backup and may greatly delay the speed and ability of patients receiving services.

What is ransomware?

Ransomware is a type of malware (malicious software) that is used to take data files hostage and hold them for ransom. This type of cyber-attack is often targeted at industries such as medical and dental, but it does not discriminate. It is often used against other industries, small businesses or practices, and even individuals. The demands vary, but for large businesses and corporations they can reach into the millions of dollars.

The outcome of a ransomware attack:

In the medical and dental industries, hackers are after patient files, financial information, imaging, etc. Ransomware will render a practice inoperable. This is especially true if the facility or practice does not have immutable backups. Storing unchangeable data backups offsite and on a separate network should be adopted by every business (and every IT/Cyber Security company should be facilitating it).

Ransomware attacks come at another crippling cost: hefty fines for violating HIPAA and HITECH laws. In non-medical fields, there are confidentiality rules and compliance regulations (PCI and FINRA, for example) that also carry significant fines for violations. For small businesses and practices, these types of attacks are doubly devastating: events like data breaches can irrevocably damage a company’s reputation. Trust between consumers and providers is damaged, causing even greater loss of revenue. Eventually, their doors close forever. 60% of small businesses and medical practices close their doors for good within 6 months of a data breach event.

How to protect your business:

The short answer is: you can’t FULLY ensure that your business or practice will NEVER fall into the hands of criminals. You WILL have an attempt at some point. With your cyber security team putting certain precautions in place, and you and your employees following some general rules, you will greatly minimize the risk of a successful attack happening.

Anti-virus is NOT enough.

You used to be able to just install a program on your computer and run regular scans, but as technology has become more sophisticated, so have viruses. You need an entire system of cyber security measures in place to keep an attack from sneaking through, and most of these are not things that the average Joe or Jane can manage.

Among these are a properly installed and maintained firewall, immutable and offsite data backups, and constant monitoring for data breaches and security weaknesses. These are all things that should be handled by a trusted IT company dedicated to cyber security, and not an individual, whether they do IT or not. We strongly recommend reading our IT Buyer’s Guide to check and see if your current IT measures up. If not, give us a call: 541-494-2099.

Some practice management software (such as Daisy in the dental industry) offers some minimal features that can assist in minimizing risks. But these features are NOT a replacement for having a trusted IT team in place that specializes in cyber security and compliance regulations for medical/dental practices and small businesses alike. We have seen this far too many times: dental offices assuring us that their cyber security needs are being met through this exact PMS. This leaves the practice far too vulnerable to a cyber-attack.

Regularly train your staff on Cyber Security Best Practices.

The #1 way people and businesses are hacked is through phishing emails. Clicking a link or opening an attachment from an unverified source can invite a virus in and wreak havoc. Proper, regular cyber security training can help reduce the likelihood of successful attacks. To sign up for our NO COST cyber security training click HERE.

We also highly recommend periodic testing and analysis.

Penetration testing employs white hat (ethical) hacking techniques. A cyber security team attempts to hack you to see where your business is vulnerable. Performing regular dark web scans and security assessments is equally important, and annual risk assessments are a HIPAA requirement.

Counting this most recent attack, has seen a number of cyber-attacks and attempts over the last couple of years. Even learning institutions have been hit, or had attempts through phishing emails sent to student inboxes. Cyber security is an important investment in your business or practice. Skimping on protection to lower costs WILL cost you significantly more in the long run. Compliance regulations will hold you responsible for failure to secure appropriate security measures. The resulting fees will far surpass the cost of your investment in appropriate cyber security. You might as well have thrown your money in the trash.

Book an appointment with our cyber security experts today. We will discuss an individualized cyber security plan with you and schedule a NO COST Risk Analysis.
