By Robert McDermott, President/CEO, iCoreConnect
From the Winter 2019 Journal of the Colorado Dental Association
“Ransomware reigns supreme in 2018, as phishing attacks continue to trick employees…A criminal only needs one victim to click on their malicious link or download to gain access to an organization.” TechRepublic1
Malware. We’re calling it the most significant disease that can infect your practice. Let’s start with some simple definitions:
- Malware is quite literally any software that’s operating on your system with malicious intent.
- Ransomware is malware that criminals use to hold your data or system hostage until you pay a ransom. And if you pay, they may or may not release it.
- Phishing comes in different forms. It is most commonly seen when criminals use email to get their malware into your system. This could be as simple as an attached Word document, a malicious link, or even someone posing as IT staff.
So why go to all the trouble? As you might imagine, it all comes down to money. The data sitting at your dental practice turns out to be very valuable to those who operate in a shadow economy—in fact, it’s far more valuable than stolen credit card data.
Consider a retail store that runs hundreds of credit cards per day. When their data is stolen, it is commanding around $8 to $12 per record. But for every health record stolen from your dental practice, criminals can get about $50 on the shadow market.2 So the data in your hands is worth roughly quadruple straight credit card data.
These numbers have led the Health and Human Services Department (HHS) to issue extremely strong warnings:
“Healthcare, in general, is and has been the number one critical infrastructure sector to be targeted by cybercriminals… This virtually ensures any new attack will target healthcare organizations first and foremost.” (HHS Report, April 12, 2018)
Let’s drill down to better understand how a typical ransomware attack might happen. While there are multiple ways, phishing is by far the most common, because it’s the easiest. You only need one person in your practice or Dental Service Organization (DSO), to be tricked by an email that’s pretending to be something it’s not.
Again, this could be as simple as opening an attachment (even something as non-threatening as a PDF) or clicking on a link inside an email that either installs the malware or leads the user to a real-looking site that captures a username and password.
Once a single phishing attempt is successful with just one person in your organization, the malware goes into your system and begins its nefarious work. Sometimes it sits dormant for a while. But sooner or later, it begins collecting information. And sometimes, it begins destroying your backup files.
Regardless, there are usually two options for what happens next:
- The malware sends your data back to the cybercriminal. This includes the actual Protected Health Information (PHI). It may also include additional data that will help the criminals take further control of your system. This could go on perpetually.
- The other popular option is that the malware will lock you out of your entire system and post a ransom message. This can often deny access to any computer in your practice. This is when you have officially entered the category of “ransomware.”
Most typically, you’re asked to pay in Bitcoin, so the funds are not trackable. Bitcoin is an electronic payment system that doesn’t go through a bank or other payment gateway. We’ve seen ransom requests range from hundreds to hundreds-of-thousands of dollars. And we’re also seeing escalating ransoms. If you pay $10,000, they may up the ransom by another $20,000. And of course, this doesn’t even account for the HIPAA violations you’ll have to deal with later.3
So, no matter how you slice it, you don’t want to encounter malware in your practice.
How do you know if you are under a ransomware attack? The HHS list of indicators4 include:
- Users realizing that a link that was clicked on, a file attachment opened, or a website visited may have been malicious in nature.
- An increase in activity in the central processing unit (CPU) of a computer and disk activity for no apparent reason (due to the ransomware searching for, encrypting and removing data files).
- An inability to access certain files as the ransomware encrypts, deletes and re-names and/or re- locates data.
- Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (this would most likely be detected by IT personnel via an intrusion detection or similar solution).
Most importantly, how do you prevent an attack from happening? Healthcare Cybersecurity and Communications Integration Center (HCCIC) offers the following advice:5
- Back-up data regularly and use off-site servers for backup and storage.
- Secure your backups, ensuring backups are not connected permanently to the computers and networks they are backing up. Backups are critical in ransomware recovery and response; if infected, a backup may be the best way to recover critical data.
- Restrict access behind firewalls and the number of users who can log in to remote desktop applications.
- Train your staff to assist in detecting malicious software and how to report such detections.
- Conduct an annual vulnerability assessment.
- Use strong/unique usernames and passwords with two-factor authentication (2FA).
- Limit users who can log in using remote desktop.
- Implement an account lockout policy to help thwart brute force attacks (set a maximum number of attempts before locking out the account).
These steps, along with HIPAA-complaint practice management and email exchange systems will help prevent you from becoming the next victim to malware, ransomware or phishing.
iCoreConnect’s HIPAA-compliant email, iCoreExchange, is actually unable to be phished. Additionally, iCoreExchange is encrypted at the highest levels and all data is stored remotely. iCoreExchange has been vetted and endorsed by the CDA.
Robert McDermott is the CEO and President of iCoreConnect. iCoreConnect creates communication and practice management software that allows professionals to share information at the highest levels of security, backed up with real customer service. Contact iCoreConnect at 888-810-7706 or icoreconnect.com.
- www.techrepublic.com/article/ransomware-reigns-supreme-in-2018-as-phishing-attacks-continue-to-trick-employees/
- www.dentistryiq.com/articles/2018/04/prevent-medical-identity-theft-empower-dental-health-care-workers.html
- www.aha.org/system/files/2018-04/corrected-HCCIC-2018-002W-SamSam-Ransomware-Campaign.pdf
- www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
- www.aha.org/system/files/2018-04/corrected-HCCIC-2018-002W-SamSam-Ransomware-Campaign.pdf