By Stan Shaw, Founder, CTS
A highly respected physician here in British Columbia recently told me that many clinicians he has spoken to view privacy leaks and unauthorized access as a government or health authority issue. That may be true, but a threat has emerged that can instantly endanger not only the confidentiality of personal health information, but also the operation of your clinic and your bottom line.
The threat is ransomware.
According to Symantec, more than 1,600 incidents per day hit Canadian firms in 2015, the last year for which these statistics were reported, and the threat is growing. Last summer, Solutionary, a large security services firm, reported that ransomware had become its single biggest incident response engagement during the previous quarter, and that, across industries, 88% of all detected ransomware engagements targeted healthcare.
Some of the best-publicized healthcare ransomware attacks last year, including one in Ottawa, hit hospitals. Indications are that, with increasingly sophisticated exploit techniques, attackers are moving toward data-intensive businesses, including medical practices, hospitals, financial services and legal services.
It is not difficult to imagine why healthcare data breaches are far more dangerous to victims than other breaches. Even a small one- or two-physician clinic can hold 3,000 to 6,000 confidential electronic medical records. A privacy breach is serious in itself and could put your clinic out of compliance with PIPA (BC's Personal Information Protection Act); ransomware goes further and holds computer systems and medical data hostage by encrypting files and locking out access until a ransom is paid. Frequently the 'hostage note' states that the data will be destroyed unless payment is made within a given time. The disruption to patient care could be significant. And ransomware is evolving rapidly. One of the latest variants, doxware, holds computer systems hostage like other ransomware, but takes the attack further by threatening to release personal information publicly unless the ransom is paid, so a good backup alone does not make the threat go away.
How many clinics have already been affected in western Canada? We don't know. It is quite possible that some clinics, like many Canadian businesses, have quietly paid ransoms to regain control of their systems. According to one study, Canadian companies are 75% more likely to pay ransoms than those in the US, UK and Germany, and 82% of those that did not pay lost files. Ransom demands have ranged from $1,000 to $50,000. And it is not uncommon for the same business to be hit more than once, by the same attacker or by others.
How can you protect your clinic? The following 10 recommendations are based on suggested actions by Public Safety Canada and others.
The Doctors Technology Office (DTO) at Doctors of BC has published a technical bulletin entitled Malware/Virus Security Risks that may be of help. Further advice can be found on the RCMP website, in Public Safety Canada advisories (2013 and 2016), in advisories issued last September by US-CERT and the FBI, and at No More Ransom, a site built through the work of several European police agencies, Kaspersky and Intel.
In the next post in our series of privacy and data security best practices, we will discuss what you can do to reduce risks to your clinic in case of a security breach.