Blog

5 Simple Ways to Protect Your Practice from Ransomware Attacks

November 10, 2020

Ransomware attacks on hospitals are not uncommon. A 2020 report by IBM titled “Security: Cost of Data Breach,” showed that healthcare companies have fallen victim to the largest security breaches on record for the past six years running. Why? Because hospital ransomware attacks can be profitable for criminals.

Patient data is of the most sensitive nature. And, if you don’t know how to protect from ransomware attacks, this data is easy to steal, resulting in potentially fatal consequences. For this reason, we have put together our top 5 no-sweat ways to protect your hospital or medical practice from ransomware attacks.

What are ransomware attacks?

First and foremost, it is crucial that you understand what hospital ransomware attacks are. This way, you are better equipped to follow our easy-peasy tips on how to protect from these ransomware attacks.

Put simply, a ransomware attack is a form of cyberattack that aims to take control of your computer and either block access to files or encrypt data. This is done silently and without your noticing until you try to access a file or log into a program, at which point, a “ransom note” will pop up. This note is typically a threat that demands payment in exchange for the release of your files so that you can regain control of them. Essentially, at this stage, you are being held to ransom.

There are two main types of hospital ransomware attacks—“crypto” attacks and “locker” attacks. Crypto attacks encrypt your data and files and make it impossible for you to access them, while locker ransomware attacks will stop you from being able to use your computer altogether. In some cases, with every click of the mouse, you’ll receive another menacing pop up.

These attacks can be dangerous in any setting—especially in the realm of healthcare, as the data that is handled in hospitals and other practices is so sensitive. However, now that you know what hospital ransomware attacks are, you can begin implementing the following practices to avoid them:

1. Update your computer and back up your files.

Vulnerable applications and operating systems are the targets of most ransomware attacks. So, if your computer signals that it needs to update something, don’t hit snooze. Instead, have a coffee break and let your computer update itself when it needs to. Make sure you also regularly back up your data to a removable drive or the cloud.

2. Teach your employees about phishing emails.

Some links can look harmless, especially if they’ve been sent to you from a source you trust. However, criminals are crafty and often make malicious links look almost identical to legitimate site links. In some cases, just one letter alteration can send you off to a completely different domain that then infects your computer. Train your employees to check that links are authentic before clicking on them. If in doubt, use Google to search for the site rather than clicking a link directly.

3. Open email attachments cautiously.

Compressed files (or ZIP files) are typically the main vehicles for virus infections. If you have received a file of this type or similar, check that you are expecting to receive it and that it has come from a trusted source before opening it or downloading it to your device.

4. Keep your personal data safe.

It is vitally important that you hold personal data close and keep it protected. Most often, you can do this by regularly changing passwords and avoiding sharing too much information on social media. In addition, however, you should always check a website’s security before entering any personal data into it. Legitimate sites should have a visible privacy policy that offers basic information on how your data is being used and what (if any) third parties can see it. Depending on which browser you’re using, you should also be able to see a small lock symbol either in the URL bar or in a corner of the website page. This tells you that the website is secure and encrypted (for more information on this, check out the CISA’s guide to protecting your privacy).

5. Invest in a ransomware attack data recovery plan.

Ransomware attacks are silent and can spread rapidly. This is why it’s crucial to have a disaster recovery backup plan in place even before you suspect a ransomware attack; this way, your compromised data is more likely to be recoverable. It’s also a good idea to have regular drills to make sure the disaster recovery plan can be implemented immediately at the first hint of a ransomware attack.

Why is it so important to fight against ransomware attacks?

Simply put, ransomware attacks can have terrible consequences for both patients and the hospitals they visit. Not knowing how to protect from ransomware attacks could put a hospital into downtime for a very long period. The year 2019 alone saw a 750% increase in ransomware attacks, with trillions paid out to criminals who hijack data.

With COVID-19 now causing disruption to hospitals across the world, 2020-2021 will offer prime opportunities for criminals to steal vital data. So, as patients put their trust in hospitals for their data to be kept safe, it is, therefore, the hospitals’ responsibility to take proactive steps; it is their responsibility to ensure that all data is protected and that a ransomware attack data recovery plan can save this data, should an attack take place. Remember, ransomware attacks can cause financial implications for your business, but more importantly, they can put your already vulnerable patients at further risk.

Scale Technology can help.

COVID-19 has created a busier schedule for hospital employees than has ever been seen before. However, during this health pandemic, we want you to focus on what you do best. Worrying about cyber threats is our job, not yours.

At Scale Technology, we can give you the best guidance on ransomware protection, as well as other useful methods that will help keep patient data safe. We can also monitor your healthcare IT solutions to ensure best practices in healthcare security. Give us a call at 501-213-3298, or contact us online today and let us take care of these security threats for you.

How Weather Changes Can Affect Data Security

October 30, 2020

Whether or not you believe in climate change, the weather has been fluctuating wildly across the country over the last few years. Hurricanes, tornados, huge storm systems, flash flooding, record-setting heatwaves, and wildfires seem to be becoming the new normal. And while these events can greatly affect properties, they can also compromise your practice’s privacy security and electronic health records.

Here’s how to plan for backup and disaster recovery solutions and how to secure medical health records with information technology (IT) in a weather-related event.

Planning for natural disasters

1. Backups and data recovery

Tornados, hurricanes, flash floods, and major storm systems can cause major damage to power lines, breakers, cell phone towers, and other power sources and infrastructures. Sudden power surges and outages can fry plugged in computers, modems, and servers. This is why having a plan in place for data backup and recovery in healthcare is so important.

If your computer were to get zapped by a lightning strike or power surge, would you lose months of work because it’s saved only on that computer? How often do you back up your electronic patient records? Once or twice a day? Is that enough when you consider how many patients you see in a day? Moreover, how many records would be permanently altered by a loss of data entry?

To protect your practice’s privacy security and electronic health records, consider implementing your data backup and recovery in cloud computing systems. Professionals recommend that you take a backup of your entire system at least every fifteen minutes. This will ensure that you can always fully recover in the face of weather-related disasters. It will also ensure that patient data is better protected.

2. Implementing redundancies

Depending on your specialty or type of facility, you may or may not be able to comfortably suspend services in case of a power outage or a WiFi outage. How many devices are Bluetooth or WiFi connected? How many of your electronics are plugged directly into outlets and cannot run without power?

You don’t want to get caught in the middle of a surgery or other delicate medical procedure without access to power or the Internet. Even if you’re just doing administrative work, imagine losing an entire chart that you just detailed. What if you couldn’t log in to send an important prescription to the pharmacy before it closes?

This is why setting up power and WiFi redundancies for your practice should be a key component of your disaster recovery plan. You can install generators for power, and secondary WiFi sources (through a different provider!) to make sure that you don’t lose connection. You can also install ethernet connections, which are old school but effective in emergency situations.

Just remember that in case of a city-wide blackout or if cellular towers are destroyed by a natural disaster, there may be no internet alternative. This is why having a solid cloud-based backup recovery plan comes in handy.

3. Physical access

When you think about natural disasters, you might think of the damage that can be caused by water, lightning strike, or fires. However, you might not think much about the human element of danger involved during a natural disaster. Unfortunately, there are plenty of hackers who would love to take advantage of a closed and vulnerable office or stressed security measures.

That’s why adhering to the best data access security practices is so important, especially in the healthcare industry. You don’t want to face astronomical fines for endangering your protected health information (PHI) privacy security and electronic health records.

To increase your data access security protocols, consider using password-protected firewalls, requiring password changes from employees every 90 days, and creating a hierarchical information access policy. This hierarchical policy is important, because it means that employees will only have access to the data that they absolutely need to access.

4. Regular maintenance

Another key component of a successful disaster recovery plan is regular maintenance and upkeep. This means completing both physical and digital checkups of your systems and equipment on a regular schedule. For this, IT professionals recommend at least once a quarter. You can have a recovery plan in place, but if your backup WiFi router blew out a year ago without being replace, it would be all be for nothing.

Physical maintenance checklist

Make sure that you have surge protectors (not just power strips!) installed for all important and expensive technology.
Check your redundancy equipment, and make sure that it runs correctly.
Keep all electronic equipment free of dust, and clean it regularly.

Digital maintenance checklist

Make sure that all of your computers and devices are running on the latest software and anti-virus updates.
Check your backups to ensure that they’re uploading correctly and that they work with your updated systems.
Implement patches as they come out.

For more information

Scale Technology specializes in healthcare IT services. We’re a full-service managed IT services provider, and we offer a robust offering of data backup and recovery systems. We also offer HIPPA-compliant security services. From policies on the meaningful use of electronic health records to the physical installation of redundancy systems, we do it all.

We’re happy to perform an assessment of your current network, and offer you a full run-down of the updates and regulatory compliance that you need to be HIPPA compliant. Don’t wait until a natural disaster strikes. Make sure that you can bounce back quickly, and get back to doing what you do best: serving your patients.

If you want to ensure that your privacy security and electronic health records are air-tight, contact Scale today at (501) 222-8991, or submit this form to request a consultation.

How safe are health tracking apps?

September 29, 2020

In recent years, IT in healthcare management has become a hot topic among people everywhere. In the United States alone, 45% of people have used products like digital health apps and fitness trackers, according to Gallup research.

While it’s undeniable that these apps can make staying fit and keeping up with your dietary regimen much easier, they also present a potential risk to your data security.

These devices collect millions and millions of gigabytes of user data on a monthly basis. Even though a good number of companies behind these apps abide by HIPAA-sanctioned data protection guidelines, they can’t guarantee the safety of your personal information.

Today, we’re going to talk about electronic health record security, including how many health tracking apps actually collect user data, in what ways this data collection can affect your personal life, and the most effective data security tactics and best practices you can implement to better protect yourself.

How Many Apps Share Your Private Data?

Modern entrepreneurs have been transforming healthcare with IT for more than two decades. The resulting healthcare apps can now help with everything from tracking your prescriptions and fitness progress to measuring your blood pressure and heart rate in real time. However, a recent study from the BMI Journal has shown that these apps also pose a great risk to consumers’ privacy.

For this study, researchers took 24 random health tracking apps from the top 100 apps in the Google Play store and examined their data-protection capabilities. What they discovered was astounding: nearly 80% of the apps in question were shown to share data in ways that violated user privacy. In particular, many developers and their parent companies share user data with 3rd-party organizations, who, in turn, sell that data to 4th parties and so on.

How Data Collection May Affect Your Life

You may be thinking, “Sure, these apps may be collecting my personal data, but what company doesn’t do that nowadays?” This may be true; it may seem pointless to worry over health tracking apps when there are other apps that follow similar practices. However, it doesn’t benefit to ignore the dangers completely. Data collection can negatively impact your life in several ways over time, including the following:

All Your Basic Personal Information Gets Shared

App developers collect user information for data analytics, which helps them in improving their services. Unfortunately, the collected data is often shared with other companies, who then sell it to 4th-parties like Facebook and Oracle.

This shared data often includes all of your basic info, such as your name, age, gender, height, weight, email address, and more. Having this information shared may seem harmless on the surface, but it tells outside companies several details about you that can prove harmful if misused.

Your Personal Device Gets Overrun by Advertisements

Even though the apps you download may not cost you any money, the companies behind them still need some way to make a profit. Often, these so-called “freemium” apps earn their money by sharing your identifiable information with advertisers and allowing advertising networks to track your mobile device. At best, it can be a nuisance; you may find that you see more and more advertisements as you use the apps. However, these ads can lead to targeted ads, which monitor your online behavior in much more invasive ways.

Due to Poor Security, Your Data May Be Leaked At Any Time

More often than not, health tracking applications transmit data over insecure networks. What’s worse, some of them don’t even encrypt the data, making it far more vulnerable and easy to breach. If you think this won’t happen to you, just keep this fact in mind: in the biggest healthcare data breach last year, more than 25 million files were leaked. You can’t be too careful—it pays to fortify your data security however you can.

4 Electronic Health Record Security Methods

You can’t prevent development companies from collecting certain personal data, like your first name, surname, and email address. But, you can use certain tactics to reduce data collection. Let’s talk about data security methods and best practices for protecting your personal information.

1. Select Your Health Apps Wisely

Most healthcare IT experts recommend that you take some time to research the apps you’re interested in before you even download them. One way to do this would be to talk to your insurance agency and see which apps they recommend. Apps suggested by reputable sources of this kind are far more likely to follow security guidelines and fall under data privacy laws, and they may even prove to be more useful than some of the apps you might come across on your own.

2. Make Sure to Read the Privacy Policy First

If you decide to simply download a few apps without consulting anyone, you should still do a few things to protect yourself. Although it may seem obvious and simple, reading the privacy policy is one of the best practices in healthcare security. Be sure to check whether the company shares information with 3rd parties. If this is not clear in the policy, you should avoid the app.

3. Google the Company From Time to Time

You may find an app that appears to have a solid stance against data sharing. However, just because the privacy policy says that the company doesn’t share data with 3rd-parties doesn’t mean they won’t change the policy later on. As technology advances, so do the practices of individual companies, and the resulting changes can sometimes be for the worse. Make sure to research your app from time to time and see if there are any big developments you might’ve missed.

4. Check the Privacy Settings on Your Apps

Another thing you need to do as soon as you install any new app on your device is to check the privacy settings. Carefully examine the permissions the app is asking for. For example, some apps request very little access. However, if the app is asking to access your contacts, location, or microphone, you should take it as a red flag and stop using the app altogether.

Take Control of Your Electronic Health Record Security Now!

We’ve covered all the basics. In general, you’ve got all you need to know about your privacy security and electronic health records right here. If you don’t want to go over the entire article again, here’s a quick rundown:

Make sure to research/check all apps before downloading them
After you install an app, take the time to read its privacy policy
Research the companies behind the health apps you’re using
Go through the apps’ privacy settings and limit data collection

When it comes to data security, these are the best practices. That said, you can’t go wrong asking for additional help from the experts. If you are worried about data security in your practice, contact Scale Technology today. Ask for a meeting—we are happy to help you one-on-one. Let us give you the tools to improve the safety of your clients’ data in no time.

The Latest Trends in Email Phishing and What You Can Do About Them

September 9, 2020

Societal investments in tech development and advancements in the consumer experience are making data as precious as a natural resource. Valuable information like patient data welcomes unwanted cyber-attacks. Learning how to protect patient data and other aspects of your business is absolutely critical to any company. In healthcare, protecting patient data becomes even more important because doctors’ offices and other facilities hold a lot of very vital, very personal information.

According to HIPAA Journal, “Phishing attacks are becoming a greater threat to the healthcare industry than any other attack vector.” Phishing is one of the most common hacking tactics used to access patient data and even slip ransomware into your system. Patient data can be used to create fake identifications and all manner of nefarious (but lucrative) items. Ransomware is a hacking technique in which stored data can be essentially kidnapped and held for ransom.

Being aware of the latest phishing trends is vital not just for protecting patient data but for protecting your entire business. Check out some of the current, most popular phishing techniques and what you can do to stay ahead of the game and protect patient data.

Social Media Infiltration and Insecure Links

Engaging with multiple social platforms on a daily basis has become essential to many businesses. Hackers have fashioned their tactics around this frequently used but often poorly protected asset. If your company has social media accounts, it is vulnerable. Depending on the object of the attack, hackers may wind up rummaging through their victim’s personal information — patient data and company data.

Using HTTPS websites has become a more common means of phishing — the use of these sites has increased by 900% since 2016. The “S” in HTTPS stands for “secure,” and this is supposed to be the big difference in HTTPS (versus HTTP sites). The trick is that the links are not actually secured. When information is entered, the phishers then have access to your email address and password at best and potentially other important information.

Common attacks in this field stem from fake social accounts. Attackers send direct messages to real users, linking them to insecure pages designed to capture their login data. The more personal approach in social platform attacks makes this even more dangerous.

Important Email Mimicry

A 2018 Verizon Data Breach Investigations Report found email was the primary means of entry in 96% of data breaches. In a survey of 1,300 doctors, The American Medical Association and Accenture found that eight out of ten doctors had been cyber-attacked — more than half by a phishing email.

Even the most cautious employee can be caught off guard by an email from the boss. One of the more devious phishing trends comes from an email address with a domain mimicking that of the company. The recipient is asked to respond to a link that looks like a company survey. In one fell swoop, a patient data security breach occurs, and the entire organization can be infiltrated.

Furthermore, some emails are designed to look as if they come from reputable banks and credit organizations. The included links then allow malware to start mining cryptocurrency on the infected computer. Harvesting credentials can also occur this way — “a phishing template that employs a custom web font to implement a substitution cipher (among other techniques) to render well-crafted phishing pages” allows phishers to steal the recipients’ data without leaving evidence behind.

Fake Email Attachments

Opening an attachment or clicking a link might seem harmless, but the results can be catastrophic if it comes from an unchecked source. New ransomware tactics will use these as entry points into a company’s data storage. These attachments may target work-related topics like “HR Payroll Dates Change” or “Company Card Fines.” Links might look like serious, important, work-related pages. The titles are used to overwhelm the employee, making them overlook telltale signs of fraud in a rush to open the email.

In truth, however, these links can contain viruses (like the Emotet trojan in 2019, which got sent to one million email addresses in just one day) or, again, links to unsecured sites that allow hackers into your system to access data or important company information.

Other Forms of Phishing

Every emailing platform eventually updates, generally through downloads. Disguised as an update, many employees fall prey to downloading a malicious threat. This phishing technique will lead the victims to another site with a fake login page. Instead of updating their system, it steals personal information.

Even mobile devices are at risk now. Although this is not an email scam, many phishing schemes use text messages, often linking you to the site where you can “collect your $1000 Amazon gift card!” or warning you of the “final notification regarding the USPS delivery” from a past date. You can only view these links on a mobile device, and they are pretty much guaranteed to hack into your phone and/or store your login credentials for future reference.

Phishing may make use of multiple folders so that every time the site is opened a new page loads. This keeps the site open longer and allows hackers to access hundreds — if not thousands — of pieces of information, belonging to companies, private individuals, and — you guessed it — your patients.

How to Protect Patient Data from Phishing Scams

Educate Employees

One of the best ways to stay safe is by staying educated. Make sure to engage in cloud data security best practices, potentially even making documents about it widely available for your company. Designate a specific employee or employees to periodically read up on phishing trends and other current hacking scams. Have them update key employees or make time for periodic reports, including any employees that use a company email or access the internet.

Everyone with a business email at your company should know how to protect their email address. Keeping company emails safe is vital to protecting patient data. Make sure to take steps so all your employees know how to use their company addresses safely. Avoid signing up for newsletters from unknown sites, and pay attention to emails from people you do not know — even if their name comes with “VP” attached.

Keep Up With Cloud Data Security Best Practices

Healthcare businesses have valuable patient data, so a data backup and recovery in healthcare information is a must. Having a backup system is one of the best forms of security. Using the cloud, as long as you take the appropriate precautions, can be a great protective measure.

Companies can lose hours and smaller businesses may forfeit a whole day trying to get patient data back from a ransomware patient data security breach. Smaller companies are more likely to lose more time, which is much more expensive for them too. Unfortunately, small and mid-sized businesses are also less likely to be able to afford in-house IT security services.

Invest in a Managed IT Security Service Provider

The best option for smaller companies is leaving it to the professionals; of course, any company can benefit from a professional IT security provider. Managed IT security services providers are a great option to help you tackle security and data management and to keep patient data protected. Managed IT security services providers can also do things like provide safer email platforms, improve operational efficiency, and ensure your company is using cloud data security best practices. The best part, of course, is that it requires very little of your time!

For More Information

Tired of trying to keep up with the ever-changing methods of hackers? Let Scale. Scale Technology is a managed IT security services provider. We can take over your IT security measures and make sure you have the protection you need. We understand how important data backup and recovery in healthcare is, and we know how to protect patient data from phishing schemes, malware, and ransomware. To get started with a consultation, contact Scale today!

Receiving Hospital Treatment? Here’s What You Can Do to Protect Your Privacy

August 24, 2020

During a stay in the hospital, it’s likely that your cybersecurity is one of the last things on your mind. But hospital data security is increasingly becoming the target of ransomware attacks, phishing scams, and data mining schemes. And while patient data security and IT healthcare compliance are an increasing concern among hospital administrators, there are still steps you should take as an individual to keep your personal information safe.