Regular staff education and updated tools such as antivirus software are key to hospital ransomware protection strategies, according to Edward Zacharias, a partner at McDermott Will & Emery LLP.
“If you look at where ransomware attacks originate, for the most part, it’s through phishing or spear phishing scams. Really, the common denominator in a lot of these cases is human error,” Zacharias said in a HealthITSecurity.com article.
It’s imperative to teach employees not to click on links in suspicious emails, to use only USB drives issued by the organization, and not to download information from the Internet, he said.
HIPAA requires that new hires receive training on the privacy and security of patient information, he pointed out. This training can be expanded to cover best practices for protecting against ransomware attacks, as well as education on the organization’s policies and procedures. The training may vary according to the organization’s size and culture, he said. While there is no “magic number” for how often training should occur, it should be frequent enough to keep security top of mind among employees, but not so frequent that it becomes a burden on staff.
Just this week, the Health and Human Services Department’s Office for Civil Rights released guidelines on HIPAA and ransomware. It notes that if a healthcare organization’s computers are infected with ransomware, the government considers it a data breach unless there’s a “low probability” that information has been compromised.
Zacharias also urged organizations to maintain a thorough map of their various systems and to understand which ones are the most critical. That was one of the lessons MedStar Health learned after it suffered a ransomware attack, according to Craig DeAtley, the organization’s director of emergency management.