In May, Great Britain’s National Health Service (NHS) was hit by a large-scale cyber-attack. Some hospitals and practices across England and Scotland were unable to access patient data, after their computers were locked by a ransomware attack demanding payment in virtual currency, Bitcoin. However, there was no evidence that patient data had been compromised. The attack was not limited to the NHS. Other countries and organizations were hit as well.
In response to this international ransomware attack campaign, the US government is distributing information to healthcare entities and public health organizations through the ASPR Critical Infrastructure Protection Program. This unique public and private sector partnership is a coordinated effort to ensure that healthcare facilities have the plans and programs needed to prepare for threats to their infrastructure and manage risks. They also offer resources for help with the aftermath of a disaster or emergency. For more information about them, visit: https://www.phe.gov/preparedness/planning/cip/Pages/default.aspx.
Keep your employees up-to-date through ongoing education and training to avoid Phishing scams. The best defense is a strong offense. Make sure your practice has a capable IT firm that keeps up with the latest in anti-virus and other security software.
OCR provides cybersecurity guidance materials including a cybersecurity checklist, ransomware guidance and cyber awareness newsletters at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html.
In the event of an attack
If your organization is the victim of a ransomware attack, contact the FBI, Field Office Cyber Task Force. You can find a local office here: www.fbi.gov/contact-us/field/field-offices. You can also contact the US Secret Service Electronic Crimes Task Force: www.secretservice.gov/investigation/#field. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime. Then report cyber incidents to the US-CERT (www.us-cert.gov/ncas) and FBI’s Internet Crime Complaint Center (www.ic3.gov).