An ounce of prevention is worth a pound of cure, as Ben Franklin once said. The same is true regarding ransomware and dental practices. Prevention, along with education and awareness, is the best defense. Practices must take the necessary steps and develop strategies to protect themselves now, because there is a good chance that an attack will occur.
In the spirit of prevention, below are five key ways that can help build a defensive, in-depth strategy to protect your practice against a ransomware attack.
1. Maintain secure backups
Backing up your critical data should be as second nature as brushing your teeth, but often those backup copies are not secure. If the backup data are in the same network or not secure and an attack reaches all the systems in your network, then the backups get encrypted as well. Having your backups under ransom is as good as not having backups at all. Consider carefully whether cloud or offline storage (DVD, tapes, or other means) of backup data is appropriate for your organization.
2. Advanced email scanning
Emailing filtering is common these days; however, the threats are more sinister than offers of free vacations or free Viagra. Ransomware hackers are crafting new, zero-day (brand-new) attachments, and phishing hacks to get into your systems.
Email is the easiest way into your network and is commonly the least secure. We have found that services such as Mimecast give robust attachment transcription (making an Microsoft Word doc into a PDF, for example) and more advanced virus and phishing filtering to help protect your end users.
3. Network segmentation
Keeping critical data and servers segmented logically from computers that are used for web browsing and email keeps your critical data safe. You can work with your local IT resource or vendor to put together a solid network segmentation configuration for your critical systems.
4. Create a response plan
Knowing what to do -- and not to do -- is critical if and when an attack happens. You'll want to have phone numbers handy, know where those secure backups are, and know how to get to them so you can recover quickly and efficiently. Ensure that the plan is written down and printed out (you don't want the plan ransomed) and that it's reviewed annually, at a minimum.
5. Staff training
At the end of the day, it's not the sophistication of an attack that determines its success, it's the weakness of the end user. As programs from the Sans Institute teach us, the most important security measure is end-user training. End users need to know about the following:
- Email attachment safety: Be suspicious of any attachments and only open if they've been screened by a third-party filtering solution.
- Clickable URLs: Never click hyperlinks (URLs) contained in emails. If you feel that the email is legitimate, then simply navigate to that location manually in your browser. Phishing emails that contain deceptive web addresses are an easy way to get ransomware into your network.
- Social engineering: Beware of people physically interacting with your computer systems and also attempting to extract data from you over the phone, pretending to be someone they are not. Require identification for anybody working on critical data systems in your office.
A lot more information on how to protect your practice from ransomware is available on the Internet. The ADA and U.S. Department of Justice also have information on their sites that can give you additional information. Please take the time to review this information and protect yourself and your practice. The investment made today could prevent your patients' health information from being illegally disseminated, and it could also save your practice a ton of headaches and money in the future.
Steve Godfrey is the chief information officer for NEA Powered by Vyne, where he leads the security and compliance team.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.