I recently read this article from the Cybersecurity and Infrastructure Security Agency regarding the ongoing ESXiArgs ransomware attacks, and it got me thinking about why our industry is such an attractive target for hackers.

From the desire for our teams to work efficiently to the need to share data across entities for optimal patient outcomes. However, the reason healthcare is consistently among the top three favorite industries for bad actors is that we are so reliant on our data. Everything from appointments to collections is dependent upon our systems functioning unadulterated, making our data valuable to us as an organization. When you add on top of that the reputational damage that can occur when news of a hack gets out, it becomes obvious hackers are fishing where the fish are.

Train and Test Your People

The glow of a screen bounces off the unshaven face of that weird guy from high school as he sits in a dark basement next to a stack of computers with flashing lights and whirling disks. Skillfully, artfully, methodically find his way into your systems… Makes for great movie entertainment, but this is not how the hack usually works. In reality, a guy in a coffee shop pushes a button and releases a flock of emails informing your staff that the HR department has a new policy for them to sign. All they need to do is sign in and read the document. And if they don’t do it by 5 PM today, their paycheck may be delayed. Shortly thereafter, someone is accessing your EHR and no one knows how it happened.

The most exploitable part of your network is not your computers – it’s your people. In healthcare, we are required by law to train our people. It’s not a burden, it’s an opportunity to find our soft spots and harden our environment.

Patch Your Systems

If you didn’t read the article mentioned at the beginning of this post, I’ll cut to the chase. The rapidly spreading EXSiArgs ransomware exploits a vulnerability patched two years ago. Make sure you have a patch program for all your systems that keeps laptops, phones, servers, printers, routers, firewalls, and anything else on your network up to date at least monthly. A strong patch program will apply updates more frequently based on how likely a hacker will be able to exploit the vulnerability and the damage that can result.

Risk Assessment

If you operate in the healthcare space, you are almost certainly subject to HIPAA either because you are a covered entity such as a medical practice, or because you are a business associate such as a revenue cycle management company. This means you are required by law to complete an annual risk assessment. Depending on the size and maturity of your business, this assessment can be straightforward with either this tool provided by HealthIT.gov or with outside help. No matter how you meet this requirement, remember that the goal is not to get a perfect score. The purpose of a risk assessment is to take a hard, candid look at your risk, identify areas for improvement, develop a plan, then execute that plan.

Bring in Help

Not everyone has the time, resources, desire, or even the need for dedicated IT staff. Fortunately, there are a number of companies ready and willing to fill any number of needs at an affordable rate.

The reality is that if you use computers, people are trying to hack your systems. Every day, all day. A quick look at any set of firewall logs will show thousands of attempts to breach your perimeter. Now the majority are clumsy attacks launched by lowbrow bad actors using any number of tools readily available on the web. These will show up as port scans, buffer overflow attempts, and other intrusion methods from which even the smallest of companies should be readily protected. But more sophisticated efforts are always being developed too. Don’t roll the dice with your technology.