5 Steps to Protect Your Healthcare Practice from Ransomware

While ransomware attacks are on the rise in nearly every industry, healthcare has been hit particularly hard. And it’s not difficult to imagine why; medical practices are a treasure trove of financial and personal data. That makes you an attractive mark for criminals looking to use this data or sell it on the dark web.

To make matters worse, smaller practices are becoming a popular target for ransomware attacks. According to a 2022 report from cybersecurity firm Critical Insight, incidents in small practices increased from 2% of all industry attacks to 12% in just one year. The days of thinking you’re safe because you’re not a large hospital or organization are long gone.

Plainly put, a ransomware attack can cost you dearly. Operations come to a halt, leaving you without the ability to bill for services or process payments. Current and potential patients could lose their trust in your ability to protect their information and take their business elsewhere. On top of that, you could have potential penalties and lawsuits that plague you for years.

With revenues already being impacted by personnel shortages, COVID, regulations and more, these threats to your financial stability are the last thing you need. It is important to take these steps to protect your practice from a ransomware attack.

Secure devices

Make sure any devices used to access your network and EHR applications are protected with an advanced, layered security stack beyond just a basic firewall, antivirus and spam-filtering software. (An IT professional can help with this.) As a best practice, don’t access your software with a device you also use to check social media sites and free email accounts like Gmail or Yahoo. Keep personal activity off of your key business systems.

Strong passwords

Maintain passwords of at least sixteen characters that mix uppercase and lowercase letters, numbers and symbols. We strongly recommend using a passphrase made of multiple words instead of a single word. However, avoid common, readily identifiable phrases like “We the people” or “Is this the real life?”. (Check out more information on robust, effective passwords.)

Multi-factor authentication (MFA)

MFA is the leading method to protect you from a compromised password and should be set up for any device logging into your organization and any application you use. It requires a second verification step after your password, providing another layer of protection if your password becomes compromised. Your account cannot be misused if that second verification doesn’t succeed.

Insulated data backups

Hackers often target your data backups first to keep you from weathering an attack without paying their ransom. So back up your data regularly and store it in a safe location separate from your main production network. This is often referred to as air gapping your backups. Air gapping minimizes the chance an attacker can damage your data backups.

Speaking of data backups…

Set up a ransomware-proof data backup system and process.

Data backups don’t do any good if they’re compromised or otherwise inaccessible when you need them. Yet we see many practices store their backed-up data along with the rest of their data and technology on the production network and in the same server room. This makes your backup just as vulnerable in an attack or at risk during a disaster.

A ransomware-proof backup is shielded from attack, and you can achieve this with a few basic principles. First, as we’ve already discussed, air gap your data backups so they are logically and physically separated from your production system.

Second, always maintain multiple copies of your backups. Keep a locally stored (but still air gapped) copy of your data. The local copy lets you back up everything quickly and typically allows for fast data recovery.

Your second copy of data should be off site. This can be in the cloud or even in a geographically distant office. Just make sure the data stored in that second location is not the same copy as the production data used in your system for regular operations. (Note that the air gapping recommendations still apply in remote locations.)

Document your data backup and recovery processes in your Disaster Recovery Plan (DRP) and test them routinely. A ransomware attack or other emergency is not the time to discover key information is missing from your processes — or that your backups have not been working.

Key information that should be documented in your data recovery process includes:

  • Key persons contact list
  • Primary vendor contact lists
  • The locations of your backup systems and data
  • Basic data recovery steps
  • Advanced failover steps to your business continuity solution. Failover to a business continuity solution is typically performed during a severe attack or disaster that is expected to cause an extended production interruption. You can liken this to putting a spare donut tire on your car if you get a flat. You can’t run forever on it, but it’s enough to get you to a mechanic.
  • Steps to failback after the disaster has passed. Failback is when you restore your network from your backup once the situation is resolved. Using the flat-tire analogy, this is like replacing the donut with a new tire. Unlike the steps to failover (during which the organization is already experiencing a production interruption), failback has to be carefully orchestrated to minimize further production interruptions and prevent the loss of any work generated while operating in the failover environment.

By the way, these steps are important for more than ransomware attacks. Let’s say a fire or natural disaster damages or destroys your building. If all data backups are stored at that building, or you have no set procedure to access them remotely, you’re stuck.

Keep your applications updated.

Thousands of hackers get up every morning with one goal in mind: Find a new vulnerability in commonly installed software (like Adobe, Microsoft Office, Chrome, QuickBooks, etc.) and gain access to millions of their users.

Companies frequently announce patches and updates for known security flaws. When they do, hackers work quickly to figure out how to leverage that vulnerability. They’re counting on users who are lazy about installing updates (and therefore susceptible to ransomware attack).

Neglecting to implement these patches and updates puts your network at risk. Watch for manufacturer notifications — and follow their instructions promptly if you get one.

Secure your cloud!

Cloud-based software provides several benefits to your practice’s operations, from easier collaboration to a better distribution of resources and even advanced disaster recovery and business continuity options. However, it also places your data on systems that may be outside of your direct control, not behind your firewalls or completely within your maintenance cycles. That brings a greater risk of breaches and ransomware attacks unless you make the extra effort to harden the systems you do control.

Train your employees to be vigilant about ransomware.

Most attacks happen when an employee clicks on a malicious link or opens an infected attachment. There wasn’t any bad intent from the employee; they simply didn’t know what to watch for. The most common tactic is an email with an attached file or link leading to a site that installs ransomware. This tactic is called phishing; it can also be done via text (smishing) and phone call (vishing).

Social engineering is also a popular method with cybercriminals. A hacker pretends to be someone you know by using personal information gleaned from your social media or other outlets. The goal is to deceive you into providing information or sending funds.

Ever get an email supposedly from a colleague or boss asking you to buy a gift card for them? That’s a common social engineering strategy. You might also see someone standing at a secure entry point until an employee walking in is “polite” enough to hold the door for them. That stranger might seem okay; maybe they’re dressed as a delivery person or repair technician for your medical equipment. But once they’re in, they only need one unlocked (and unattended) computer to wreak havoc on your practice.

In nearly all cases, ransomware attacks can be prevented when employees know the red flags that indicate them:

  • Emails from unfamiliar sources – If you’ve never heard from the sender before and the email includes a link, attachment or request, ignore it.
  • Suspicious attachments – If you don’t know the sender (or if you do, but you weren’t expecting them to send a file), don’t open any attached files. Doing so is likely to release ransomware on your computer so it can quickly run through your network.
  • Requests to log in or provide a password – Legitimate companies generally don’t send you a link to log in to a portal. They’re more likely to tell you to go to their legitimate page and log in that way. And they definitely don’t ask you to tell them your password.
  • A sense of urgency – Anything requiring you to “act now!” to avoid a supposed penalty or take advantage of an offer is designed to make you act without thinking.
  • Misspelled URLs – A slight misspelling or inaccurate suffix usually leads you to a hacker-built page. (For example, www.faceboook.com has an extra o, while www.dropbox.net ends with net while the real website ends with com.) This page looks like the real deal, but it’s rife with ransomware and other cybersecurity landmines. Check spelling carefully to avoid this trap.
  • Misdirected URLs – Hackers might also spell out the correct URL text in the email but route you to a different URL when you click. You can detect this by hovering over (not clicking!) the link. A small popup message will show you the URL it actually follows. If it’s different from what’s written, stay away.
  • Unfamiliar personnel on site – Watch for anyone not normally seen at your practice, and never leave computers or other equipment unlocked and unattended. (Also, leaving computers unsecured and unattended could be a HIPAA violation.)
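The two URL red flags above (a lookalike domain such as www.faceboook.com or www.dropbox.net, and link text that names one site while the link goes to another) can be checked automatically before an email reaches an inbox. The following is an added example written for this article, not code from the article or from James Moore; it assumes a short, constructed list of trusted vendor domains and parses a constructed sample message.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Domains the practice actually uses (assumed list for this example; replace with your own).
TRUSTED_DOMAINS = {"dropbox.com", "facebook.com", "microsoft.com"}

class _Links(HTMLParser):  # collects (visible text, href) for every anchor in an HTML email
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append(("".join(self._text).strip(), self._href))
            self._href = None

def _host(url):  # hostname of a URL or of bare "www.example.com" text, lowercased, no "www."
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def _lookalike_of(host):  # trusted domain this host imitates (wrong suffix or doubled letters)
    squash = lambda s: re.sub(r"(.)\1+", r"\1", s)  # faceboook -> facebok, facebook -> facebok
    name = host.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        if squash(name) == squash(trusted.split(".")[0]):
            return trusted
    return None

def check_email_links(html_body):
    """Return (reason, visible text, href) for each link a reader should not follow."""
    links = _Links()
    links.feed(html_body)
    findings = []
    for text, href in links.pairs:
        target = _host(href)
        if re.match(r"^(https?://|www\.)", text.lower()) and _host(text) != target:
            findings.append(("misdirected", text, href))  # text names one site, link goes elsewhere
        elif target not in TRUSTED_DOMAINS and (near := _lookalike_of(target)):
            findings.append(("lookalike of " + near, text, href))
    return findings

# Constructed sample message (not a real phishing email) exercising all three cases.
SAMPLE_EMAIL = ('<p>Act now! <a href="http://www.dropbox.net/verify">Log in</a>. See '
                '<a href="https://evil.example/x">https://www.dropbox.com/files</a> and '
                '<a href="http://www.faceboook.com/">our page</a>. <a href="https://www.microsoft.com/">Microsoft</a></p>')
```

Running `check_email_links(SAMPLE_EMAIL)` flags the first three links and leaves the genuine Microsoft link alone; the same check can be wired into a mail gateway or run over a suspicious message an employee forwards to IT.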

Get help from IT professionals.

While the steps outlined here help establish an environment safe from ransomware, much more can be done. That’s where IT professionals come in. They can assess your tech environment, implement advanced solutions that block suspicious sites and beef up your existing equipment, and provide other ways to protect your network.

Whether you utilize your in-house IT staff or hire a technology consultant, their knowledge and experience take your precautions to the next level. And when they work with your healthcare CPA, they can target their efforts to best protect your healthcare practice’s revenue cycle, operations and sensitive patient data.


All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.