Salt Lake City—For any organization, data security is crucial. But when the information you’re trying to protect is people’s medical records—information that could save their very lives—keeping that under lock and key becomes paramount.
One of the most common threats against information, and one increasingly directed towards medical organizations, is ransomware, said Christopher Droubay, a shareholder with Snow, Christensen and Martineau, at the Utah Business Healthcare Solutions Summit on Tuesday. Combatting this threat boils down to preparation, he said.
“In a ransomware situation, that backup is the key,” he said. “If you have access to the data in another form, the power the ransomware has over you is gone.”
Ransomware is a form of malware that encrypts a database’s information, after which the makers or senders of the ransomware demand a sum of money in exchange for the key to decrypt that information, said Droubay. In years past, that amount has been in excess of $100,000, but the blight has recently become common enough for the price to drop, usually to the several-thousand range, he said. For companies that don’t pay the ransom (which is the route usually recommended by security experts) and don’t have regular backups, the attack has cost years of irreplaceable data.
Like a germ burrowing into a body through a small cut, malware, including ransomware, infects a system through a tiny flaw in the security. Most of the time, that flaw is human error, usually in the form of clicking on a link or otherwise inadvertently downloading the bug.
“This doesn’t just come from the lower levels,” Droubay said. “Often I’ve seen this happen in the C-suite. Several times I’ve seen this happen in the IT department.”
To help reduce the chances of malware getting into a system, Droubay recommends training employees of all levels to be cautious and to be careful with even legitimate-looking emails. He also reiterated his recommendation of backing up all data, and doing so frequently and securely. And if the worst happens and a system is compromised, Droubay urged companies to immediately take steps to make reparations—data security experts can help companies figure out just what that looks like for them. And last but not least, he said, companies that have had a breach need to be honest and up-front with their customers as soon as is reasonable about the potential exposure of their data.
Droubay referenced the Equifax breach, in which the company waited several months before alerting potential victims of the breach.
“Don’t wait months to do this,” he said. “Waiting will just make [regaining customer trust] even harder.”