Q&A: Protecting against ransomware attacks

Q: We’ve had staff members handling PHI remotely for the past month or so. We have not experienced any data breaches to my knowledge, but I’m a little worried as I read about the surge in hacks and ransomware targeting healthcare entities. What are the most important steps we can take as an organization to minimize the risk of being exploited?

A: Education is a great first step. It is important to train staff on good security hygiene, such as steps to take to avoid clicking on a malicious link. Many of the cyberattacks that are occurring now are the result of what is called human-initiated attacks. What that means is many of the successful attacks are the result of someone inside the organization clicking on a malicious link. Education should also not be a one-time event. Now is a great time to periodically send all staff security reminders about keeping passwords complex, not clicking on suspicious links, what to look for to determine if an email is phishing, and so forth.

It is a good idea to make sure you have a policy on working remotely that has been read by employees and is followed. When working remotely, you are creating a separate environment that needs to be protected just like it would be in the hospital, the clinic, or an office. Employees need to create a separate work environment in their homes that protects PHI and the workstations that are used. That means logging off when you are not at your workstation, isolating the workstation and associated media from other members of the household (as much as possible), using crosscut shredders, and not having conversations with co-workers that involve discussing PHI when family members are in earshot. Employees may be working remotely, but that doesn’t mean they can let their guard down when it comes to protecting PHI.

When it comes to telehealth, here are five steps from the FBI to help reduce video hijacking risks:

• Do not make meetings or telehealth appointments public. If you are using Zoom®, there are two options to make a meeting private: require a password or use the waiting room feature and control the admittance of patients or clients.
• Do not share a link to a teleconference or telehealth appointment on an unrestricted publicly available social media post. Provide the link directly to specific people.
• Manage screen-sharing options. In Zoom, change screen-sharing to “host only.”
• Ensure participants are using the updated version of remote access/meeting applications. In January 2020, Zoom updated its software. In the security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
• Ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

Editor’s note: Chris Apgar, CISSP is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.