Your data may be at risk of being held for ransom. Ransomware attacks, including the recent wave of WannaCry infections, are on the rise, and organizations that handle sensitive health care and employee data are especially vulnerable.
Ransomware is one of many types of malware. Like other forms of malware, it often infects a computer system after someone clicks on a link, sometimes but not always found in an email. The ransomware then encrypts the files on the infected computer system. A message informs the victim that the files will be restored if payment is made. Although all organizations are potential targets for cybercriminals, ransomware attacks frequently focus on health care data.
On May 12, a ransomware program dubbed WannaCry caused panic around the globe, infecting hundreds of thousands of computers in 150 countries worldwide. Although many companies were affected, the UK National Health Service was hit especially hard. As a result, seven hospitals had to divert patients to other facilities.
The WannaCry incident is only the latest and largest in a string of ransomware attacks. The FBI reported 2,400 complaints and a loss of $24 million in 2015. In 2016, the problem became alarmingly worse, with the FBI estimating that losses could hit $1 billion.
The FBI does not recommend paying the ransom. Doing so may fund other criminal activities and lead to more ransomware attacks. It’s also important to note that payment does not necessarily guarantee all files will be restored properly.
Despite this, many organizations pay up.
The required ransom can range from a few hundred dollars to thousands of dollars, typically paid in Bitcoin. NBC News reports that the Hollywood Presbyterian Medical Center paid hackers approximately $17,000 to restore files after a ransomware attack.
Faced with the interruption of business that malware causes, payment may seem like the only practical option. For hospitals and other organizations that handle sensitive data, the situation is even worse. When hackers access information protected under HIPAA, the organization may be judged responsible for not doing enough to keep the information secure.
In April, the U.S. Department of Health and Human Services announced that Metro Community Provider Network had agreed to pay $400,000 after a hacker used a phishing scam to access the health center’s data. The University of Massachusetts Amherst paid $650,000 after a malware infection resulted in HIPAA violations.
Organizations must be proactive in their security efforts.
- Install anti-virus software and update it as recommended.
- Install patches and updates to software as it becomes available.
- Avoid installing software from unknown sources.
- Avoid clicking on links from unknown sources.
- Train all employees, regardless of position, on the importance of cyber security.
- Back up data regularly. Backup files should be stored on a separate system to ensure that they are not affected by malware infections.
Security is a growing issue for HR professionals and employers of all types. That’s why this year’s Travisoft University focus is “Securing Your Future.” Learn more about this must-attend event here and make sure you secure your company’s future.