In early January 2020, eHealth, the computer system that stores the health information of patients in Saskatchewan, was hit by a ransomware attack. Its antivirus software raised the alarm quickly, but even then it was too late to completely stop the spread. Although no data has been tracked leaving the system, indicating that no patient data has been compromised, the organization has had challenges getting jobs done because access to some files is blocked. According to its website as of writing, “Some services have been disrupted and may not be available during this time”.
Clearly, antivirus software alone is not enough. The defense against ransomware is a constant battle and requires the use of the right tools. This infection got through a robust security team that already records and fends off “thousands and thousands of attempted attacks each day”. The organization states, “we take our duty to protect the privacy and confidentiality of health information very seriously. We have robust safeguards in place to help keep this information secure and confidential.”
In the wake of the intrusion, staff are putting in days of work securing the rest of the system and working with vendors on recovery efforts. They stated that once they assess and repair the damage, they will work on figuring out how the attackers got in to begin with. The organization is still unsure how long this process will take.
Your defenses need to be right all the time
eHealth is a public organization that follows privacy protection regulations to the letter. It is crucial for clinics to understand that relying on antivirus software, or on a list of policies and procedures sitting on a shelf, is not enough to protect your clinic from an attack.
A 2018 study by Verizon found that 59% of healthcare breaches were caused by internal actions. This means that clinics need to train their staff on how to handle patient information and provide the correct tools for communicating PHI. Any staff accessing email on your network should be trained to recognize phishing and spam emails (80% of ransomware attacks get in through email).
Privacy compliance and privacy breach prevention are not the same
Most privacy regulations (HIPAA, PIPEDA, HIA, ...) do not make recommendations or list requirements regarding which communications technology to use. While traditional email is excluded from compliance because of an innate lack of security, encrypted email could pass the compliance test under certain conditions. However, since the majority of malware and ransomware infections are caused by inbound email, continued use of email (encrypted or not) is a massive risk to your clinic and an open door for cyber attackers.
Brightsquid Secure-Mail is one of the few systems that protects patient information entirely and allows clinics to communicate with other clinics and patients in a way that blocks ransomware from infecting your clinic. There are many other systems that may pass as compliant but will not fully protect your clinic. It’s important that you know ransomware is being blocked, because antivirus alone is clearly not enough. Read more about how Brightsquid earns 5 stars across all reviews.