It is important to have a qualified IT company perform many of the steps I outline below. Some practices may be able to do a few of them on their own, but some of these items require a certified professional. The days of the "backyard and basement IT guys" are over; the educated and experienced IT professional is clearly the way to a healthy IT infrastructure. I always tell my students, and the practices I consult for, to ask these questions:
- Where did you attend college?
- What certifications do you have?
- What medical customers do you have?
- Do you know HITECH and HIPAA?
- Have you ever done meaningful use?
- Do you have experience in clinical medical and clinical training in both EMR/PM/Interfaces?
- Do you have a fast turn-around time?
With that, let's steer back to the road, assuming you have a qualified IT person, and discuss the steps that person should be taking to prevent a serious, practice-ending ransomware infection. First, let's clarify one thing: NOTHING is perfect or foolproof. It is the series of steps taken together that adds up to the 99% prophylactic that should help prevent the deadly ransomware infections. Let's begin:
- Educate your staff on what to open, and what not to open, in a browser. This means they should not be browsing shopping, music, adult, car, fighting, or any other non-business websites. Educating the employee is simply the best way to prevent viruses, malware, and ransomware in general. Most of the serious infections I have seen have come to employees of the practice or business via email and websites.
- Do not use personal email at the practice. Once again, EDUCATION. Not only is this a potential HIPAA violation, but a personal mailbox is not a monitored mailbox with the appropriate antivirus protections in place. Email is another fast route for infections. Think about it: you have an email in your inbox with the subject "I LOVE YOU". What do most people do? THEY OPEN IT!
- Make sure you have good enterprise-level antivirus both on each machine and at the gateway. This all boils down to your IT people; they should understand this. Let me quickly explain for the folks who do not have as much IT experience (no shame intended whatsoever). AV and AMW (antivirus and anti-malware) protect each person at the computer level: if you go to a website or open an email, the AV/AMW should pick up many threats and stop them. A gateway AV adds inspection of each incoming and outgoing packet, looking for threats that may come in "around" rather than "through" the workstations.
- Lock down permissions on shared drives. Only assign permissions to those who absolutely need them.
- Implement the proper server policies to prevent certain actions from being carried out on the server.
- Monitor for breaches and be prepared to report them if need be. The OCR (Office for Civil Rights) requires breach notification when a breach of patient data has occurred. (I am not a lawyer, so please consult an attorney for further information on this subject.)
- Back up all data! I recommend an offsite backup with a qualified entity. Make sure they provide double-sided encryption, meaning the data is encrypted while it is sent to the site and while it is restored from the site.
- Rehearse your response to a catastrophe; practice does make perfect.
- Unplug (physically or virtually) the affected computer(s) and server(s) from the network to isolate the infection immediately.
- NEVER PAY RANSOM!
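As an added example for the "lock down permissions on shared drives" step (this is not code from the original post), the following PowerShell script audits a Windows file server for shares that grant write access to broad groups, which is the opposite of "only those who absolutely need them". It assumes the built-in SmbShare module (Windows Server 2012 or later) and an elevated session on the file server; the list of broad principals is an assumption you should extend with your own catch-all groups.

```powershell
# Added example (not from the original post): find SMB shares that give
# write access to broad groups. Ransomware running under any ordinary user
# account can encrypt everything such an entry exposes.

# Principals that effectively mean "everyone on the network" (assumed list).
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)
# Domain-wide groups are matched by suffix because the domain prefix varies.
$BroadSuffixes = @('\Domain Users', '\Domain Computers')

function Test-BroadPrincipal {
    param([string]$Account)
    if ($BroadPrincipals -contains $Account) { return $true }
    foreach ($s in $BroadSuffixes) {
        if ($Account.EndsWith($s, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Walk every non-administrative share (skips C$, ADMIN$, IPC$) and report
# Allow entries that grant Change or Full to a broad principal.
$Findings = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in @('Full', 'Change') -and
        (Test-BroadPrincipal $_.AccountName)
    } | ForEach-Object {
        [pscustomobject]@{
            Share     = $share.Name
            Path      = $share.Path
            Principal = $_.AccountName
            Right     = $_.AccessRight
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    Write-Host 'No shares grant write access to broad groups.'
}
```

Share-level permissions are only half the picture: the NTFS permissions on each share's path (Get-Acl) should be reviewed with the same "who absolutely needs write access" question.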
Good luck in this new world of serious technology threats!