Originally published July 2017
A routine day at a busy community clinic suddenly turns frantic when its computer screens display an ominous message and accompanying instructions: “Your files are encrypted. To get the key to decrypt files you have to pay USD$500.” The jumbled mess of cryptic symbols showing up in the computer files confirms it: the clinic has been hacked by ransomware.
Ransomware is computer malware that encrypts electronic files, essentially locking users out of their computers, and only the hackers have the key. The hackers hold the files for ransom and try to extort money to restore access. By the time you become aware of the attack it is usually already too late, and any files connected to the computer system may be compromised.
It’s a distressing worldwide problem, and physicians in Canada are not immune. Members have told the CMPA about ransomware incidents affecting their practices and EMR systems—events that can cripple a clinical practice and put patient care at risk.
Two principal medical-legal issues arise from ransomware. First, patient care may be impacted if health providers cannot access their electronic medical records (or any other relevant electronic files). Second, because ransomware may result in loss of information or allow hackers to access personal health information contained in the electronic files, a ransomware incident should generally be treated as a privacy breach pending further investigation. Depending on the jurisdiction, it could be necessary to provide notification of a privacy breach to the affected individuals or the privacy commissioner, or both. Contact the CMPA for further guidance.
It is imperative both to protect your computer system from malware and to prepare to mitigate the damage from a possible malware incident. Owing to the myriad ways a computer system can become compromised, prevention strategies, while essential, may not be enough.
There are various ways to reduce the risk of infection. Learn to recognize and avoid phishing scams. Do not open unsolicited email attachments. Seek advice from experts about implementing a layered approach to securing your computer system, including employing firewalls, web scans, and up-to-date anti-virus software.1 Provide information security training to clinic staff as well, to instill awareness of malware and of the routine precautions to take.
Perhaps the best defense, however, is to plan ahead to limit the damage and recover quickly from an attack. Segmenting systems (i.e. setting up the computer network so that one part can be quickly disconnected from other parts of the network and the Internet) may help prevent the spread of infection. Recovery is likely to be more successful when files are backed up regularly, backed-up files are kept on a separate system disconnected from the main system (physically or via cloud backup), and the backup systems are tested regularly.1
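As an added illustration of what "tested regularly" can mean in practice (example code, not part of the CMPA article), the following Python restore drill re-hashes a backup against the SHA-256 values recorded when it was taken, reports files that changed or went missing, and flags copies whose bytes look like ciphertext, since a backup job that runs after the infection will faithfully copy already-encrypted files. The file names, contents and manifest layout are constructed for the drill.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Added example, not CMPA's code. Assumes the backup job records a SHA-256 per
# file as it copies; the restore drill re-hashes each file and flags any that
# look uniformly random, since a backup taken after infection may hold ciphertext.

def shannon_entropy(data):
    """Bits per byte: clinic text sits near 4-5, ciphertext approaches 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_backup(backup_dir, manifest, entropy_threshold=7.5):
    """manifest: {filename: expected sha256}. Returns {filename: status}."""
    report = {}
    for name, digest in manifest.items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            report[name] = "missing"
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest:
            report[name] = "changed"
        elif shannon_entropy(data) > entropy_threshold:
            report[name] = "suspicious"  # intact copy, but of ciphertext
        else:
            report[name] = "ok"
    return report

def run_drill():
    """Constructed scenario: take a backup, then tamper before the restore test."""
    backup = tempfile.mkdtemp()
    files = {
        "visit-notes.txt": b"Follow-up visit; BP 128/82; continue current plan.\n",
        "billing.csv": b"date,code,fee\n2017-07-01,A007,33.70\n",
        "chart.pdf.locked": bytes(range(256)) * 16,  # stand-in for ciphertext
    }
    manifest = {}
    for name, data in files.items():
        with open(os.path.join(backup, name), "wb") as f:
            f.write(data)
        manifest[name] = hashlib.sha256(data).hexdigest()
    with open(os.path.join(backup, "visit-notes.txt"), "ab") as f:
        f.write(b"edited after the backup ran\n")
    os.remove(os.path.join(backup, "billing.csv"))
    return verify_backup(backup, manifest)
```

A "suspicious" result on a file that should be readable text is the signal that the backup itself was taken too late and an older, disconnected copy is needed.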
The decision of whether or not to pay a ransom rests on your assessment of the risks and whether you have good backups and can recover quickly. The ransom can be considerable, and payment provides no guarantee that the information will actually be recovered. When patient care is at risk and restoring access to medical records quickly is important, paying the ransom is one option—though not the only one. Online tools such as nomoreransom.org, a site backed by a group of recognized cybersecurity companies, offer to unlock encrypted files at no charge, though the capability of the service is limited to only some types of ransomware. Law enforcement agencies and cybersecurity experts urge victims not to pay the ransoms, as the proceeds of such extortion encourage further criminal activity and lead to other victimizations. As a CMPA member, if you choose to pay the ransom the payment remains your responsibility.
If you experience a ransomware incident, once you have promptly contacted your IT specialist and reviewed your options, it would be prudent to take reasonable steps to ensure continuity of patient care and focus on any urgent patient needs or follow-up. You may also report the incident to the Canadian Anti-Fraud Centre, and contact the CMPA for more information.
- International Association of Privacy Professionals [Internet]. Portsmouth (NH). Death, taxes and ransomware. 2016 Aug 22 [cited 2017 Feb 9]. Available from: https://iapp.org/news/a/lessons-to-be-learned-from-ransomware/