“Doctor, How Bad Is It?”
“I’m not sure, I can’t access your medical records to tell you exactly what the prognosis is.” Recently, this is what Virtual Care Provider had to tell its clients; that the technology services that they were providing were on hacker hiatus. In other words, they were hit by a ransomware attack, and until they came up with $14 million in ransom, they were locked out by cybercriminals.
Virtual Care Provider, a Milwaukee-based company services more than 100 nursing homes all over the United States.
A letter that went out on November 18th, one day after the attack was discovered, informed clients that about 20% of their services were affected by a virus, requiring 100 servers to be rebuilt. At the same time, they were working to see what, if any, client data had been compromised.
Hold Security, hired by the company to investigate, found that Russian hackers had infected their computers over a span of 14 months via phishing attacks.
Is There a Doctor Cybersecurity Expert in the Room?
Unfortunately for all involved, Virtual Care Provider is unable to pay the ransom, leaving many nursing homes without access to patient records, blocked from using the internet, issue paychecks, or even dispense medications. At the forefront of resolution is addressing life-threatening situations, but how many facilities are going to find themselves unable to survive in the long run? This may also be true of facilities who depend on insurance reimbursements who are unable to bill insurance and Medicare at this time. These businesses too may not be able to run and survive the ransomware blow.
With the 2019 average ransom paid being around $36k, this is almost beyond the scope of comprehension for victims. But it falls in line with an increase in attacks directed at hospitals and government agencies, as hackers know that they cannot afford to NOT pay the ransom and are the most likely to respond to ransom requests.
Preventative Care Plan
The saying goes, when you know better, you do better. And surely this has to be the overwhelming case when it comes to preventative cyber health care for these targeted businesses. Having a strong HIPAA compliance plan isn’t having cybersecurity in place. The two must go hand in hand to prevent and protect. That includes hiring the right people – not just appointing an existing employee or person to oversee it internally and having cyber insurance to recover should an attack occur. And based on all the odds, it will likely occur.