Small Businesses, Medical Practices, and Licensed Professionals That Don’t Prepare For Ransomware Attacks Are Playing With Fire

Your small business doesn’t provide most of the fuel for the Eastern Seaboard or process and distribute a huge proportion of America’s meat supply. But that doesn’t mean you shouldn’t be worried about ransomware attacks or other cybersecurity threats. The recent attacks on the Colonial Pipeline and meat processor JBS are just two high-profile examples of what has become a significant threat to companies, medical practices, and licensed professionals across a wide range of businesses and professions. 

A Ransomware or Other Cyberattack Can Be a Deathblow To Your Business

Every minute of every day, sophisticated hackers attempt to gain access to trade secrets, personal customer or patient information, and all other data that makes a company run. Sometimes, the data itself has value to cybercriminals, such as customer financial information, credit card numbers, Social Security numbers, and the like. Other times, as is the case in ransomware attacks, hackers hold a company’s entire information infrastructure hostage until they receive the eponymous ransom. The increasing complexity and frequency of ransomware attacks drove the average ransom payment from less than $5,000 in 2018 to over $233,000 in 2020.

Such security breaches can cost companies millions of dollars in business disruption and remediation costs. Cyberattacks and the release of confidential information can cause customers to lose faith in the ability of the company to maintain the confidentiality of their payment and personal data.

Additionally, a complex patchwork of state and federal laws establishes notification requirements in the event of a breach. Failure to follow those laws can expose businesses to fines and adverse regulatory actions that only add to the pain of a cyberattack.

For business owners, physicians and medical practices, and licensed professionals, a robust cybersecurity program is no longer optional. Failing to implement a comprehensive strategy to protect valuable intellectual property and proprietary information is essentially business negligence. Failing to act swiftly and aggressively once a breach has occurred can be business and professional suicide.

Medical Practices Increasingly Under Threat

The threat to medical practices and other entities in the healthcare industry is of particular concern because the subject of the attacks usually includes protected health information (PHI). Cybercriminals hold that information hostage under the threat of “doxing,” meaning to publicly release documents containing PHI.

Guidance from the Department of Health and Human Services Office for Civil Rights, the federal body charged with enforcement of HIPAA, states that ransomware encryption of PHI is a per se unauthorized disclosure of PHI triggering the Breach Notification Rule. That rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. The rule presumes a cybersecurity incident has resulted in unauthorized access to unsecured PHI, at which point the burden shifts to the practice or organization to show a low probability of the compromise of the PHI it maintains.

What You Can And Should Do Right Now To Protect Your Data and Your Business

The U.S. Small Business Administration has a wonderful website dedicated to helping business owners prevent and respond to ransomware and other cybersecurity threats. The site includes these ten key steps companies should take as part of a comprehensive strategy:

  1. Protect against viruses, spyware, and other malicious code
  2. Secure your networks
  3. Establish security practices and policies to protect sensitive information
  4. Educate employees about cyberthreats and hold them accountable
  5. Require employees to use strong passwords and to change them often
  6. Employ best practices on payment cards
  7. Make backup copies of essential business data and information
  8. Control physical access to computers and network components
  9. Create a mobile device action plan
  10. Protect all pages on your public-facing websites, not just the checkout and sign-up pages

I recommend that all small business owners and medical practices spend some time at the SBA’s cybersecurity website (https://www.sba.gov/managing-business/cybersecurity) and take all steps necessary to shore up this crucial aspect of their operations. A hack of your network may not attract national headlines, but it could repel customers and patients and cost you your business or practice.

If you have questions about protecting your business or medical practice from cyber threats, please give me a call at 312-236-2433 or fill out my online form to arrange for your free initial consultation.

Political Hack is a Stark Reminder of the Importance of Cybersecurity to Small Businesses

The hate and hope, hysterics and history of the political conventions are over. These editions of our quadrennial pageants put a great many things in stark contrast, even more than they typically do. But while many things were familiar – booming speeches, delegates in outlandish outfits, and thousands of balloons falling from the rafters – there was something new this year. The hacking, likely by Russians, of Democratic National Committee computers in order to undermine the Democratic candidate is a stark reminder of how vulnerable all of us are to cyberthreats. While this hack had serious political and national security implications, the threat to small businesses is no less real and can be no less devastating.

Companies big and small find themselves repeatedly under attack by sophisticated hackers who seek to gain access to trade secrets and personal customer information to use for their own gain. Such security breaches can cost companies millions of dollars in business and remediation costs and cause customers to lose faith in the ability of the company to maintain the confidentiality of their payment and personal information.

For small business owners, a robust cybersecurity program is no longer optional. Failing to implement a comprehensive strategy to protect valuable intellectual property and proprietary information is essentially business negligence. Failing to act swiftly and aggressively once a breach has occurred can be business suicide. A complex patchwork of state and federal laws establishes notification requirements in the event of a breach, and failure to follow those laws can expose businesses to fines and adverse regulatory actions that only add to the pain.

The U.S. Small Business Administration has a wonderful website dedicated to helping business owners prevent and respond to cybersecurity threats. The site includes these ten key steps companies should take as part of a comprehensive strategy:

  1. Protect against viruses, spyware, and other malicious code
  2. Secure your networks
  3. Establish security practices and policies to protect sensitive information
  4. Educate employees about cyberthreats and hold them accountable
  5. Require employees to use strong passwords and to change them often
  6. Employ best practices on payment cards
  7. Make backup copies of important business data and information
  8. Control physical access to computers and network components
  9. Create a mobile device action plan
  10. Protect all pages on your public-facing websites, not just the checkout and sign-up pages

I recommend that all small business owners spend some time at the SBA’s cybersecurity website (https://www.sba.gov/managing-business/cybersecurity) and take all steps necessary to shore up this crucial aspect of their operations. A hack of your network may not attract national headlines, but it could repel customers and cost you your business.

The Law Offices of Louis R. Fine

As an experienced Chicago business lawyer, I know how important it is to get a deal done. I also understand how crucial it is to get a deal done right. That is why I take a balanced approach to business transactions, one that is meticulous and detailed, but that does not delay a closing or consummation of a deal. My role is to facilitate, not stand in the way.