Small Businesses, Medical Practices, and Licensed Professionals That Don’t Prepare For Ransomware Attacks Are Playing With Fire

Your small business doesn’t provide most of the fuel for the Eastern Seaboard or process and distribute a huge proportion of America’s meat supply. But that doesn’t mean you shouldn’t be worried about ransomware attacks or other cybersecurity threats. The recent attacks on the Colonial Pipeline and meat processor JBS are just two high-profile examples of what has become a significant threat to companies, medical practices, and licensed professionals across a wide range of businesses and professions. 

A Ransomware or Other Cyberattack Can Be a Deathblow To Your Business

Every minute of every day, sophisticated hackers attempt to gain access to trade secrets, personal customer or patient information, and all other data that makes a company run. Sometimes, the data itself has value to cybercriminals, such as customer financial information, credit card numbers, Social Security numbers, and the like. Other times, as is the case in ransomware attacks, hackers hold a company’s entire information infrastructure hostage until they receive the eponymous ransom. The increasing complexity and frequency of ransomware attacks drove the average ransom payment from less than $5,000 in 2018 to over $233,000 in 2020.

Such security breaches can cost companies millions of dollars in business disruption and remediation costs. Cyberattacks and the release of confidential information can cause customers to lose faith in the ability of the company to maintain the confidentiality of their payment and personal data.

Additionally, a complex patchwork of state and federal laws establishes notification requirements in the event of a breach. Failure to follow those laws can expose businesses to fines and adverse regulatory actions that only add to the pain of a cyberattack.

For business owners, physicians and medical practices, and licensed professionals, a robust cybersecurity program is no longer optional. Failing to implement a comprehensive strategy to protect valuable intellectual property and proprietary information is essentially business negligence. Failing to act swiftly and aggressively once a breach has occurred can be business and professional suicide.

Medical Practices Increasingly Under Threat

The threat to medical practices and other entities in the healthcare industry is of particular concern because the subject of the attacks usually includes protected health information (PHI). Cybercriminals hold that information hostage under the threat of “doxing,” meaning to publicly release documents containing PHI.

Guidance from the Department of Health and Human Services Office for Civil Rights, the federal body charged with enforcement of HIPAA, states that ransomware encryption of PHI is a per se unauthorized disclosure of PHI triggering the Breach Notification Rule. That rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. The rule presumes a cybersecurity incident has resulted in unauthorized access to unsecured PHI, at which point the burden shifts to the practice or organization to show a low probability of the compromise of the PHI it maintains.

What You Can And Should Do Right Now To Protect Your Data and Your Business

The U.S. Small Business Administration has a wonderful website dedicated to helping business owners prevent and respond to ransomware and other cybersecurity threats. The site includes these ten key steps companies should take as part of a comprehensive strategy:

  1. Protect against viruses, spyware, and other malicious code
  2. Secure your networks
  3. Establish security practices and policies to protect sensitive information
  4. Educate employees about cyberthreats and hold them accountable
  5. Require employees to use strong passwords and to change them often
  6. Employ best practices on payment cards
  7. Make backup copies of essential business data and information
  8. Control physical access to computers and network components
  9. Create a mobile device action plan
  10. Protect all pages on your public-facing websites, not just the checkout and sign-up pages

I recommend that all small business owners and medical practices spend some time at the SBA’s cybersecurity website (https://www.sba.gov/managing-business/cybersecurity) and take all steps necessary to shore up this crucial aspect of their operations. A hack of your network may not attract national headlines, but it could repel customers and patients and cost you your business or practice.

If you have questions about protecting your business or medical practice from cyber threats, please give me a call at 312-236-2433 or fill out my online form to arrange for your free initial consultation.