Another ransomware attack has been making headlines this week. This time, the attack targeted a mental health care provider.
The Minnesota-based Associates in Psychiatry and Psychology announced that it was targeted by a strain of ransomware on March 31, 2018.
Ransomware attacks on healthcare organizations are a growing threat to health care providers because of the significant value that health care data sells for on the dark web. A ransomware attack is carried out with malware: the ransomware infects a given computer or network and encrypts the data stored within these systems. The hackers then contact the owners of the data and provide an ultimatum: pay a ransom fee by a certain date, or access to the data will be permanently barred.
Waves of ransomware attacks on healthcare organizations over the past few years have gotten so bad that the FBI has even released guidance on how to properly deal with an attack when your practice is affected.
Even though data can sometimes be retrieved by restoring from an off-site backup, Associates in Psychiatry and Psychology was not so lucky. Information Security Media Group reports that a spokeswoman from the organization confirmed that in the end, the ransom was paid to the hackers.
Growing Ransomware Healthcare Threats
Because healthcare data is so valuable to hackers, the threat that behavioral health professionals face is at an all-time high. And to make matters worse, the headache may not end once the ransom has been paid.
Health care data is considered protected health information (PHI) under HIPAA regulation. HIPAA defines PHI as any of 18 identifiers that can be used to identify a patient. Common examples include names, dates of birth, Social Security numbers, health care records, or addresses. In the event that PHI is breached, the practice that has been targeted must report the incident to the Department of Health and Human Services (HHS). From there, the Office for Civil Rights (OCR) may choose to launch an investigation into the breach. If a HIPAA violation is uncovered over the course of OCR's investigation, that could mean civil monetary penalties, HIPAA fines, and even jail time for the practitioners responsible.
The best way to protect against a ransomware attack on a healthcare practice is through off-site backup for all data, full-disk encryption, and HIPAA compliance. By implementing a HIPAA compliance program with HIPAA self-assessments in tandem with these security measures, behavioral health professionals can ensure that patient data is kept safe, and mitigate the impact of HIPAA violations should they occur.