Hopefully, you’ve never seen this screen pop up on your server or one of its attached workstations. Unfortunately, many dentists have had their data held hostage by Trojan viruses like the Cryptovirus that became a real problem on Sept. 5, 2013. While the actual Cryptolocker virus was isolated in late 2014 and the criminals involved were subsequently caught and prosecuted, many variations of this type of ransomware – some that even use the Cryptolocker name or variations of it – continue to plague networks around the globe.
Ransomware, like Cryptovirus, is a Trojan virus that rides on Internet communication vehicles, like email, and then embeds itself in the data of the hard drive – and any subsequent copies of that hard drive. It insidiously encrypts the data on the system and then locks it. A screen then pops up from an online entity demanding money – most commonly $300 – which must be paid with a credit card in order to unlock the data. This practice has been termed cryptoextortion.
Unfortunately for a dental practice, this means that the integrity of our vital ePHI is then compromised unless we “pay the Piper.” However, once we pay the ransom, the criminals now also have our credit card information; that only leads down a long road to darkness. It also is likely that we will be victims of repeated extortion attempts, and the virus continues to replicate on whatever back-up systems we are using. It’s a vicious cycle! Believe it or not, it was estimated that between 2013 and 2014 Cryptolocker extorted more than $3 million from its victims. That number continues to grow as Cryptolocker clones continue to develop around the world.
The good news appears to be that ransomware does not actually steal data from its victims but rather encrypts it on-site. However, some ransomware can track keystrokes. So, ransomware could potentially create significant HIPAA breaches even if the data set itself is not actually stolen. It appears that ransomware can only communicate with its developers if given direct access, which can occur when they are given access to unlock the data encryption.
The other concerning news is that conventional back-up systems can only provide recovery of data if the data back-up was done prior to infection and if the data back-up is dependable. As was discussed previously in “Dental Records Tips: Facts About Fail-Safes,” this can be hit or miss.
Recovering from a ransomware attack is extremely costly, if it can be done adequately, and usually takes many days of computer downtime. The back-ups need to be entirely mounted, and then each data set has to be carefully reviewed by hand, searching every data block for the executable components of the virus. The system then has to be completely rebuilt from the operating system up, including reinstalling the operating system and all software. The network mapping of workstations, printers, scanners, etc., then must be recreated. Meanwhile, no additional data can be stored on the system. It’s back to pencil, paper and ledger sheets to keep the practice in business!
Assuming all of the backed-up data can be recreated, the recovery takes several days or even weeks with substantial crippling of business operation and thousands of dollars in IT support. Then, the fun begins when all of the paper and pencil data needs to be reentered into the computer system. Of course, the staff loves doing this in their spare time and in the evenings …
As with any restore from a back-up where there is a lag in information entered, you may also encounter events like ghost patients and patients appearing for unscheduled appointments even when they have a card from your office with their appointment on it. This can occur for several months due to scrambled or corrupt data entries.
Here’s the take-home message: Infections from ransomware cost a lot of money and a great deal of stress – IT expenses, business interruptions, wasted staff overhead, lost critical information, etc.