According to an FBI report, during the first three months of 2016 cybercriminals extorted $209 million from organizations. While this statistic includes all organizations and not just healthcare, ransomware poses a greater threat to hospitals and medical practices because it can also cause a breach of protected patient data. If your practice is the victim of a ransomware attack, there are several initial steps that should be taken:
Limit & Stop: The first step by your response team should be to identify the infected workstation or hardware and isolate it from the network. This should stop additional files from being encrypted. Your IT team should also look for suspicious behavior on servers.
Determine Variant: Cybercriminals are releasing new versions of ransomware on a regular basis. These new versions can better thwart healthcare organizations’ anti-virus and anti-malware tools. Once your IT team identifies the type of ransomware being used, they can better understand the damage it may have caused.
Recovery: At this point, your medical practice is aware of the attack and has stopped it as best possible, and now it’s time for recovery. This can mean one of two things: either paying the ransom in order to receive the encryption key or initiating your practice’s data recovery process to restore all files that have been encrypted. It is important to note that paying the ransom does not guarantee the delivery of an encryption key.
Evaluation: According to HIPAA breach rules, healthcare organizations must report when patient information is stolen. Different variations of ransomware impact data in different ways, so your practice must evaluate what type of infection it had and whether a data breach occurred.
Communication: Communicating internally about the recovery process and timeline is very important. Staff should be aware of when data will be restored, and the IT team should communicate what occurred that enabled the attack. This makes for a great learning and training opportunity to hopefully prevent future ransomware attacks.