Unless your practice’s software protection or other security measures detect and halt the transmission of ransomware, unfortunately your practice or a business associate may not know it’s been infected with ransomware until after the ransomware has encrypted data and is demanding ransom. With proper HIPAA security training, it is possible for your practice to detect and respond to ransomware attacks earlier which may less the impact. Some indicators of ransomware attacks include:

The user’s realization that a link they clicked on, a file attachment they opened, or a website they visited may have been malicious.
An increase in the CPU of a computer and disk activity for no apparent reasons.
The inability to access certain files.
The detection of suspicious network communications between the ransomware and the attackers’ command and control server.
The increase in CPU could be an indication that the ransomware is searching for, encrypting, and removing data files. The inability to access files could be the result of ransomware encrypting, deleting, and renaming and relocating the data. The detection of suspicious network communications would most likely be discovered by IT personnel versus intrusion detection solutions.

No matter the indicators present, if your practice believes it is under a ransomware attack, steps should be taken immediately to activate the security response plan which should include measures to isolate the infected computer in order to halt the ransomware attack. Additionally, your practice should contact its local FBI or Secret Service field office as these agencies work with law enforcement partners from a local to Federal level in order to pursue cyber criminals as well as assist victims of cybercrime.