The recent ransomware attack against the Melbourne Heart Group in Melbourne should act as a timely warning to all medical clinics to ensure they are ‘cyber attack’ proof.

It’s reported that about 15,000 medical records were “scrambled” by encryption by cyber criminals, but the clinic stressed that no patient records were extracted or left their system, just that they were rendered unreadable. Despite this, the fact practice software can compromised and access denied to patient records shows what a critical issue this can be for health care providers.

So how does a busy medical practice protect itself against increasingly sophisticated ransomware hackers? With medical specialists’ becoming the most common targets for ransomware attacks, below are some key considerations for your own practice:

1. Who is at risk and how much?

Ultimately any health practitioner or medical practice staff member can be a target, regardless of operating system, security or software used. A normal day can see multiple different staff using multiple different systems and software from a range of external suppliers and providers. It can be as simple as a member of staff clicking a cleverly-disguised scam email to let the attackers in.

Although traditionally server-based systems were used, cloud software is becoming more prominent and arguably more secure given most are hosted by the likes of Amazon (AWS) and Microsoft (Azure). However

2. Basic tips for security

• Have multiple back-up systems in place for important data.
• Always use two-factor authentication for sign-in to accounts.
• Be vigilant for suspicious-looking emails, do not click on, open or forward on.
• Always use proven antivirus software and install a firewall.
• Regularly ensure your staff are trained on security and privacy.
• Have a data-breach response plan for all staff to refer to should an attack occur.
• Secure a local and trusted IT provider that can be on-hand in times of crisis.

3. What are my legal obligations?

Any attack, suspected or confirmed, on medical data must be reported to The Office of the Australian Information Commissioner (OAIC); provided your private business meets the OAIC requirements. Patients are generally legally entitled to be informed but it depends where the attack occurred. For example public hospitals are exempt being under State control, not the Commonwealth, creating a confusing minefield of responsibilities.

4. Paying a ransom?

In the US it’s reported that the average ‘ransomware’ demand is for about US$6000. Medical indemnity groups such as Avant Mutual advise you should NOT pay a ransom fee to recover or release data that has been stolen. Although tempting, the files may not even be returned after payment, and by paying any fee you inadvertently indicate you may pay again. The first reaction should be to refer to your business continuity plan, especially the cyber incident response, as ransomware could suggest a data breach that needs to be reported and managed as a priority.