Ransomware, and compliance

This week, a particularly hard job came up. I don't mean hard only because I had to think hard and dig deep for solutions (though that is true), but also because of the state the client was in when I arrived, and how they got there.

If you work in certain Health & Wellness professions, you typically have requirements revolving around HIPAA compliance. For financial service professions, FINRA is similarly strict.

If you are a client, I will likely be reaching out to you soon to discuss what compliance you may need to be observing as part of your business. The reason is the lesson learned from this week’s client: a ransomware attack took down a server and encrypted all of its data, which included sensitive patient information. For reasons of privacy I will of course not name the company, nor even its profession. There are a few things I will describe about this situation that either caused the problem or magnified it:

  1. An employee was using the server as a workstation – this is a violation of HIPAA compliance
  2. Outlook was therefore installed and in use on the server – for those unaware of this, HIPAA forbids running email on the same system as sensitive data (the ransomware attack originated from a ZIP attachment in Outlook that the employee opened)
  3. Their cloud backup system was configured to auto-fill the login email address and password in the browser, making it easy for the attacker to delete all of the cloud backups

Several other factors contributed to this attack, but the above is a succinct subset of factors that, had compliance been properly observed, would never have allowed this particular attack to occur. The ZIP file may still have been opened, but in the best case it would have affected only that one workstation, and even in the worst case it would still have corrupted the server but left the backups intact for easier restoration.

There are other concerns now facing this client around possible exposure of patient data, none of them good. As this story shows, a little effort towards compliance can go a long way.

So, be on the lookout for my email if you are an existing client. If you are not, perhaps think about reaching out to discuss how you could be at risk. And above all, don’t open ZIP files from your email.

Thanks!
