In the HHS Office for Civil Rights' January newsletter, the agency highlighted 10 steps hospitals should take to decrease their likelihood of becoming a "cyber extortion" victim.
"Cyber extortion can take many forms, but it typically involves cybercriminals' demanding money to stop (or in some cases, to merely delay) their malicious activities, which often include stealing sensitive data or disrupting computer services," the newsletter reads, noting ransomware as a particularly prominent example of the threat.
Here are the 10 steps the OCR advises hospitals take to avoid cyber extortion.
1. Implement a robust risk analysis and risk management program to identify cyber-risks throughout the entire organization
2. Implement robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis
3. Train employees to identify suspicious emails and other messaging technologies that could introduce malicious software into the organization
4. Deploy proactive anti-malware solutions to identify and prevent malicious software intrusions
5. Patch systems to fix known vulnerabilities that could be exploited by attackers or malicious software
6. Harden internal network defenses and limit internal network access to deny or slow the movement of an attacker and malicious software
7. Test robust contingency and disaster recovery plans to ensure the organization is able to recover from a cyberattack
8. Encrypt and back up sensitive data
9. Review audit logs regularly for suspicious activity
10. Remain vigilant of emerging cyberthreats by receiving alerts from the U.S. Computer Emergency Readiness Team and participating in information sharing organizations
To access the OCR's newsletter, click here.