You type in your login information, but nothing happens. Your computer is plugged in and you’re sure your password is correct, but you cannot seem to find your appointments, accounting information, customer data, or worse, patient medical records. Your email is working, though. And there it is: A demand for payment if you want access to your data or computer system.
You’ve heard of the big cyberattacks, like the ransomware against Colonial Pipeline that caused gasoline shortages on the East Coast in May 2021. You may not have heard of the public library in Kokomo, Indiana that was shut down by ransomware, an incident that was resolved with a $36,000 Bitcoin payment.
Cyberattacks on victims big and small are becoming a very expensive cost of doing business. The attacks continue because the bad actors are very difficult to catch and stop – and because few companies truly have the backup systems necessary to pivot away from compromised systems.
I recently helped a medical practice survive a ransomware attack on the subcontractor of the practice’s enterprise management provider. The client agreed that I could share the experience and what we learned.
The cost of a cyberattack extends far beyond any ransom. It has taken months to add up damages from the April 2021 attack. It took eight days for the vendor to even acknowledge that its subcontractor had suffered a ransomware attack and had paid the ransom. It took another 10 days for most of the vendor’s customers to get back online, and vital third-party connectivity remained a problem for many months.
You may not be able to stop a cyberattack, but you can be prepared.
Here are some of the most important things to do if you’re attacked – and some ways to prevent this crisis.
Call Tech Support Immediately
When you notice a problem, call your information technology expert immediately. There might be a benign explanation, but in the case of an attack, IT can figure out which systems aren’t working, which data are locked up, and how to cut off internet access to the affected systems.
Do NOT shut down your machines until they can be examined by a forensic expert!
Call Your Lawyer
There may be a host of legal issues to consider in the wake of a cyberattack like ransomware. Any medical-related enterprise may be obligated to report the incident to the U.S. Department of Health and Human Services, and it’s likely you’ll need to contact patients whose private information was compromised. Non-medical businesses may still need to report what happened to the Federal Trade Commission – and to customers whose private data were at risk.
Under either circumstance, laws may require you to make the attack public, either on your website or in a press release, to make sure those affected know about it.
Note also that different states have different laws that can require quicker and more public disclosure of data breaches. This is of particular importance if your business operates in multiple states.
Will I Get Sued? Can I Sue Someone?
Patients or customers claiming they were hurt by this attack may seek damages from you, but they’d have a hard time proving you were negligent if you took every reasonable step to prevent the attack or the damage that could occur from it.
The most vulnerable party for litigation may be the initial victim. In the case of my medical practice client, this was the subcontractor of the billing service vendor. But technology vendors hire lawyers too, and the smart ones draft contracts that limit what they’ll pay for in a cyberattack to a month or two of fees. They may also require that any dispute be decided in arbitration. (In my experience, only huge customers would be able to negotiate a change in that type of clause.)
Understand The Limits of Cyber Insurance
My client had an insurance policy that covered cyberattacks. It wasn’t expensive – around $1,500 a year – but its coverage stopped at $25,000, less than my client’s losses. More coverage will cost more money, so businesses have to individually determine what plan makes financial sense.
Cyber insurance does cover fees for lawyers who are experts in cyberattacks, as long as you use the insurers’ preferred firms. Communications experts can also often be hired to help with public relations and consumer communications.
Note that insurers are reportedly growing weary of paying ransoms, and they will help their customers prepare for – or better yet, prevent – future attacks by conducting security audits.
Prepare For, Limit, and Prevent Cyberattacks
- Train your employees not to open suspicious emails or click on unknown links. Sophisticated defense systems are useless if humans let the criminals in the front door.
- Back up data daily and store it offsite.
- Explore business insurance coverage for cyberattacks. If you already have it, make sure you are properly covered.
- Contact a cybersecurity/IT specialist for an audit of your systems and advice on preventing attacks.
You may not be able to stop a cyberattack, but you can be prepared.