The Federal Bureau of Investigation is warning all businesses about the risks of “ransomware.” Ransomware is malware: a malicious program delivered through an e-mail message or a web page. The message is often crafted to look innocuous and is directed at a specific person in the organization, such as a controller, accountant, or risk manager. It typically includes an attachment, such as a document (.pdf), text file (.txt), or spreadsheet (.xls), that appears legitimate, for example a bill or a letter. Alternatively, the message may direct the user to a website that appears valid. When the user opens the attachment or visits the website, the malicious program encrypts the files and folders containing the user’s information and data. The files are not hidden or deleted; they remain in place but can no longer be read without a decryption key that only the attacker holds. The person or organization behind the message then demands a ransom: money in exchange for the key needed to restore access to the information and data.
The number of ransomware attacks has been increasing. The FBI does not advocate paying a ransom: payment does not guarantee that the attacker will actually provide a working decryption key, and it funds further attacks. The FBI has set up a Cyber Task Force to assist in the event of a ransomware attack (www.fbi.gov/contact-us/field). The FBI recommends employee training; keeping all operating systems, software, and antivirus/anti-malware protection up to date; and maintaining strict file access privileges across the organization, so that a compromised user account can only encrypt the files that user genuinely needs to modify. In practice, regular backups that are tested and kept offline or otherwise out of reach of the infected systems are what make recovery without paying possible.
If a health care provider or other HIPAA covered entity, or a business associate, is hit by a ransomware attack, there may be additional breach reporting requirements under HIPAA, depending on the circumstances, including whether protected health information was encrypted by the attacker. Remember, many cyber insurance policies provide data breach services that include assistance with reporting and remediation.