Skip to content

NIST Provides Tips for Preventing Ransomware Attacks

In early May, a cybercriminal organization named Darkside used ransomware to paralyze the Colonial Pipeline Co., prompting a shutdown of the 5,500 mile pipeline that carries 45% of the fuel used on the East Coast. This quickly led to a rise in gasoline prices, panic buying of gas across the Southeast, and closures of thousands of gas stations. According to experts, cyberattacks, especially ransomware, are on the rise, and common targets are healthcare providers.

Ransomware is a type of malicious software, or malware, used in a cyberattack[1] that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return. In a typical attack, an employee unknowingly clicks on an email attachment or visits a website where malicious code is lurking in the background. With one keystroke, software is installed that locks you out of your own files.

To help organizations protect against ransomware attacks and recover from them if they happen, the National Institute of Standards and Technology (NIST) has published an infographic offering a series of simple prevention tips and tactics. NIST’s advice includes:

  • Use antivirus software at all times — and make sure it’s set up to automatically scan your emails and removable media (e.g., flash drives) for ransomware and other malware.
  • Keep all computers fully patched with security updates.
  • Use security products or services that block access to known ransomware sites on the internet.
  • Configure operating systems or use third-party software to allow only authorized applications to run on computers, thus preventing ransomware from working.
  • Restrict or prohibit use of personally owned devices on your organization’s networks and for telework or remote access unless you’re taking extra steps to assure security.
  • NIST also advises users to follow these tips for their work computers:
  • Use standard user accounts instead of accounts with administrative privileges whenever possible.
  • Avoid using personal applications and websites, such as email, chat and social media, on work computers.
  • Avoid opening files, clicking on links, etc. from unknown sources without first checking them for suspicious content. For example, you can run an antivirus scan on a file, and inspect links carefully.

Under HIPAA’s Security Rule, covered entities, including healthcare providers, are required to adopt adequate means for safeguarding the confidentiality, integrity, and availability of protected health information (PHI). This includes conducting a security risk assessment regularly to assess security vulnerabilities and the mechanisms currently in place to mitigate them, and then to determine what additional controls, if any, should be implemented to prevent threats to PHI, including ransomware and other cyberattacks.

For our OSHA Review Subscribers… A checklist to help dental offices conduct a HIPAA security risk assessment is available from OSHA Review’s website, in the clients-only section under OSHA Review/Professional Documents.

Since 1992, OSHA Review, Inc. has provided dental professionals with comprehensive programs to support regulatory compliance and infection control. We are a registered continuing education provider in the state of California, specializing in Dental Practice Act, infection control, and OSHA training.


[1] A cyberattack is any type of offensive maneuver that targets computer information systems, infrastructures, networks, data servers, or personal computer devices, including cell phones. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft. Examples include malicious programs such as malware, phishing, spyware, viruses, and ransomware.



Back To Top