To conclude our “Danger from the Internet” series, we look at how to react once the damage has already been done. In other words: What should a practice owner do if a hacker has been successful and has paralyzed the IT? Who should be informed, where can you get help and how should you deal with ransom demands?
It has happened: The abstract idea of being attacked by hackers has become real. When the computer is booted up in the morning, access is no longer possible; instead, a message appears stating that you can only regain control of your own data if you pay a six-figure sum. Ransomware has infiltrated and encrypted the practice’s IT. After the initial shock, it is important to react calmly and take a few measures.
First of all, it is advisable to interrupt Internet connections (including email and VPN connections) and to disconnect existing backups – if these are directly connected to the attacked system – as quickly as possible. The attack should then be reported. The contact for this is the cantonal police. The responsible police station can be found via a portal. In the next step, the practice’s IT service provider can begin to analyze the damage, set up the affected systems again and restore data using the backups – after ensuring that they are intact and have not also been infiltrated. This is a task for specialists, which is why it is not advisable to initiate these steps yourself out of misplaced zeal and the wish to return to normal operations as quickly as possible.
Anyone who decides to file a criminal complaint – which is recommended in any case – should refrain from rash action anyway, as a forensic investigation is hardly possible once the systems have been reinstalled.
There is currently no obligation in Switzerland to report cyber incidents to the Federal Office for Cybersecurity (BACS) as the Confederation’s competence center for cybersecurity (see box). However, this will change in the first half of 2025 for critical infrastructures, including the healthcare sector, explains Pascal Lamia, Head of Operational Cybersecurity at the BACS. They will then be obliged to report cyber incidents. However, they will also receive support from the Federal Office if required.
Federal Office for Cyber Security
At the beginning of 2024, the National Center for Cyber Security became a federal office (Federal Office for Cyber Security, BACS). The BACS is the first point of contact for the economy, administration, educational institutions and the population for cyber issues. It is responsible for the coordinated implementation of the National Cyber Strategy (NCS). The main task of the BACS is to make Switzerland more secure in cyberspace. The Federal Office receives reports of cyber incidents and supports operators of critical infrastructures in particular in dealing with them.
Ransom payments are not recommended
The BACS generally advises against complying with and paying ransom demands in order to prevent companies from co-financing the cybercriminals’ infrastructure and encouraging them to carry out further attacks, particularly on Swiss companies. Furthermore, there is no guarantee for the blackmailed victim that the data will not be published after the ransom has been paid.
Instead, the BACS recommends not contacting the perpetrators but discussing and coordinating further steps with the police. The recommendation to cooperate with the cantonal police also applies, especially if you decide to pay the ransom after all.
Another aspect is often misjudged: when the daily practice routine collapses because the IT is not working, there is an understandable urge to choose the supposedly quickest solution in order to return to normal processes. However, paying a ransom is only a quick solution at first glance: As a rule, the sum is demanded in the form of a cryptocurrency, for which hardly any doctors are likely to have an account. Setting this up at the bank already takes time. It is also wrong to assume that all systems are automatically up and running again once payment has been made by mouse click. Instead, the blackmailers – ideally – simply provide decryption software that you have to install and run yourself. This also takes time.
Either way, there is a risk of sensitive patient data being published by the blackmailers. You should be prepared for the worst-case scenario. Proactive communication is advisable, i.e. it is better to tell patients yourself what has happened than to let third parties find out. If blackmailers actually publish sensitive patient data, data security breaches (also known colloquially as “data breaches” or “data leaks”) must be reported to the Federal Data Protection Commissioner (FDPIC). A reporting form is available on the FDPIC’s website.
Whether you decide to pay a ransom or not, a cyberattack is always an exceptional situation for the affected practice and its employees. However, the risk can be reduced by taking preventive measures, and special cyber insurance policies can be taken out to protect against (financial) damage. And if you think about what-if situations in advance and know the right contacts, you can keep a cool head if the worst comes to the worst.
medizinonline series “Danger from the Internet”
The series “Danger from the Internet” presents in 3 parts the threats and possible consequences of cyber attacks, as well as preventive measures against them. The first part covered the various forms and ways in which criminals can infiltrate a practice’s IT, as well as ways to protect against attacks. In the second part, an insurance expert explained why it makes sense to take out special cyber insurance in addition to the usual public liability insurance and which aspects are particularly important.
HAUSARZT PRAXIS 2024; 19(12): 48 (published on 12.12.24, ahead of print)
InFo ONCOLOGY & HEMATOLOGY 2025; 13(1): 39