Regulation of Medicine


Notice of Significant Increase in Ransomware Attacks

By: Raj Shah, Senior Regulatory Attorney, Policyholder Advisor and Matthew Baker, Director of Information Security

MagMutual PolicyOwners continue to be the target of ransomware attacks and so far in 2020, there has been a significant increase in these incidents. As ransomware attacks become more frequent, it is important to take the necessary steps to prevent an attack on your computer system and know what to do in case one happens.

Ransomware is a virus that is designed to block access to your computer system until ransom money is paid. This can severely disrupt your practice’s operations, including blocking access to your medical records and/or billing system.

MagMutual saw an average ransom demand around $21,000 in 2019. However, the demand payment is only part of the financial impact a ransomware attack could have on your practice. You might also experience system downtime, damage to your practice’s reputation, and the cost of lost or stolen records. According to Becker’s Hospital Review, in 2019, the average downtime from a ransomware attack was 12 days. Computer security company McAfee estimates that the additional time it takes to perform tasks manually while your system is down can cost on average $488 per hour per physician, and each lost or stolen medical record costs on average $363 per record.    

Based on MagMutual’s experience with ransomware attacks, we’ve compiled some steps that you can take to mitigate your risk and protect your practice:

  1. Invest in industry-standard cybersecurity software for all of your systems.
  2. Keep complete, current data backups and know how to retrieve them.
  3. Protect and store data backups separately from the primary system.

Specifically, MagMutual recommends confirming with your information technology director or vendor that they can provide answers to the following questions every six months.

  • Are my data backups complete and current? How can I retrieve them if need be? Are they stored separately from the primary system and are they protected with encryption, unique passwords, and/or multi-factor authentication?
  • Have all available security patches been applied to all of our operating systems? What about network equipment (routers/modems), databases and applications including web browsers, Java, and Adobe Flash (if applicable)?
  • Are you using any remote access to come into my environment for support? If yes, is it being done securely by avoiding risky methods like exposing remote desktop protocol (RDP) to the entire internet? Can it be set up where it is only open during a support event and the access is controlled by the practice?

If you experience a ransomware attack, the first thing that you should do is contact your information technology director or vendor. That individual or company should already have an incident response plan in place, which includes immediately contacting your cyber insurance provider and isolating the infected device by removing it from your network immediately. You should not seek to pay any ransom before discussing it with your cyber insurer and their forensic information technology experts.

If your practice currently does not have cyber insurance, MagMutual offers an industry-leading policy that provides comprehensive coverage for ransomware attacks, including the costs associated with a forensic investigation, payment of the ransom demand, and support with recovering lost files. Contact your agent for more information.

To obtain more information on cybersecurity risks and best practices, please log in to your account on and click “Cyber Center” under Portals on the ‘My Account’ page.



Want to learn more?

Interested in how MagMutual can help?

View our products


The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.