Since 2016 there has been a major surge in ransomware targeted directly at healthcare organizations, as seen in the international “WannaCry” ransomware attack of May 2017, which struck 150 countries and crippled thousands of healthcare organizations, including in the U.S. Ransomware remains the number one security concern among security professionals in 2018.
Ransomware is a type of malware infection, or malicious software, that attempts to deny access to your own data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. Ransomware may also result in your data being exfiltrated out of your system to the hacker’s system. Because both scenarios result in denial of access to your data, if any of the data is HIPAA PHI, you may have a HIPAA data breach on your hands.
According to the HIPAA DHHS Office of Civil Rights, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
After your data is encrypted, a ransom screen on your device will direct you to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key so that you can retrieve your data. However, there is NO guarantee that paying the hacker will result in you getting a key to decrypt and recover your data.
Steps to Prevent Ransomware:
Taken together, the following measures are known to be effective at preventing the introduction of most ransomware and at recovering from a ransomware attack in the healthcare sector.
Train Staff to Recognize Phishing Emails!
Criminals know that the easiest way to sneak ransomware past your organization’s security is to get a user to click on a link or attachment in a phishing email. A phishing email is sent to one or more of your users disguised as a legitimate message and is designed to trick them into clicking on a link or opening an attachment. 97% of phishing emails deliver ransomware. Teach your users to spot and react to suspicious emails.
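The indicators users are taught to look for (a Reply-To that does not match the sender, link text that shows one site while the link goes to another, a high-risk attachment type, and pressure language) can also be checked automatically at the mail gateway or in a triage script. The following is an added example, not code from the original article; the risky-extension list, the urgency phrases and the two sample messages are constructed for illustration.

```python
# Added example (not from the original article): heuristic phishing indicators
# checked against a raw email message. Thresholds and word lists are assumptions.
import os
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Attachment types commonly used to carry malware droppers (illustrative list, an assumption).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".zip", ".iso"}
# Pressure language that pushes the reader to act before thinking (illustrative list).
URGENCY_PHRASES = ("urgent", "immediately", "account will be suspended", "verify your password")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if it has no usable address."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def host_of(url):
    """Lower-cased host of a URL; bare host names are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze_message(raw):
    """Return a list of 'tag: explanation' findings for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Replies silently redirected to a different domain than the apparent sender.
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to: replies go to {reply_domain}, not the sender's domain {from_domain}")

    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        # 2. Attachments whose file type is a common malware carrier.
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(f"attachment: '{filename}' uses a high-risk file type ({ext})")
            continue
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        # 3. Visible link text naming one host while the href goes somewhere else.
        if part.get_content_subtype() == "html":
            for href, inner in LINK_RE.findall(body):
                shown = re.sub(r"<[^>]+>", "", inner).strip()
                if "." in shown and " " not in shown and host_of(shown) != host_of(href):
                    findings.append(f"link: text shows {host_of(shown)} but points to {host_of(href)}")
        texts.append(body)

    # 4. Urgency wording anywhere in the subject or body.
    blob = " ".join(texts).lower()
    hits = [p for p in URGENCY_PHRASES if p in blob]
    if hits:
        findings.append("urgency: pressure language found: " + ", ".join(hits))
    return findings


# Constructed sample: a credential-reset lure with a mismatched link and a zip attachment.
SAMPLE_EMAIL = """\
From: "Hospital IT Helpdesk" <helpdesk@hospital.example>
Reply-To: helpdesk@account-reset.example
To: nurse@hospital.example
Subject: Urgent: password reset required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended unless you verify immediately:</p>
<a href="http://portal-hospital.account-reset.example/reset">https://portal.hospital.example/reset</a>
--part-boundary
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--part-boundary--
"""

# Constructed sample: an ordinary internal message that should produce no findings.
BENIGN_EMAIL = """\
From: "Ward Manager" <manager@hospital.example>
To: nurse@hospital.example
Subject: Staff meeting moved to 3pm
Content-Type: text/plain; charset="utf-8"

The Thursday staff meeting now starts at 3pm in room 2B. See you there.
"""

if __name__ == "__main__":
    for line in analyze_message(SAMPLE_EMAIL):
        print(line)
```

Each finding is prefixed with a tag so a gateway can count or score them; a message with two or more tags is a reasonable candidate for quarantine and user notification, while a single urgency hit on its own would produce too many false positives to act on automatically.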
Secure Remote Access!
Do not expose any internal system to the outside world using Microsoft’s Remote Desktop technology (also known as RDP). If remote access is required, use a method that supports two-factor authentication, such as LogMeIn, GoToMyPC, a VPN, or a similar product. Hackers scan the public internet for exposed RDP systems and employ tactics to gain access to the machine, bypass your antivirus, and infect the system with ransomware.
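A quick way to catch an exposed RDP service before an attacker does is to audit your inbound firewall or cloud security-group rules for any rule that admits port 3389 from outside your trusted networks. The following is an added example, not code from the original article; the rule dictionary layout, the trusted-network list and the sample rule sets are assumptions made for illustration, and a real audit would load the rules from your firewall or cloud provider instead.

```python
# Added example (not from the original article): flag firewall rules that expose
# RDP (port 3389) to untrusted source networks. Rule format is an assumption.
import ipaddress

RDP_PORT = 3389

# Networks from which RDP may legitimately originate: RFC 1918 ranges and IPv6 ULA,
# which is where a VPN client pool would normally live (assumption for this example).
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def source_is_trusted(cidr):
    """True only if the whole source range sits inside one trusted network."""
    src = ipaddress.ip_network(cidr, strict=False)
    return any(src.version == t.version and src.subnet_of(t) for t in TRUSTED_SOURCES)


def rule_exposes_rdp(rule):
    """True if an inbound rule lets TCP/UDP 3389 in from an untrusted source."""
    if rule.get("direction", "inbound") != "inbound":
        return False
    if rule.get("protocol", "any").lower() not in ("tcp", "udp", "any"):
        return False
    low, high = rule["ports"]
    return low <= RDP_PORT <= high and not source_is_trusted(rule["source"])


def audit_rules(rules):
    """Return the names of all rules that expose RDP, in the order given."""
    return [r["name"] for r in rules if rule_exposes_rdp(r)]


# Constructed "before" rule set: RDP open to the whole internet, plus a wide-open
# port range from a partner's public prefix that happens to include 3389.
WEAK_RULES = [
    {"name": "allow-rdp-anywhere", "protocol": "tcp", "ports": (3389, 3389), "source": "0.0.0.0/0"},
    {"name": "allow-any-port-from-partner", "protocol": "tcp", "ports": (1, 65535), "source": "203.0.113.0/24"},
    {"name": "allow-https", "protocol": "tcp", "ports": (443, 443), "source": "0.0.0.0/0"},
]

# Constructed "after" rule set: RDP reachable only from the VPN client pool, which
# itself requires two-factor authentication; HTTPS stays public, the partner rule is scoped.
HARDENED_RULES = [
    {"name": "allow-rdp-from-vpn", "protocol": "tcp", "ports": (3389, 3389), "source": "10.20.0.0/16"},
    {"name": "allow-sftp-from-partner", "protocol": "tcp", "ports": (22, 22), "source": "203.0.113.0/24"},
    {"name": "allow-https", "protocol": "tcp", "ports": (443, 443), "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print("exposed before:", audit_rules(WEAK_RULES))
    print("exposed after:", audit_rules(HARDENED_RULES))
```

The check deliberately treats any source that is not entirely inside a private range as "the outside world", so a rule scoped to a single public office address is still flagged; that is intentional, because the page's advice is that RDP should only ever be reached through a two-factor VPN, not allow-listed from the internet.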
Back Up Your Data Offsite!
In the event that a hacker successfully hijacks your computer, you can rescue yourself with a backup of your data stored somewhere else, such as on a physical hard drive kept offsite or in the cloud. That way, if a hacker locks down your computer, you can simply erase all the data from the machine and restore it from the backup.
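A backup only rescues you if it is intact when you need it: ransomware that reaches a connected backup drive encrypts the copy as well, and a restore from an encrypted copy is no restore at all. The following is an added example, not code from the original article, showing one way to record a SHA-256 manifest when the backup is taken and to verify the copy against that manifest before relying on it. The directory layout, file contents and the simulated damage are constructed; the manifest should be stored separately from the backup itself (for instance with the offsite copy, on read-only media).

```python
# Added example (not from the original article): build a hash manifest of a backup
# tree and verify a copy against it so silently encrypted, renamed or missing
# files are detected before a restore. Sample files are constructed in a temp dir.
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root, '/' separated) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare a backup tree against a manifest taken when the backup was made."""
    current = build_manifest(root)
    return {
        # Files the manifest knows about that are gone (e.g. renamed with a new extension).
        "missing": sorted(set(manifest) - set(current)),
        # Files still present but whose content changed (e.g. overwritten with ciphertext).
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        # Files that were not part of the backup (e.g. a dropped ransom note).
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed scenario: a clean backup, then the same tree after simulated damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patients").mkdir()
        (root / "patients" / "chart1.txt").write_text("constructed sample record 1")
        (root / "patients" / "chart2.txt").write_text("constructed sample record 2")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulate the damage a ransomware run leaves behind on a reachable backup:
        # one file overwritten, one renamed, and a note dropped alongside the data.
        (root / "patients" / "chart1.txt").write_bytes(b"\x00constructed garbled content")
        (root / "patients" / "chart2.txt").rename(root / "patients" / "chart2.txt.locked")
        (root / "patients" / "README_RESTORE.txt").write_text("constructed ransom note")
        damaged = verify_backup(root, manifest)
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:", before)
    print("damaged copy:", after)
```

Run the verification against the offsite copy before wiping the infected machine: a clean result (all three lists empty) means the copy can be trusted, while any entry in "modified" or "missing" means that copy was reachable by the malware and an older, isolated copy is needed.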
Keep Your Systems Patched!
Stay on top of the security updates on your machines. Implement a patch management strategy that ideally involves automated patching. For instance, configure your Windows machines to automatically install the latest software updates.
Use Antivirus Software!
Install antivirus software from reputable vendors, which can prevent malware from infecting your computer. Make sure to keep that software up to date as well.
HIPAA Requirements for Malware:
The HIPAA Privacy, Security and Breach Rules require implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of these required security measures include:
- implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
- implementing procedures to guard against and detect malicious software; training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections;
- implementing access controls to limit access to ePHI to only those persons or software programs requiring access;
- having procedures in place for responding to and reporting security incidents, including ransomware attacks;
- training your workforce to prevent, detect and report malicious software.
If you are a victim:
- Unplug the infected machine from power, the network and the internet.
- DO NOT PAY THE RANSOM!
- Contact your local police and the nearest FBI cyber-crime office.
- Contact a technology professional to help you restore the data from back-ups or to help with other options.