HIPAA Compliance Can Help Covered Entities Stop, Address and Get Back Online ecover from Ransomware Attacks

Ransomware attacks are often conducted indiscriminately, with the file-encrypting software commonly distributed in mass spam email campaigns. However, since 2017, ransomware attacks have become far more targeted. It is now common for cybercriminals to select targets to attack where there is a higher than average probability of a ransom being paid.

Healthcare providers are a prime target for cybercriminals. They have large quantities of sensitive data, low tolerance for system downtime, and high data availability requirements. They also have the resources to pay ransom demands and many are covered by cybersecurity insurance policies. Insurance companies often choose to pay the ransom as it is usually far lower than the cost of downtime while systems are rebuilt, and data is restored from backups.

With attacks increasing in frequency and severity, healthcare organizations need to ensure that their networks are well defended and they have policies and procedures in place to ensure a quick response in the event of an attack.

Ransomware attacks are increasing in sophistication and new tactics and techniques are constantly being developed by cybercriminals to infiltrate networks and deploy ransomware, but the majority of attacks still use tried and tested methods to deliver the ransomware payload. The most common methods of gaining access to healthcare networks is still phishing and the exploitation of vulnerabilities, such as flaws that have not been patched in applications and operating systems. By finding and correcting vulnerabilities and improving defenses against phishing, healthcare providers will be able to block all but the most sophisticated and determined attackers and keep their networks secure and operational.

In its Fall 2019 Cybersecurity Newsletter, the Department of Health and Human Services explains that it is possible to prevent most ransomware attacks through the proper implementation of HIPAA Security Rule provisions. Through HIPAA compliance, healthcare organizations will also be able to ensure that in the event of a ransomware attack they will be able to recover in the shortest possible time frame.

There are several provisions of the HIPAA Security Rule that are relevant to protecting, mitigating and recovering from ransomware attacks, six of the most important being:

Risk Analysis (45 C.F.R. §164.308(a)(1)(ii)(A))

A risk analysis is one of the most important provisions of the HIPAA Security Rule. It allows healthcare organizations to identify threats to the confidentiality, integrity, and availability of ePHI, which allows those threats to be mitigated. Ransomware is commonly introduced through the exploitation of technical vulnerabilities., such as unsecured, open ports, outdated software, and poor access management/provisioning. It is essential that all possible attack vectors and vulnerabilities are identified.

Risk Management (45 C.F.R. §164.308(a)(1)(ii)(B))

All risks identified during the risk analysis must be managed and reduced to a low and acceptable level. That will make it much harder for attackers to succeed. Risk management includes the deployment of anti-malware software, intrusion detection systems, spam filters, web filters, and robust backup systems.

Information System Activity Review (45 C.F.R. §164.308(a)(1)(ii)(D))

If an organization’s defenses are breached and hackers gain access to devices and information systems, intrusions need to be quickly detected. By conducting information system activity reviews, healthcare organizations can detect anomalous activity and take steps to contain attacks in progress. Ransomware is not always deployed as soon as network access is gained. It may be days, weeks, or even months after a network is compromised before ransomware is deployed, so a system activity review may detect a compromise before the attackers are able to deploy ransomware. Security Information and Event Management (SIEM) solutions can be useful for conducting activity reviews and automating the analysis of activity logs.

Security Awareness and Training (45 C.F.R. §164.308(a)(5))

Phishing attacks are often effective as they target employees, who are one of the weakest links in the security chain. Through regular security awareness training, employees will learn how to identify phishing emails and malspam and respond appropriately by reporting the threats to the security team.

Security Incident Procedures (45 C.F.R. §164.308(a)(6))

In the event of an attack, a fast response can greatly limit the damage caused by ransomware. Written policies and procedures are required and these must be disseminated to all appropriate workforce members so they know exactly how to respond in the event of an attack. Security procedures should also be tested to ensure they will be effective in the event of a security breach.

Contingency Plan (45 C.F.R. §164.308(a)(7))

A contingency plan must be developed to ensure that in the event of a ransomware attack, critical services can continue and ePHI can be recovered. That means that backups must be made of all ePHI. Covered entities must also test those backups to ensure that data can be recovered. Backups systems have been targeted by ransomware threat actors to make it harder for covered entities to recover without paying the ransom, so at least one copy of a backup should be stored securely on a non-networked device or isolated system.