New HIPAA Guidance Requires Ransomware Attacks to Be Reported


Ransomware, a dangerous form of malware that typically encrypts the victim’s files and withholds the means to recover them until a ransom is paid to the attacker, is a growing concern in the Healthcare Industry.

The volume of incidents and the cost of the resulting damage are soaring, and several recent high-profile cases have drawn extensive media coverage. That exposure has in turn drawn more attackers to Healthcare organizations, which they see as both susceptible and willing to make large payouts to regain access to their files. To help combat this rise, and to clarify the rules and procedures Healthcare organizations should follow to prevent and respond to ransomware infections, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights has released a fact sheet providing guidance on ransomware as it relates to the Health Insurance Portability and Accountability Act (HIPAA).

Most notable in the HHS guidance is its clarification of whether a ransomware attack is a HIPAA breach that must be reported. The HHS’s answer is clear: when electronic protected health information (ePHI) is encrypted as a result of a ransomware attack, a breach is presumed to have occurred. By encrypting the data, the attackers have acquired it, taking possession and control of the information, which constitutes a “disclosure” not permitted under the HIPAA Privacy Rule. The intent of a ransomware attack is usually not to steal the data but to hold it for ransom; taking control of it is nonetheless a breach. The only way out of notification is the exception the Breach Notification Rule itself provides: the covered entity or business associate must be able to demonstrate, through a documented risk assessment of the factors the rule lists, that there is a low probability the PHI has been compromised. Absent that showing, notification to the affected individuals and to HHS (and, for breaches affecting more than 500 residents of a state, to prominent media outlets) is required.

Beyond this clarification, the new guidance largely reinforces activities already required under HIPAA to prevent, detect, contain, and respond to threats. These activities include:

  • Conducting a risk analysis to identify threats and vulnerabilities to ePHI, and establishing a plan to mitigate or remediate the identified risks. A penetration test or vulnerability assessment can feed this analysis, but the Security Rule’s risk analysis is broader than either.
  • Implementing procedures to guard against and detect malicious software, such as ransomware.
  • Training authorized users to recognize malicious software and to report what they find.
  • Limiting access to ePHI to only those persons or programs that require it.
  • Maintaining an overall contingency plan that includes disaster recovery, emergency-mode operations, frequent data backups, and periodic test restorations.

The HHS fact sheet stresses that entities fully complying with HIPAA’s requirements for protecting ePHI are less likely to be infected by ransomware, and that if they are infected, they are more likely to recover quickly and sustain less damage.

Beyond ensuring that all of the activities outlined by the HHS are routinely conducted, there are additional specific steps the Withum Cyber Secure team recommends Healthcare organizations take to protect themselves from ransomware. These include:

Educate your staff

Ransomware typically relies on tricking a user in your organization into opening an email attachment or visiting a malicious website. Train your staff to scrutinize attachments and links in email and not to visit suspicious websites on their work computers. For added safety, train them never to click a link in an email at all, but instead to type the site’s address themselves if they believe the email is legitimate.

Routinely back up your data and keep it isolated

A routine backup plan is a critical practice for any data system. To combat ransomware, however, you must also ensure that the backups are isolated from the systems they protect, whether offline or on storage that cannot be written to with the credentials used on the production network, so that if an infection does occur, the ransomware cannot encrypt the backup files as well. Restoring from backups is the easiest and least expensive way to recover from a ransomware attack. If the backups have been encrypted too, that option is gone, and paying the ransom may become the only remaining choice, with no guarantee that the attacker’s decryption actually works. Finally, periodically perform test restorations and verify that the restored data is complete and intact; a backup that has never been restored is an assumption, not a safeguard.
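The following shell script is an added example to illustrate the test-restoration step described above; it is not code from the Withum post or from the HHS fact sheet. It archives a directory together with a SHA-256 manifest, then restores the archive into a scratch directory and re-hashes every restored file against the manifest, so an archive that has been overwritten or encrypted, or a restore that comes back incomplete, is caught before it is needed. It assumes GNU tar, sha256sum and mktemp are available; the directory names and patient-record sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Withum post or the HHS fact sheet.
# Backs up a directory with a SHA-256 manifest, then performs a test restore
# into a scratch directory and verifies every restored file against the
# manifest. Assumes GNU tar, sha256sum and mktemp; all paths and sample data
# below are constructed for the demonstration.
set -eu

# make_backup SRC_DIR DEST_DIR NAME
# Writes DEST_DIR/NAME.tar (the archive) and DEST_DIR/NAME.sha256 (a manifest
# of every file under SRC_DIR). The manifest is what later proves a restore
# is complete and unmodified.
make_backup() {
    src="$1"; name="$3"
    mkdir -p "$2"
    dest=$(cd "$2" && pwd)
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) \
        > "$dest/$name.sha256"
    ( cd "$src" && tar -cf "$dest/$name.tar" . )
}

# verify_backup DEST_DIR NAME
# Restores DEST_DIR/NAME.tar into a fresh scratch directory and re-hashes the
# restored files against the manifest. Returns 0 only when the archive
# extracts and every listed file matches; an unreadable archive (for example
# one that ransomware reached and encrypted), a missing file or a changed
# hash all return 1.
verify_backup() {
    dest=$(cd "$1" && pwd); name="$2"
    scratch=$(mktemp -d)
    if ! tar -xf "$dest/$name.tar" -C "$scratch" 2>/dev/null; then
        echo "restore FAILED: $name.tar is not a readable archive" >&2
        rm -rf "$scratch"; return 1
    fi
    # sha256sum -c re-hashes each listed file; --quiet prints only failures,
    # --strict also rejects malformed manifest lines.
    if ( cd "$scratch" && sha256sum -c --quiet --strict "$dest/$name.sha256" ); then
        rm -rf "$scratch"; return 0
    fi
    echo "restore FAILED: restored files do not match manifest for $name" >&2
    rm -rf "$scratch"; return 1
}

# --- constructed demonstration data ---
WORK=$(mktemp -d)
SRC="$WORK/ehr"      # stands in for the system holding ePHI
BK="$WORK/backup"    # stands in for the isolated backup store
mkdir -p "$SRC/records"
printf 'patient 001 visit notes\n' > "$SRC/records/001.txt"
printf 'patient 002 lab results\n' > "$SRC/records/002.txt"

make_backup "$SRC" "$BK" nightly
verify_backup "$BK" nightly && echo "test restore of nightly succeeded: backup is usable"

# Simulate ransomware that reached the backup store and overwrote the archive.
# The test restore now fails, which is exactly what this routine should surface
# before an incident rather than during one.
printf 'ENCRYPTED' > "$BK/nightly.tar"
if verify_backup "$BK" nightly; then
    echo "unexpected: tampered backup passed verification"
else
    echo "test restore of nightly failed: this backup cannot be relied on"
fi
rm -rf "$WORK"
```

Run it on a schedule against the real backup store and treat any non-zero exit from verify_backup as an incident to investigate. Note that the script only proves the backup is intact; isolation is a property of where the archive and manifest live (offline media, or storage that production credentials can read but not overwrite), not of the script itself.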

Reduce user access and capabilities to only what is needed

Ensure that staff are allowed access only to the files and network shares they legitimately require to do their jobs. Ransomware runs with the privileges of the user who launched it, so the shares a user can write to define how far an infection can spread. In addition, ensure that staff are not local administrators on their computers, so that they cannot install software; only an administrator should install software. Giving staff broad access to data on the network and complete control of their computers makes the network easier to administer and produces fewer complaints from end users, but it also opens the door to ransomware infections and expands how far they can reach when they do occur.

The key to staying safe from ransomware is prevention. Dealing with an attack after it has occurred is time-consuming and costly. In the Healthcare Industry it now also requires reporting the incident to HHS and to the affected individuals if ePHI was potentially compromised, bringing further complications and expense.

For further advisement on this topic and cybersecurity in general, please contact the Cyber Secure Team at WithumSmith+Brown.

The HHS’s Ransomware Fact Sheet can be viewed in its entirety at:

https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

Ask Our Experts

Please contact a member of Withum’s Healthcare Services Group at [email protected] for further questions or assistance.

The information contained herein is not necessarily all inclusive, does not constitute legal or any other advice, and should not be relied upon without first consulting with appropriate qualified professionals for your individual facts and circumstances.
