U.S. Dept. of Health & Human Services issues cybercrime guidance for HIPAA compliance
Summary: Titled “Your Money or Your PHI: New Guidance on Ransomware,” the HHS Office of Civil Rights blog site points to an 8-page fact sheet to help healthcare entities better understand and respond to the threat of ransomware and other malware. The fact sheet stresses the need for Covered Entities and their Business Associates to provide better education to their employees, to perform regular backups, and it states that a successful ransomware attack constitutes unauthorized “acquisition” of Protected Health Information and is therefore subject to the HIPAA disclosure rules. INCS offers a free network assessment to help you understand what your risks might be, see details below.
From the blog at the hhs.gov website, here are some highlights of this notification:
The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including:
- Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
- Implementing procedures to safeguard against malicious software;
- Training authorized users on detecting malicious software and report such detections;
- Limiting access to ePHI to only those persons or software programs requiring access; and
- Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.
It is clear that the Ransomware Industry, and it is a formal industry now, is continuing to innovate in the design and proliferation of its products. The fruit of this can be seen in the frequent public disclosures of successful attacks on hospitals that are required to notify the media because of the number of patient records that have been compromised. These public disclosures are less than the visible part of the cyber-crime iceberg, they are more like the little snowball on top of the iceberg. In our local marketplace, we talk to numerous businesses of all types that have suffered a compromise but do not have a regulatory requirement to disclose.
One of the purposes of this announcement is clearly to confirm that a ransomware attack against plain-text health information is, in fact, a breach that must be disclosed. While most known ransomware does not appear to export the data that’s encrypted, the mere fact that the affected entity has lost control of their records to the attacker creates the assumption that the information could be available to unauthorized parties and therefore the notification requirements must be made. If the attack victim has a sufficiently robust technology infrastructure, it may be able to prove that while compromised, no records have left their network. This could prove a difficult case to demonstrate and document with complete assurance.
Employee training is clearly a significant component of any data security plan, as the most common ways that an attack begins is through some type of undesirable employee action. Malicious email attachments and links to compromised websites are the most common points of infiltration, but the increasing sophistication of the Ransomware Industry means that new methods are being continuously developed, and there is evidence that some of these new attack vectors do not require a careless action by a computer user. Attacks can now start by what’s called “malvertising” where the ubiquitous ads running through networks on legitimate websites can infect a computer without any overt action by the user.
If the affected entity uses full-disk encryption, that may protect the data, as long as a user was not logged into the system at the time of infection. However, someone will usually be actively using the system in order for it become infected, and the user will have unencrypted access to the data – and therefore, so will the ransomware. Full-disk encryption is really intended to protect data on a portable computer that could be lost or stolen, and it is effective in preventing access to readable data under those circumstances.
The notice also describes “robust security incident procedures” that include:
- Ability to detect the presence of ransomware and identify which variant it is
- Contain the propagation and impact of the ransomware
- Assure the complete removal of the ransomware
- Mitigate the vulnerability that allowed the attack
- Recover any “lost” data and return to business-as-usual
- Determine any obligations for notification of affected parties
- Incorporate lessons learned into ongoing management procedures
This release is directed at those entities subject to HIPAA regulations, but all organizations regardless of size or industry are vulnerable to ransomware and other viruses. The propagation methods widely used today by cyber-crime actors are mostly non-directed at any specific entity- they are more accurately thought of as indiscriminate digital birdshot than a carefully targeted rifle firing. While most industries outside of healthcare and financial services may not be subject to notification requirements, they are all vulnerable to the business disruption threat from ransomware. An ounce of technology prevention, in the form of a robust firewall and endpoint protection is always advisable, but management procedures should also include a pound or two of cure in the form of point-in-time backups available both onsite and at remote locations.
Are you concerned that your existing situation does not provide sufficient protection for your operations against the threat of cybercrime? Call INCS at 704-362-1682 option 1 to schedule a no-charge thorough assessment of your computer network and all the devices that attach to it.