Both large and small businesses are warned about hackers getting into their files and demanding a ransom in order to release the blocked access. Businesses are not preparing for the inevitable, and they are easy pickings for hackers. The question is not whether you will face this problem, but when. The number of ransomware attacks is increasing rapidly, with the healthcare industry experiencing a 17% increase from Q2 to Q3 of 2016 according to the NTT Security Q3 Quarterly Threat Intelligence Report.[1]
Ransomware attacks restrict access to a compromised computer system and demand that the user pay a ransom in order to remove the restriction. Initially, individuals were the victims of these attacks; however, because the technique is so lucrative, hackers have expanded their targets to businesses and medical facilities, where access to data is vital for day-to-day operations.
Many businesses find that the easiest and quickest way to regain access to their information is simply to pay the ransom. However, there is no promise that a payment will result in the return of your information.
In February, Hollywood Presbyterian Medical Center in Los Angeles had issues accessing its network. After an investigation, it was determined that malware had locked access to the system. In order to regain access, the hospital paid a ransom of 40 Bitcoins, which was equivalent to about $17,000. Patient care was not compromised, and patient information was not accessed by unauthorized users.[2]
In a recent Washington Post article, Sinan Eren, who has worked in cybersecurity for government and healthcare organizations, explains that medical facilities are vulnerable to these attacks in part because they do not properly train their employees on how to avoid being hacked.[3]
Unfortunately, the threat is not going away anytime soon. In August, Rainbow Children's Clinic, located in Texas, reported that a hacker gained access to the practice's computer system and encrypted the PHI of its patients, making it impossible for the clinic to access patient files. Some patient data was deleted and cannot be recovered because PHI was not backed up regularly. Rainbow Children's Clinic reported that this breach affected over 33,000 patients.[4]
How do you prevent this?
Risk assessment: The HIPAA Security Rule requires covered entities to perform a Risk Assessment of their organization under 45 C.F.R. § 164.308(a)(1)(ii)(A).[5] A Risk Assessment helps to show where ePHI may be vulnerable and at risk. It may reveal the need for more protection, such as firewalls, anti-virus software, or prevention and detection tools. A Risk Assessment is the foundation and blueprint for safeguarding ePHI and, most importantly, the process promotes better business practices.
HIPAA compliant IT professional: A lack of employee training is a significant contributor to weak network security. Something many organizations do not consider is whether their IT professional is HIPAA compliant. A HIPAA compliant IT professional can help you prevent breaches. IT professionals need to understand what HIPAA requires in cybersecurity in order to protect your business.
Information system activity review is required by HIPAA. It requires the regular review of audit logs, access reports, and security activity tracking reports.[6] IT professionals are also expected to put controls in place for access to ePHI and to implement malware protection that guards against malicious software.
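The activity review above is where ransomware is usually first visible: a single account on a single workstation rewriting or renaming far more files than any clinician would. The following script is an added example (not part of the article or any named product) that scans constructed file-server audit lines for such bursts; the log format, the user and host names, and the suspect extensions are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SUSPECT_EXT = {".locked", ".crypt", ".encrypted", ".enc"}  # assumed ransomware suffixes
WINDOW = timedelta(seconds=60)   # look-back window for counting write/rename events
THRESHOLD = 20                   # events per window that should trigger a review

def build_sample_log():
    """Constructed audit lines: '<ISO timestamp> <user> <host> <action> <path>'."""
    t0 = datetime(2016, 8, 1, 9, 0, 0)
    lines = []
    for i in range(5):    # benign: one clinician saving five charts over an hour
        ts = t0 + timedelta(minutes=12 * i)
        lines.append(f"{ts.isoformat()} drlee WS07 WRITE \\\\FS1\\patients\\{1000 + i}\\chart.pdf")
    for i in range(30):   # suspicious: 30 renames to .locked within 45 seconds
        ts = t0 + timedelta(minutes=30, seconds=int(i * 1.5))
        lines.append(f"{ts.isoformat()} jsmith WS12 RENAME \\\\FS1\\patients\\{2000 + i}\\chart.pdf.locked")
    return "\n".join(lines)

def parse_line(line):
    ts, user, host, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, host, action, path

def find_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (user, host) whose write/rename count in any window meets threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, host, action, path = parse_line(line)
        if action in ("WRITE", "RENAME"):
            events[(user, host)].append((ts, path))
    alerts = []
    for (user, host), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):            # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                renamed = sum(1 for _, p in burst if PureWindowsPath(p).suffix.lower() in SUSPECT_EXT)
                alerts.append({"user": user, "host": host, "events": len(burst),
                               "suspect_ext": renamed, "first": burst[0][0], "last": burst[-1][0]})
                break                          # one alert per principal is enough for review
    return alerts

if __name__ == "__main__":
    for alert in find_bursts(build_sample_log()):
        print(alert)
```

A burst with a high suspect_ext count is a strong candidate for isolating the workstation and checking that the last backup predates the "first" timestamp.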
Security incident response and reporting is also required by HIPAA. Organizations must identify and respond to known or suspected security incidents, mitigate their effects, and document the outcome.[7]
Data backup: One way to prevent a successful ransomware attack is to back up your files often. This way, even if your files are locked by hackers, you do not need to pay to get them back. Frequent backups (at least daily, if not hourly) are a simple way to add an extra layer of protection to your ePHI. However, do not keep the backup drives connected directly to the network, because the backup could be encrypted as well.[8]
Conclusion
Ransomware attacks will continue to increase exponentially in 2017. Better HIPAA compliance training of employees and management in your organization can help to defend against ransomware attacks. Ransom is expensive, and so are HIPAA fines. The alternative is becoming compliant. Not only does HIPAA compliance cost a fraction of either scenario, but it also offers you peace of mind.
1. http://www.hipaajournal.com/healthcare-ransomware-infections-increased-17pc-q3-3642/
2. https://www.washingtonpost.com/news/morning-mix/wp/2016/02/18/after-computer-hack-l-a-hospital-pays-17000-in-bitcoin-ransom-to-get-back-medical-records/?tid=a_inl
3. https://www.washingtonpost.com/local/virus-infects-medstar-health-systems-computers-hospital-officials-say/2016/03/28/480f7d66-f515-11e5-a3ce-f06b5ba21f33_story.html
4. http://www.hipaajournal.com/rainbow-childrens-clinic-ransomware-attack-resulted-in-data-loss-3635/
5. 45 C.F.R. § 164.308(a)(1)(ii)(A)
6. 45 C.F.R. § 164.308(a)(1)(ii)(D)
7. 45 C.F.R. § 164.308(a)(6)(ii)
8. https://www.wired.com/2016/05/4-ways-protect-ransomware-youre-target/