How Ransomware and HIPAA Compliance Intersect
By Tobias Geisler Mesevage
During the infamous ransomware attack, healthcare organizations were targeted by cybercriminals who exploited multiple security vulnerabilities to install and execute SamSam. Six healthcare facilities were victims during the years-long attacks:
- Hollywood Presbyterian Medical Center (Los Angeles, California)
- Kansas Heart Hospital (Wichita, Kansas)
- Laboratory Corporation of America Holdings, (Burlington, North Carolina)
- MedStar Health (Maryland)
- Nebraska Orthopedic Hospital (Omaha, Nebraska)
- Allscripts Healthcare Solutions Inc. (Chicago, Illinois)
Healthcare is the most expensive industry for data breach costs, with the total cost of a data breach in 2019 averaging $6.45 million, according to the “2019 Cost of a Data Breach Report.”
Healthcare organizations are an attractive cyber target for ransomware attacks for several reasons:
- Many organizations use equipment that runs on old, unsupported operating systems, which means they are unable to implement security updates and patches.
- As healthcare groups consolidate, different operating systems can expose cybersecurity vulnerabilities.
- Patient health records are valuable data that can be sold on the Dark Web.
What Is Ransomware?
Ransomware is malicious software that locks your files and demands payment, or a “ransom” to access them.
The cyberattack targets a business’s critical files and encrypts them, often along with their entire operating system, preventing the business from accessing them. As part of the ransomware attack, the files can be marked for permanent deletion or published to the web.
Ransomware is intended to not only extort payment for releasing critical files but also to debilitate a business. The cost of downtime associated with a ransomware attack adds up.
Ransomware and HIPAA Compliance
Healthcare organizations must look to the Health Insurance Portability and Accountability Act (HIPAA) for guidance on prevention, management, and response to a ransomware attack.
Organizations covered by HIPAA must follow clear guidelines by the Department of Health and Human Services when responding to, reporting, and recovering from ransomware “security incidents.”
Among the steps outlined by HHS:
- Assess the scope of the incident, the origin and if it’s ongoing
- Assess if there has been a breach of Protected Health Information (PHI), which would be a violation of the HIPAA Privacy Rule
Organizations can avoid the headache and cost of a ransomware attack by implementing measures under the HIPAA Security Rule:
- Train all users and employees on malicious software protection and reporting
- Conduct a thorough risk analysis to ID threats and potential vulnerabilities to your network or PHI
- Implement security measures to address and mitigate any potential risks
- Install procedures to guard against and guard against and detect malicious software
- Limit who can access the organization’s critical files, including PHI
Under the HIPAA Privacy Rule, if an electronic PHI has become encrypted due to a ransomware attack, it’s considered a breach or “disclosure” of protected information. This triggers the Breach Notification Procedures:
- Inform affected individuals immediately
- Inform the Secretary of the HSS
- If over 500 individuals are affected, healthcare organizations must notify the media
Recovering From Ransomware
The HIPAA Security Rule also guides how to respond and recover from a ransomware attack:
- Maintain frequent backups and ensure data can be recovered quickly to come back from a malware attack
- Test restorations should be conducted to verify the accuracy and integrity of backed up data
- Consider maintaining data restoration capabilities offline and unavailable from the main network
Creating and implementing a Business Continuity Plan is a critical step in ensuring HIPAA protections and minimize downtime and the impact of a ransomware attack. As part of a Business Continuity Plan, organizations must also implement a Disaster Recovery Plan, which will outline how an organization can access and recover mission-critical data.
If an organization has been hit with a ransomware attack, HIPAA outlines the following steps as part of response and recovery:
- Determine the type of malware that was used. This will help determine the typical actions of that malware.
- Contain the impact of the proliferation of the ransomware.
- Mitigate the vulnerabilities that allowed for the ransomware attack.
- Recover lost data and resume business.
- Conduct a post-incident analysis to help implement increased security.
HIPAA covered organizations would be smart to follow the robust requirements outlined by HIPAA to prevent, protect, and recover from any malware attack, but most importantly, from ransomware.