Fall 2019 OCR Cybersecurity Newsletter: What Happened to My Data?: Update on Preventing, Mitigating and Responding to Ransomware
HHS’s Office for Civil Rights (OCR) has published its Fall 2019 Cybersecurity Newsletter, supplementing prior ransomware guidance (see our Checkpoint article) with insights into new developments in ransomware attacks and tips for improving security in response to this threat. The newsletter notes that, before 2018, most ransomware attacks involved mass, indiscriminate infection of as many devices, and across as many systems, as possible. Organizations and governments adapted to this threat by updating anti-malware products; prioritizing incident response and data backups; and studying ransomware code to reverse-engineer decryption keys. In response, bad actors have moved to targeted ransomware attacks, focusing on organizations with sensitive data, high data availability requirements, low tolerance for system downtime, and the resources to pay a ransom. OCR observes that many health care organizations fit this profile and have been targeted.
According to OCR, malicious actors planning targeted ransomware attacks usually gain unauthorized access to a victim’s information system first, then use that access to identify critical services, find sensitive data, and locate backups. Although new means are being used to identify victims, the methods of gaining unauthorized access—primarily phishing emails and exploiting unpatched operating systems or applications—are generally not new. OCR advises that proper implementation of the HIPAA Security Rule can address these vulnerabilities and help prevent, mitigate, and recover from ransomware attacks. Specifically, OCR highlights the following provisions:
Risk analysis and management. Identifying and addressing technical vulnerabilities within information systems and information technology infrastructure is crucial to preventing ransomware attacks. Implementing anti-malware software and intrusion detection solutions can also help prevent, detect, and contain attacks.
Information system activity review. Identifying anomalous activity, especially when executed with elevated privileges, can be crucial to detecting attacks in progress.
Security awareness. A training program should make users aware of potential threats—such as phishing emails that solicit login credentials—and educate them on proper responses.
Security incident procedures. These procedures can greatly limit damage caused by a ransomware attack, for example, by quick isolation and removal of infected devices from a network.
Contingency plan. Maintaining recoverable, secure, and up-to-date backups is one of the most important safeguards against ransomware attacks.
OCR emphasizes that this list is not exhaustive and other provisions, such as access controls, should also be considered.
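The "information system activity review" item above is easier to picture with a concrete check. The following is an added illustration, not code from OCR or the newsletter: it learns what each privileged account normally does from a quiet baseline window and then reports privileged events that are new, or that occur outside business hours. The log format, the account names, the set of privileged accounts and the business-hours window are all constructed assumptions.

```python
"""Review an audit log for anomalous privileged activity.
Added example (not from the OCR newsletter): privileged-account events are
compared against a baseline of normal behaviour and deviations are reported."""
from datetime import datetime

# Assumptions (not from the page): which accounts are privileged, what counts as
# business hours, and the log format "<ISO timestamp> <account> <action> <resource>".
PRIVILEGED_ACCOUNTS = {"jdoe-admin", "svc-backup"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time

# Constructed baseline window used to learn normal privileged behaviour.
BASELINE_LOG = """\
2019-09-30T09:12:04 svc-backup BACKUP_WRITE nas01:/backups
2019-09-30T11:20:40 jdoe-admin LOGON srv-app01
2019-09-30T11:22:10 jdoe-admin SERVICE_RESTART srv-app01
"""
# Constructed review window: an admin account touching a domain controller and
# the backup share at 02:40, the kind of activity the newsletter says to look for.
REVIEW_LOG = """\
2019-10-01T09:10:31 svc-backup BACKUP_WRITE nas01:/backups
2019-10-01T10:03:55 jdoe FILE_READ fs01:/patients
2019-10-02T02:41:17 jdoe-admin LOGON srv-dc01
2019-10-02T02:43:02 jdoe-admin FILE_READ nas01:/backups
2019-10-02T02:45:30 jdoe-admin FILE_DELETE nas01:/backups
"""

def parse(log_text):
    """Yield (timestamp, account, action, resource) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, account, action, resource = line.split(" ", 3)
            yield datetime.fromisoformat(ts), account, action, resource

def build_baseline(log_text):
    """Set of (account, action, resource) seen for privileged accounts in the baseline."""
    return {(a, act, r) for _, a, act, r in parse(log_text) if a in PRIVILEGED_ACCOUNTS}

def review_activity(log_text, baseline):
    """Return (timestamp, account, reason) for privileged events worth a human look."""
    findings = []
    for ts, account, action, resource in parse(log_text):
        if account not in PRIVILEGED_ACCOUNTS:
            continue  # only elevated-privilege activity is reviewed here
        if (account, action, resource) not in baseline:
            findings.append((ts, account, f"new privileged activity: {action} {resource}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((ts, account, f"{action} outside business hours"))
    return findings

if __name__ == "__main__":
    for ts, account, reason in review_activity(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(ts.isoformat(), account, reason)
```

On the constructed data, every finding belongs to jdoe-admin: the service account's daily backup write matches its baseline and runs during business hours, so it produces no noise.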
EBIA Comment: Demands for ransom are only one of the costs associated with ransomware. Covered entities and business associates may face other consequences, such as corrupted data, lost productivity, reputational damage, equipment replacement, forensic investigations, remediation expenses, and legal bills. OCR’s emphasis on targeted ransomware attacks underscores the importance of continually evaluating tools in the escalating battle between malicious actors and those responsible for safeguarding data. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXX.B (“Core Security Requirements: Administrative Safeguards”) and XXX.D (“Core Security Requirements: Technical Safeguards”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 2/20/19).
Contributing Editors: EBIA Staff.