Although ransomware attacks are taking place in all sectors, it is more commonplace to hear of these attacks within the healthcare sector.
Within this year alone, a Hollywood hospital decided to pay a ransom of $17,000 to “rid its systems of the ransomware infection”. Soon after, hackers attacked MedStar Health, a 10-hospital network in Washington D.C. and Maryland, along with Prime Healthcare, which operates hospitals in California. All have fallen victim to ransomware, as have their patients and their protected health information.
Fierce Healthcare has reported that the health records of 9.3 million people went up for sale on TheRealDeal market. The records were stolen from four healthcare organizations' databases.
Computerworld has reported that the hacker claims to have sold $100,000 worth of records. Computerworld did not mention how many records $100,000 equates to.
Recently the U.S. Department of Health and Human Services (HHS) released ransomware recommendations and guidance for providers. “Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided decryption keys after having paid a ransom,” the guidance says. The guidance also poses questions organizations should ask themselves to help prevent ransomware attacks, such as whether employees have been trained on cybersecurity best practices and whether a risk analysis of cyber vulnerabilities has been conducted. Additionally, HHS suggests organizations implement a security incident response plan and a business continuity plan, and contact law enforcement immediately if a cyberattack occurs.
These are great suggestions, but I will remind readers that security incident response is already required under the Security Rule, at 164.308(a)(6), and a business continuity plan is required as well, at 164.308(a)(7).
What I haven’t heard in the HHS “guidance” is the Data Back-up Plan that the Security Rule’s Contingency Plan standard already requires: a plan that safeguards systems and files, is robust, and can potentially be a financial lifesaver.
Jason Rolla, chief technology officer of Christopher Rural Health, a small network of health centers and clinics in Illinois, can attest to the value of having a contingency plan in place. His plan included a contract with a data backup firm that maintained offsite backups of all systems and files. He was able to restore all of the systems and files from those backups and, ultimately, did not pay the hundreds of dollars in the virtual currency Bitcoin demanded by the hackers.
So, what’s an organization to do?
•Contract with a firm that performs data backups of all systems and files nightly. (Regularly request a report from the backup firm showing the dates and times of each backup.)
•Have a plan: a Contingency Plan.
•A Security Incident Response and Reporting Policy, with a plan behind it.
•Employee education on downloading questionable attachments or clicking on suspicious links online.
•Filtering of attachment file extensions in email.
•Filtering of email by country of origin.
•Review your spam protection and protocols.
•Restrict software downloads.
•File Server Resource Manager (FSRM).
•Have comprehensive security policies and practices in place.
•Patching for updates.
•Remove local administrators’ rights.
The items on the list above are a few additional suggestions that HHS could add to its guidance.
Of course, HIPAA doesn’t require entities to encrypt data, though HHS does expect the Security Rule’s technical safeguards to be in place.
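As an added example (not from the original post or from HHS guidance), here is how one of the listed controls, File Server Resource Manager, can be put to work on a Windows file server: an active file screen refuses writes of files whose names match known ransomware extensions or ransom-note names, logs a Warning event for the help desk, and can hand the offending user name to a responder script. It assumes Windows Server with the FSRM role, an administrative PowerShell session, a placeholder share root of D:\Shares, a placeholder responder script C:\FSRM\Respond.ps1, and an illustrative pattern list that you would replace with one maintained from your own threat intelligence.

```powershell
# Added example (not the original post's content): block and log ransomware-style
# writes on a share with an FSRM file screen.
# Assumptions: Windows Server with the FS-Resource-Manager role, run as admin,
# share root D:\Shares (placeholder), responder script C:\FSRM\Respond.ps1
# (placeholder), and a constructed pattern list that must be kept current.

# 1. Make sure the role service and its PowerShell module are available.
if (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
    Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
}
Import-Module FileServerResourceManager

# 2. Define (or refresh) the file group. These patterns are illustrative
#    examples of extensions and ransom-note names seen in past campaigns.
$groupName = 'Ransomware indicators (example)'
$patterns  = @('*.locky', '*.crypt', '*.encrypted', '*.cerber', '*.zepto',
               '*DECRYPT_INSTRUCTIONS*', '*HELP_DECRYPT*', '*README_FOR_DECRYPT*')

if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns
}

# 3. Notifications: an Application-log Warning event, plus a responder script
#    (placeholder) that receives the user name so it can, for example,
#    remove that account's share access until the workstation is checked.
#    [Source Io Owner], [Source File Path] and [Server] are FSRM macro variables.
$eventAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'FSRM blocked a possible ransomware write: user [Source Io Owner] ' +
    'tried to save [Source File Path] on [Server].')

$commandAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters '-ExecutionPolicy Bypass -File C:\FSRM\Respond.ps1 -User "[Source Io Owner]"' `
    -SecurityLevel LocalSystem

# 4. Apply an active screen: writes are refused, not merely reported.
$sharePath = 'D:\Shares'
New-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName `
    -Notification @($eventAction, $commandAction) -Active

# 5. Confirm the screen is in place.
Get-FsrmFileScreen -Path $sharePath | Format-List Path, IncludeGroup, Active
```

A file screen matches on file names only, so it is a tripwire rather than a substitute for the backups, patching and local-administrator removal listed above; its value is that the first blocked write produces an event you can alert on while the offsite backups remain untouched.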
Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert, providing guidance to organizations on HIPAA, GLBA, False Claims and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures for your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult