• Ransomware or Bust!

  • What’s an Organization to do?

    Although ransomware attacks are taking place in all sectors, they are reported most often within the healthcare sector.

    This year alone, a Hollywood hospital decided to pay a ransom of $17,000 to “rid its systems of the ransomware infection”. Soon after, hackers attacked MedStar Health, a 10-hospital network in Washington D.C. and Maryland, along with Prime Healthcare, which operates hospitals in California. All have fallen victim to ransomware, as have their patients and their protected health information.

    Fierce Healthcare has reported that the health records of 9.3 million people went up for sale on TheRealDeal market. The records were stolen from four healthcare organizations' databases.

    Computer World has reported that the hacker claimed to have sold $100,000 worth of records. Computer World did not mention how many records $100,000 equates to.

    Recently the U.S. Department of Health and Human Services (HHS) released ransomware recommendations and guidance for providers. “Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided decryption keys after having paid a ransom,” the guidance says. The guidance also poses questions organizations should ask themselves to help prevent ransomware attacks, such as whether employees have been trained on cybersecurity best practices and whether a risk analysis of cyber vulnerabilities has been conducted. Additionally, HHS suggests organizations implement a security incident response plan and a business continuity plan, and contact law enforcement immediately if a cyberattack occurs.

    These are great suggestions, but I will remind readers that security incident response is already required under the Security Rule, 164.308(a)(6), and a business continuity plan is required as well, under 164.308(a)(7).

    What I haven’t heard in the HHS “guidance” is the Data Back-up Plan that the Contingency Plan standard of the Security Rule already requires: one that safeguards systems and files, is robust, and could potentially be a financial lifesaver.

    Jason Rolla, chief technology officer of Christopher Rural Health, a small network of health centers and clinics in Illinois, can attest to the value of having a contingency plan in place. His plan included contracting with a data backup firm that maintained offsite backups of all systems and files. He was able to restore all of the systems and files from those backups and, ultimately, did not pay the hundreds of dollars in the virtual currency Bitcoin demanded by the hackers.

    So, what’s an organization to do?

    • Contract with a firm that performs data backups of all systems and files nightly. (Regularly request a report from the backup firm showing the dates and times of each backup.)

    • Have a plan: a Contingency Plan.

    • A Response and Reporting Policy, with a plan behind it.

    • Employee education on not downloading questionable attachments or clicking on suspicious links online.

    • Filtering of extensions in email.

    • Filtering of email by country of origin.

    • Review your spam protection and protocols.

    • Restrict software downloads.

    • File Server Resource Monitor.

    • Have comprehensive security policies and practices in place.

    • Anti-virus.

    • Patching for updates.

    • Remove local administrators’ rights.

    The items on the list above are a few additional suggestions HHS could add to its guidance.

    Of course, HIPAA doesn’t require entities to encrypt data, though HHS expects the Security Rule’s technical safeguards to be in place.

    Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert, providing guidance to organizations on HIPAA, GLBA, False Claims and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult

    Copyright © JAL Consulting 2016