[BreachExchange] Ransomware and HIPAA- What You Need to Know to Stay Secure

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 12 14:01:22 EDT 2017


Ransomware attacks have continued to increase steadily over the past couple
of years. According to a recent U.S. Government interagency report, since
early 2016 around four thousand ransomware attacks have occurred each day,
a three-hundred percent increase over 2015, when about one thousand attacks
took place each day. The healthcare industry has been a frequent target
because of the sensitive patient data it holds. For covered entities and
business associates, prevention of and recovery from these attacks is
governed by the Health Insurance Portability and Accountability Act
(HIPAA). The HIPAA requirements placed on covered entities and business
associates can be used to prevent and recover from ransomware attacks, as
well as to manage the breach notification process when an attack occurs.

Implementing the security measures required by the HIPAA Security Rule can
help prevent malware from entering the system. These measures include a
security management process, in particular a risk analysis that identifies
threats and vulnerabilities to electronic protected health information
(ePHI) and risk management that mitigates them. The risk analysis should
cover the confidentiality, integrity, and availability of all ePHI the
entity creates, receives, maintains, or transmits, and the entity should
then implement security measures that reduce the identified risks to a
reasonable and appropriate level. Covered entities and business associates
use risk analysis and risk management both to satisfy the standards of the
Security Rule and to reduce their exposure to threats and vulnerabilities.
Access to ePHI should be limited to those who require it, and procedures to
guard against and detect malicious software should be in place.

In most cases, an entity will only notice ransomware after its data has
been encrypted and the ransom demand has been displayed. However, an
entity's workforce may notice early indicators of ransomware before that
point. These can include an unexplained increase in CPU or disk activity,
files that suddenly become inaccessible, or suspicious network
communication. Once ransomware is detected, the entity should promptly
activate its security incident response plan to isolate the infected
systems and prevent the infection from spreading.
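The "inaccessible files" indicator above is usually a burst of files being rewritten as ciphertext. The following is an added example, not code from the original post or from HHS guidance: it scores recently modified files by Shannon entropy (encrypted data is close to 8 bits per byte, clinical text well under 5) and checks for the extension renames and ransom notes that typically accompany mass encryption. The file records, the `.locked`-style extensions and the note filenames are constructed for illustration; a real deployment would read them from a monitored share and tune the thresholds to its own baseline.

```python
"""Heuristic early-warning check for ransomware-style mass encryption.

Added example. All inputs below are constructed in memory so the script
runs offline; the extension list and note names are illustrative, not a
signature database.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Assumptions for the example: names ransomware families commonly leave behind.
SUSPICIOUS_EXTENSIONS = (".locked", ".encrypted", ".crypt")
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover.txt"}


@dataclass
class FileRecord:
    path: str
    mtime: float   # last modification, seconds since the epoch
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess(records, now, window=300.0, entropy_threshold=7.5, burst_threshold=5):
    """Return the indicators found and an overall alert decision.

    A single high-entropy file (a PDF, a zip) is normal; a burst of them
    modified within `window` seconds, or any ransom note, is not.
    """
    recent = [r for r in records if now - r.mtime <= window]
    high_entropy = [r.path for r in recent
                    if shannon_entropy(r.data) >= entropy_threshold]
    renamed = [r.path for r in recent
               if r.path.lower().endswith(SUSPICIOUS_EXTENSIONS)]
    notes = [r.path for r in records
             if r.path.rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES]
    hits = set(high_entropy) | set(renamed)
    return {
        "recent_modified": len(recent),
        "high_entropy": high_entropy,
        "suspicious_names": renamed,
        "ransom_notes": notes,
        "alert": len(hits) >= burst_threshold or bool(notes),
    }


def _pseudo_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


# Constructed sample data.
NOW = 1_700_000_000.0
_RECORD_TEXT = b"Patient: Jane Doe\nDOB: 1970-01-01\nDx: hypertension\n" * 40

BENIGN_RECORDS = [
    FileRecord(f"/share/records/visit_{i}.txt", NOW - 86400, _RECORD_TEXT)
    for i in range(4)
] + [FileRecord("/share/records/visit_new.txt", NOW - 30, _RECORD_TEXT)]

# Same share five minutes later: six records rewritten as ciphertext and
# renamed, plus a ransom note dropped beside them.
ATTACKED_RECORDS = BENIGN_RECORDS[:1] + [
    FileRecord(f"/share/records/visit_{i}.txt.locked", NOW - 20,
               _pseudo_ciphertext(f"file-{i}".encode()))
    for i in range(6)
] + [FileRecord("/share/records/README_TO_DECRYPT.txt", NOW - 15,
                b"Your files are encrypted. Pay to recover them.\n")]


if __name__ == "__main__":
    print("benign share:  ", assess(BENIGN_RECORDS, NOW)["alert"])
    print("attacked share:", assess(ATTACKED_RECORDS, NOW))
```

The check is deliberately cheap enough to run from a scheduled task on a file server; its value is in raising the alarm during the first minutes of encryption, when isolating the host still limits the damage.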

If ransomware is not detected until systems have already been infected, the
HIPAA Security Rule requires covered entities and business associates to
have procedures in place, and their workforce trained, for responding to
and recovering from the attack. Before an attack occurs, the Security Rule
requires the entity to maintain frequent backups and to test its ability to
restore data from them. Backup frequency matters for ransomware in
particular, and because ransomware can also reach and disrupt online
backups, at least one copy should be kept offline or otherwise isolated
from the production network.

The presence of ransomware on a covered entity's or business associate's
computer systems is a security incident under the HIPAA Security Rule. A
security incident is the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information, or interference
with system operations in an information system. HIPAA covered entities and
business associates are required to establish and maintain security
incident procedures, and response and reporting processes, that they
reasonably believe are adequate to respond to malware and other security
incidents. The entity's response should start with an initial analysis to
determine the scope of the attack, the origin of the incident, how it may
have occurred, and whether it is ongoing or has stopped. Answering these
questions helps the entity triage its incident response activities and
provides the foundation for deeper analysis. The required security
incident procedures include:

Conducting an initial analysis of the ransomware
Containing the impact and spread of the ransomware
Eradicating the ransomware and mitigating the vulnerabilities that allowed
it in
Recovering by restoring lost data and returning to "business as usual"
Conducting post-incident activities

When ransomware encrypts PHI, the entity must also consider the HIPAA
Breach Notification Rule. HIPAA defines a breach as "the acquisition,
access, use, or disclosure of PHI in a manner not permitted under the
[HIPAA Privacy Rule] which compromises the security or privacy of the PHI".
A ransomware attack that encrypts PHI is presumed to be a breach, and the
entity must notify affected individuals without unreasonable delay and no
later than 60 days after discovery, unless it can demonstrate through a
documented risk assessment that there is a low probability that the PHI
was compromised.