[BreachExchange] How Healthcare Organizations Can Reduce Cyber Extortion Risk

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 31 20:41:21 EST 2018


Healthcare organizations must be mindful of how they reduce cyber extortion
risk because covered entities maintain sensitive data and provide necessary
services, OCR stated in its January Cybersecurity Newsletter.

Cyber extortion often consists of cyber criminals demanding money from
organizations in exchange for the criminals stopping their malicious
activity. This activity could include stealing sensitive information or
interrupting computer services, OCR explained.

Ransomware, denial of service (DoS) and distributed denial of service
(DDoS) attacks are all prime examples of cyber extortion that could impact
healthcare. OCR reiterated that it has provided guidance on these
cybersecurity attacks before, but stressed that entities must regularly
update their prevention and mitigation tactics.

“Another type of cyber extortion occurs when an attacker gains access to an
organization’s computer system, steals sensitive data from the
organization, and then threatens to publish that data,” the newsletter
read. “The attacker uses the threat of publicly exposing an
organization’s sensitive data, which could include protected health
information (PHI), to coerce payment.”

Additionally, attackers could potentially sell the stolen data even if a
ransom is paid. Cyber criminals could also delete the information from an
organization’s computers.

“Payment of the ransom is no guarantee that an organization will get its
data back,” OCR cautioned. “In fact, there have been instances where one
attacker has stolen and deleted an organization’s data while leaving a
demand for payment only to have a second attacker gain access to the same
computer system and overwrite the payment demand of the first attacker.”

“In this circumstance, the second attacker didn’t even have the data, so
the organization has no chance of retrieving data from the second
attacker,” the agency continued.

Healthcare organizations must remain vigilant in their cybersecurity
measures, OCR said. Cyber criminals are going to evolve in their methods,
and entities cannot afford to fall behind.

Having a robust risk analysis and risk management program is one critical
step, the agency stated. The risk management program should identify and
address cyber risks holistically and throughout the entire organization.

OCR also said in its newsletter that organizations should implement “robust
inventory and vulnerability identification processes to ensure accuracy and
thoroughness of the risk analysis.”

HIPAA regulations require a risk analysis as part of the administrative
safeguard requirement.

“Risk analysis should be an ongoing process, in which a covered entity
regularly reviews its records to track access to e-PHI and detect security
incidents, periodically evaluates the effectiveness of security measures
put in place, and regularly reevaluates potential risks to e-PHI,” HHS
explains on its website.

Adjustments should also be made as more technology is introduced. New
connected medical devices or even cloud storage options could impact how
ePHI is stored and subsequently affect the risk analysis.

Employee training is also critical for reducing cyber extortion risk, OCR
said in the newsletter. Staff members should be able to “identify
suspicious emails and other messaging technologies that could introduce
malicious software into the organization.”

Proper employee training in cybersecurity measures is often a
concern of healthcare executives. Eighty percent of health IT
executives and professionals said employee security awareness was their
greatest data security concern, according to a 2017 HIMSS Analytics survey.

Eighty-five percent of respondents added that their organization uses an
internal/employee security awareness program, but employee awareness
training was still one of the top five barriers to adopting a comprehensive
security program.

In addition to creating training and risk management programs, healthcare
organizations must consider technical safeguards, OCR stated in the

Anti-malware solutions, patching system vulnerabilities, data encryption,
and data backups are all critical steps for reducing cyber extortion risk.

Entities should also harden their internal network defenses and ensure they
are “limiting internal network access to deny or slow the lateral movement
of an attacker and/or propagation of malicious software,” the agency said.

“Implementing and testing robust contingency and disaster recovery plans to
ensure the organization is capable and ready to recover from a
cyber-attack,” will help organizations reduce their chances of being a
cyber extortion victim.

Additionally, robust audit logs should be implemented. Healthcare
organizations need to regularly review their audit logs for any suspicious

Signing up to receive US-CERT alerts and participating in information
sharing organizations can also be beneficial because it will help entities
stay educated on the latest cyber threats and vulnerabilities.

A strong risk management approach and updating potentially vulnerable
software were also cited as key steps for healthcare organizations to take
following the Spectre and Meltdown vulnerabilities.

The Healthcare Cybersecurity and Communications Integration Center (HCCIC)
urged Healthcare and Public Health (HPH) entities in a January 2018 release
to monitor medical device security and personally identifiable information
(PII) stored in the cloud.

The Meltdown and Spectre vulnerabilities could circumvent certain
protections and expose “nearly any data the computer processes, such as
passwords, proprietary information, or encrypted communications,” NH-ISAC
researchers found.

HCCIC cautioned that PHI or PII leakage from web browsers could occur, and
healthcare entities should be wary of the possibility of service
degradation and/or interruption from patches.

“Medical devices and supporting medical equipment may not resemble
computers, but may run operating systems (Windows, Linux, etc.) on
processors that could be vulnerable to Meltdown and Spectre,” HCCIC said.
“Contact medical device manufacturers through security portals, if
available, for information specific to each medical device and the
manufacturer’s recommendations for patching medical devices.”

Whether the threat is cyber extortion, malware, or another type of
cybersecurity issue, healthcare organizations must remain vigilant in their
data security measures. A comprehensive and current risk management plan,
regular employee training, and a disaster recovery plan will all be key
tools to maintain PHI security.