Ransomware attacks have continued to increase steadily over the past couple of years. According to a recent U.S. Government interagency report, around four thousand ransomware attacks have occurred each day since early 2016. That is a three-hundred percent increase from 2015, when just one thousand attacks took place each day. The healthcare industry has been specifically targeted by many of these attacks because of the sensitive client data it holds. Recovery from and prevention of these attacks in the health care sector depends on the Health Insurance and Accountability Act, or HIPAA. HIPAA covered entities and business associates can use it to prevent and recover from ransomware attacks, as well as to manage the breach notification process during an attack.
Implementing the security measures stressed in the HIPAA Security Rule can help reduce the possibility of malware entering the system. The necessary security measures include implementing a security management process, such as conducting a risk analysis to identify and mitigate the threats and vulnerabilities to electronic protected health information, or ePHI. A complete risk analysis should be conducted at a reasonable and appropriate level, maintaining the confidentiality, integrity, and availability of all ePHI that the entity creates, receives, maintains, or transmits, and security measures should be implemented. Risk analysis and risk management are used by covered entities and business associates both to satisfy the standards of the Security Rule and to reduce threats and vulnerabilities. Access to ePHI should be limited to only those who require it. Procedures to defend against and detect malicious software should also be put into effect.
In most cases, the presence of ransomware will only be detected by an entity after the user’s data has been encrypted and the ransom demand has been made. However, an entity’s workforce may discover early indications of ransomware. These early indications can include an unexplained increase in CPU or disk activity, inaccessible files, or suspicious network communication. When the presence of ransomware is detected, the entity should promptly implement its security incident response plan to isolate the infected system and prevent the spread of the attack.
If the presence of ransomware is not detected until the system has been infected, the HIPAA Security Rule requires that all covered entities and business associates be trained in responding to and recovering from a ransomware attack. Before an attack occurs, the Security Rule requires the entity to frequently maintain backups and ensure the ability to recover data from those backups. Frequent backups matter particularly for ransomware, since a ransomware attack can disrupt the process of online backups.
The presence of ransomware on a covered entity’s or business associate’s computer is considered a security incident under the HIPAA Security Rule. A security incident is the attempted or successful unauthorized access, use, alteration, disclosure, or destruction of information, or interference with the information system and its operations. HIPAA covered entities and business associates are required to establish and maintain security incident procedures, response, and reporting processes they believe are reasonable to respond to malware and other security incidents. The entity’s security response should start with an initial analysis to determine the extent of the attack, the origin of the incident, how the incident may have occurred, and whether the incident is continuing or has stopped. Answering these questions will help the entity triage incident response activities and acts as the foundation for deeper analysis. Required security incident procedures include:
- Conduct an initial analysis of the ransomware
- Control the impact and escalation of the ransomware
- Remove the instances of ransomware and mitigate the vulnerabilities that allowed the ransomware attack to pass through
- Recover by restoring lost data from the attack and returning to “business as usual”
- Conduct post-incident activities
When a ransomware attack occurs, the entity must follow the HIPAA breach notification rules. HIPAA defines a breach as “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI”. The entity must comply with the breach notification rules by notifying all affected individuals immediately, unless it is determined that there is a low probability that the PHI was compromised.