May 11, 2017 by

Ransomware and HIPAA: What You Need to Know to Stay Secure

Ransomware attacks have continued to increase steadily over the past couple of years. According to a recent U.S. Government interagency report, since early 2016 around four thousand ransomware attacks have occurred each day. That is a three-hundred percent increase from 2015, when just one thousand attacks took place each day. The healthcare industry has been specifically targeted by many of these attacks because of the sensitive client data it holds. Recovery from and prevention of these attacks in the healthcare sector depends on the Health Insurance Portability and Accountability Act, or HIPAA. The obligations HIPAA places on covered entities and business associates can be used to prevent and recover from ransomware attacks, as well as to manage the breach notification process during an attack.

Implementing the security measures required by the HIPAA Security Rule can help reduce the chance of malware entering the system. The necessary security measures include implementing a security management process, such as conducting a risk analysis to identify and mitigate threats and vulnerabilities to electronic protected health information, or ePHI. A complete risk analysis should be conducted to a reasonable and appropriate level, maintaining the confidentiality, integrity, and availability of all ePHI that the entity creates, receives, maintains, or transmits, and security measures should be implemented based on its results. Risk analysis and risk management are used by covered entities and business associates both to satisfy the standards of the Security Rule and to reduce threats and vulnerabilities. Access to ePHI should be limited to those who require it. Procedures to defend against and detect malicious software should also be put into effect.

In most cases, the presence of ransomware will only be detected by an entity after the user's data has been encrypted and the ransom demand has been made. However, an entity's workforce may notice early indications of ransomware. These early indications can include an unexplained increase in CPU or disk activity, files that have become inaccessible, or the presence of suspicious network communication. When ransomware is detected, the entity should promptly activate its security incident response plan to isolate the infected system and prevent the attack from spreading.
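As an added illustration of the early indicators described above (example code, not part of the original post): a small Python check that scans file-activity audit events for a burst of renames or writes on one host that all land on a single extension the host had not used before, a pattern consistent with files suddenly becoming inaccessible through bulk encryption. The event format, host names, paths and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed sample of file-activity audit events: (ISO timestamp, host, op, path).
# ws-02 shows ordinary, spread-out edits; ws-07 renames 25 records to a
# previously unseen ".locked" extension within 25 seconds.
SAMPLE_EVENTS = [
    ("2017-05-11T09:%02d:00" % m, "ws-02", "write", "/srv/records/note_%d.docx" % m)
    for m in range(0, 50, 10)
] + [
    ("2017-05-11T10:15:%02d" % s, "ws-07", "rename",
     "/srv/records/patient_%04d.pdf.locked" % s)
    for s in range(25)
]


def find_encryption_bursts(events, window=timedelta(seconds=60), min_ops=20):
    """Return {host: (extension, op_count)} for hosts that performed at least
    `min_ops` rename/write operations inside one `window`, where every file in
    that window carries the same extension and the host had not touched that
    extension before the burst. Events may arrive unordered; they are sorted."""
    by_host = defaultdict(list)
    for ts, host, op, path in sorted(events):
        if op in ("rename", "write"):
            by_host[host].append((datetime.fromisoformat(ts), os.path.splitext(path)[1]))

    flagged = {}
    for host, rows in by_host.items():
        recent = deque()        # events still inside the sliding window
        seen_before = set()     # extensions this host used before the window
        for t, ext in rows:
            recent.append((t, ext))
            while recent and t - recent[0][0] > window:
                seen_before.add(recent.popleft()[1])
            window_exts = {e for _, e in recent}
            if len(recent) >= min_ops and len(window_exts) == 1 and ext not in seen_before:
                flagged[host] = (ext, len(recent))
    return flagged


if __name__ == "__main__":
    for host, (ext, count) in find_encryption_bursts(SAMPLE_EVENTS).items():
        print("possible bulk encryption on %s: %d files -> %s" % (host, count, ext))
```

A hit from this check is a trigger for the incident response plan and isolation step described above, not proof of infection on its own; tune the window and threshold to the host's normal file activity.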

If the presence of ransomware is not detected until the system has been infected, the HIPAA Security Rule requires all covered entities and business associates to be prepared to respond to and recover from a ransomware attack. Before an attack occurs, the Security Rule requires the entity to maintain frequent backups and to ensure that data can actually be recovered from those backups. Frequent backups matter especially with regard to ransomware, since an attack can also disrupt online backup processes.

The presence of ransomware on a covered entity's or business associate's computer is considered a security incident under the HIPAA Security Rule. A security incident is the attempted or successful unauthorized access, use, alteration, disclosure, or destruction of information, or interference with an information system and its operations. HIPAA covered entities and business associates are required to establish and maintain security incident procedures, response, and reporting processes they believe are reasonable for responding to malware and other security incidents. The entity's security response should start with an initial analysis to determine the extent of the attack, the origin of the incident, how the incident may have occurred, and whether the incident is ongoing or has stopped. Answering these questions helps the entity triage incident response activities and lays the foundation for conducting deeper analysis. Required security incident procedures include:

  • Conducting an initial analysis of the ransomware
  • Containing the impact and escalation of the ransomware
  • Removing the instances of ransomware and mitigating the vulnerabilities that allowed the ransomware attack to get through
  • Recovering by restoring data lost in the attack and returning to "business as usual"
  • Conducting post-incident activities

When a ransomware attack occurs, the entity must follow the HIPAA breach notification rules. HIPAA defines a breach as "the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI". The entity must comply with the breach notification rules by notifying all affected individuals immediately, unless it is determined that there is a low probability that the PHI was compromised.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients' engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.