OCR tips on preventing and mitigating attacks
Hackensack Meridian Health announced that it was the subject of a ransomware attack and paid an undisclosed amount to regain control over its systems. This is another example of how this type of malicious software (or malware) can deny access to a user’s data, usually by encrypting the data with a key known only to the attacker who deployed the ransomware. For a victim to obtain this key, a ransom payment is required. Although ransomware attacks are not unique to the health care industry, they pose a particularly serious threat to HIPAA covered entities, business associates, and the electronic protected health information (ePHI) that they hold. The Federal Bureau of Investigation (FBI) has estimated that over 100,000 computers are infected daily and annual ransom payments reach almost $1 billion. Ransom payments are only a part of the costs associated with an attack. Additional costs associated with ransomware attacks include unrecoverable data, lost productivity, damage to reputation, damaged equipment, forensic investigations, remediation expenses, and legal bills. The following are tips and suggestions offered by the Department of Health and Human Services Office for Civil Rights to protect health care information:
- Educate the work force on the fact that a successful ransomware attack relies heavily upon gaining unauthorized access to systems through phishing emails and vulnerability exploitation (e.g., exploiting unpatched operating systems or application vulnerabilities). Also, an organization should conduct ongoing training to keep users aware of potential threats the organization and individuals may face. Additionally, user training on how to report potential security incidents can greatly assist in an organization’s response process by expediting escalation and notification to proper individuals.
- Conduct a thorough and accurate assessment that identifies potential risks and vulnerabilities to the confidentiality, integrity, and availability of the organizations’ ePHI. Covered entities and business associates should then implement security measures to reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
- Identify and address technical vulnerabilities within information systems and information technology infrastructure. Bad actors often depend on technical vulnerabilities such as outdated software, unsecured ports, and poor access management/provisioning to successfully deploy malware, including ransomware. This is particularly critical for hospitals and other health care providers that rely on medical devices and machines that run on old and often unsupported software.
- Implement effective security tools such as anti-malware software and intrusion detection/prevention solutions to help prevent, detect, and contain attacks.
- Maintain an effective monitoring system to identify anomalous activity and regularly review records of information system activity.
- Develop incident response procedures that can greatly limit the damage caused by a ransomware attack. Incident responses should include procedures for quickly isolating and removing infected devices from the network since this will help reduce the spread of the ransomware. Anti-malware tools can also be deployed to help stop the spread of ransomware and to reduce its harmful effects.
- Prepare written response procedures with enough details so that they can be implemented and executed effectively. Key to mitigating the potential harm following an intrusion is identifying and responding to suspected security incidents.
- Test security incident procedures from time to time to ensure they remain effective and everyone is reminded of their role during an incident response.
- Develop an effective and robust contingency plan. A contingency plan is essential to continuing critical operations during an attack and recovering from an attack. Because patient health and safety may be impacted, tolerance of system downtime is low and ePHI availability requirements are high.
- Establish a backup system for ePHI and ensure that it is accessible and recoverable in the event of a ransomware attack. One of the most critical safeguards during a ransomware attack is a recoverable, secure, and up-to-date backup of ePHI and other critical data allowing for patient care and provider operations to continue.