Ransomware infections are on the rise, and healthcare organizations are ripe targets, which may be why the federal government addressed the subject last week.
Ransomware attacks have risen from about 1,000 a day last year to 4,000 a day this year, Symantec has reported.
Many of those attacks are for small change, but some of the larger ones have been directed at healthcare providers. For example, Hollywood Presbyterian Medical Center earlier this year paid hackers US$17,000 to get its systems back online. Also, Medstar Health this spring coughed up $19,000 to return to normal operations.
The U.S. Health and Human Services Department’s Office for Civil Rights, which enforces compliance with the Health Insurance Portability and Accountability Act, better known as “HIPAA,” has released new guidance for healthcare organizations on ransomware, including the following advice:
- Conduct a risk analysis to identify threats and vulnerabilities to electronic protected health information, and establish a plan to mitigate or remediate those identified risks;
- Implement procedures to safeguard against malicious software;
- Train authorized users on detecting malicious software and report such detections;
- Limit access to ePHI to only those persons or software programs requiring access; and
- Maintain an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups and testing of restorations.
Clarification of what to do when an organization is hit with ransomware is the “crown jewel” of the guidance, said Lee Kim, director of privacy and security technology solutions at the Healthcare Information and Management Systems Society.
“There was a lot of confusion in the field about whether or not to report a breach if there was ransomware involved,” she said.
“This OCR guidance clearly says that chances are that if you’re infected with ransomware, it’s likely a reportable breach unless there are mitigating circumstances,” Kim said. “Healthcare organizations know now that if ransomware encrypts PHI (protected health information), it’s likely you’ll have to report it.”
The guidelines also recommend that organizations have contingency plans in place that can be set into motion when a security event occurs.
“Larger organizations probably already have contingency plans, but for the smaller guys, the guidelines give them a little more clarity about what HIPAA requires them to do and who to contact when something happens,” Kim explained.
Where’s My Data?
The requirement for organizations to put into place a security management process for risk analysis is a positive step, said Anthony DiBello, senior director and security strategist at Guidance Software.
As part of that analysis, organizations should take a proactive approach to identify, locate and control protected health information, he added.
“Too often, organizations don’t fully understand where sensitive information resides on their networks. When you hear estimates that 60-80 percent of stored information is dark data — or data that organizations simply don’t know what it is — that creates a tremendous amount of risk,” DiBello said.
“Organizations must be able to answer questions about stored data,” he added, “such as, What is it? Where is it? How valuable is it? Who has access to it? Should they have access to it? and What kinds of rules should attach to them?”
The guidelines are helpful, but they could use more detail, said Lysa Myers, a security researcher at Eset.
“I would like to see a bit more about specific techniques and tactics to prevent malware, such as patch or update software regularly, show hidden file extensions, and block executable files sent in email,” she said.
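Myers' last two points go together: Windows hides the final extension by default, so an attachment named "invoice.pdf.exe" is shown to the user as "invoice.pdf". The check below is an added example of an attachment screen built on that idea; it is not code from the article or from Eset, the extension lists are this example's own assumptions, and the sample filenames are constructed.

```python
# Added example: flag e-mail attachments that Windows would execute, including
# "invoice.pdf.exe"-style names that look harmless when extensions are hidden.
# The extension lists below are assumptions for this example, not a standard.

EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta",
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "ps1", "jar",
}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_attachment(filename: str) -> dict:
    """Return a verdict for one attachment name.

    The real last extension decides whether the file is executable; the
    extension just before it tells us whether the name is a document disguise.
    """
    # Normalise case and strip padding whitespace around each extension piece.
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    parts = [p for p in parts if p]  # drop empty pieces from names like "file..exe"
    if len(parts) < 2:
        return {"filename": filename, "block": False, "reason": "no extension"}
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return {"filename": filename, "block": False, "reason": "not executable"}
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        return {"filename": filename, "block": True,
                "reason": f"executable disguised as .{parts[-2]}"}
    return {"filename": filename, "block": True, "reason": f"executable .{real_ext}"}


def screen_attachments(filenames):
    """Return the verdicts for every attachment that should be blocked."""
    return [v for v in map(classify_attachment, filenames) if v["block"]]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    sample = ["report.pdf", "invoice.pdf.exe", "Setup.EXE", "notes.tar.gz", "README"]
    for verdict in screen_attachments(sample):
        print(f"BLOCK {verdict['filename']}: {verdict['reason']}")
```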
Organizations with savvy management will benefit the most from the guidelines, said DiBello.
“These guidelines will only help healthcare organizations that fully understand the risks and impact of data loss at the C and board level, thus helping to ensure that the appropriate level of importance and budget is dedicated to solving this problem,” he said.
“Organizations that invest in people, processes and technologies designed to protect endpoints, respond to threats, and fully identify where sensitive information resides,” said DiBello, “will help avoid becoming a victim of a ransomware attack, and ensure the risk of data loss is minimized when the inevitable happens.”
The guidelines outline what any security expert would expect to see in any information security management system, and recommend measures designed to give organizations broad protection against cyberattacks, noted Garry McCracken, vice president of technology at WinMagic.
“Ransomware may be the topic of the day, but one should not focus too narrowly just on it,” he mentioned. “An ISMS (information security management system) will help healthcare organizations better protect themselves in general, not just against ransomware.”
If followed, the guidelines could give healthcare organizations protection against a variety of attacks, Eset’s Myers maintained.
“By adding additional techniques like encrypting sensitive data when it’s stored or when it’s sent via the Internet, and using multifactor authentication,” she suggested, “they can significantly impact an organization’s level of risk.”
No Antidote for Bad Clicks
Even the best guidelines can’t address the core problem that has allowed ransomware to thrive, observed Stephen Gates, chief research intelligence analyst for NSFocus.
“Any new guideline that assists organizations in preventing, detecting, containing and responding to threats, especially ransomware, is a step in the right direction,” he said. “However, the question is, will guidance solve the bigger problem of the unsuspecting click?”
Proposing guidelines is one thing; having them followed is another, especially if they’re burdensome. However, that’s not the case with these rules, maintained Myers.
“While the techniques listed may require a significant change in how healthcare organizations handle data, these are not extraordinary measures by any stretch of the imagination,” she said. “Most of these things can be done with minimal purchase of new technology. Most of the cost will just be in terms of personnel power to implement new policies.”