Ransomware Attacks and HIPAA
A ransomware attack has taken down the largest gasoline pipeline in the USA – the Colonial Pipeline carrying 2.5 million barrels per day of gasoline and other refined fuels. The pipeline runs from refineries in Texas to destinations throughout the eastern USA. This is the biggest impact a cyber attack has had on the physical operations of critical infrastructure in US history. And YES, this could happen to your physician medical practice or healthcare entity, no matter how big or how small. Is your practice or entity HIPAA-ready in case of a ransomware attack?
Ransomware is a type of malicious software (or malware) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the attacker who deployed the ransomware. In order for a victim to obtain this key, a ransom payment, which is usually made in cryptocurrency, is required. These types of attacks pose a serious threat to HIPAA covered entities, business associates, and the electronic protected health information (ePHI) that they hold.
The Office for Civil Rights (OCR) has supplemented the materials it previously published on how the HIPAA Security Rule can help prevent, mitigate, and recover from ransomware attacks, providing insight into new developments and trends observed in ransomware attacks and how organizations can improve their security posture in response to this threat.
Ransomware Prevention, Mitigation, and Recovery
Although threat actors have employed new means for identifying victims, their overall methods of gaining unauthorized access to systems and deploying ransomware remain generally the same. Phishing emails and vulnerability exploitation (e.g., exploiting unpatched operating system or application vulnerabilities) continue to be the most common attack vectors.
Entities should be mindful that ransomware attacks often occur after prior instances of unauthorized access and malware infection. A threat actor sometimes needs to have access and privileges on a victim’s information system in order to initiate the infection. Further, certain types of ransomware have been observed to “piggyback” into a system, using other malware as a tool for deployment. Proper implementation of several HIPAA Security Rule provisions can help covered entities and business associates prevent, mitigate, and recover from ransomware attacks, including:
- Risk Analysis: Covered entities and business associates are required to conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their ePHI, and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Identifying and addressing technical vulnerabilities within information systems and information technology infrastructure is crucial to preventing ransomware attacks. Successful ransomware deployment often depends on exploitation of technical vulnerabilities such as outdated software, unsecured ports, and poor access management/provisioning. Implementing effective security tools including anti-malware software and intrusion detection/prevention solutions can also help prevent, detect, and contain attacks. Identifying and reducing these potential risks and vulnerabilities is key to making an organization a less inviting target.
- Information System Activity Review: If ransomware is able to overcome an organization’s first level of defenses and enter the organization’s network and information systems, effective system monitoring and review will be critical to detecting and containing the attack. Identifying anomalous activity, especially such activity executed with elevated privileges, can be crucial to identifying an attack in progress. Covered entities and business associates are required to regularly review records of information system activity. Such records can include audit logs, access reports, and security incident tracking reports. Some organizations may benefit from tools to assist with log collection and review processes. Security Information and Event Management solutions can assist an organization with its activity review process by aggregating and helping to analyze logs and reports from many different information systems.
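The activity review described above can be partly automated. The script below is an added example, not code from the original article or from OCR: it parses a few constructed audit-log lines (the format, user names and patient identifiers are invented for the demonstration) and flags three patterns a reviewer would want escalated: privileged actions outside business hours, role grants (privilege elevation), and one account opening an unusual number of patient records in a short window. The thresholds are assumptions and would be tuned to the organization's own baseline.

```python
"""Flag anomalous activity in constructed EHR audit-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed review thresholds; tune these to the organization's own baseline.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
PRIVILEGED_ACTIONS = {"PATCH_SYSTEM", "DISABLE_BACKUP", "DELETE_BACKUP", "GRANT_ROLE"}
BULK_WINDOW = timedelta(minutes=5)
BULK_THRESHOLD = 5  # distinct patient records viewed by one user inside BULK_WINDOW

# Constructed sample log (not real data). Fields: timestamp user role action detail
SAMPLE_LOG = """\
2021-05-10T09:02:11 nurse.jane clinician VIEW_RECORD patient=1001
2021-05-10T09:05:40 nurse.jane clinician VIEW_RECORD patient=1002
2021-05-10T09:06:02 dr.smith clinician VIEW_RECORD patient=1003
2021-05-10T10:15:00 it.admin admin PATCH_SYSTEM host=ehr-db-01
2021-05-10T23:41:07 svc.backup admin DISABLE_BACKUP host=bk-01
2021-05-10T23:42:19 svc.backup admin GRANT_ROLE target=tmpuser role=admin
2021-05-10T23:43:00 tmpuser admin VIEW_RECORD patient=2001
2021-05-10T23:43:12 tmpuser admin VIEW_RECORD patient=2002
2021-05-10T23:43:30 tmpuser admin VIEW_RECORD patient=2003
2021-05-10T23:43:51 tmpuser admin VIEW_RECORD patient=2004
2021-05-10T23:44:10 tmpuser admin VIEW_RECORD patient=2005
2021-05-10T23:44:29 tmpuser admin VIEW_RECORD patient=2006
"""


def parse_line(line):
    """Split one log line into a dict; the detail field keeps any remaining text."""
    ts, user, role, action, detail = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "role": role, "action": action, "detail": detail}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review(events):
    """Return a list of findings, each a dict with rule, user, when and detail."""
    findings = []
    for e in events:
        if e["action"] in PRIVILEGED_ACTIONS:
            # Privileged change made outside business hours: review it.
            if not (BUSINESS_START <= e["ts"].time() <= BUSINESS_END):
                findings.append({"rule": "after_hours_privileged", "user": e["user"],
                                 "when": e["ts"].isoformat(), "detail": e["action"]})
        if e["action"] == "GRANT_ROLE":
            # Every privilege grant is worth a second look regardless of time.
            findings.append({"rule": "privilege_grant", "user": e["user"],
                             "when": e["ts"].isoformat(), "detail": e["detail"]})

    # Bulk record access: count distinct patients per user in a sliding window.
    views = defaultdict(list)
    for e in events:
        if e["action"] == "VIEW_RECORD":
            views[e["user"]].append((e["ts"], e["detail"]))
    for user, entries in views.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            in_window = {d for t, d in entries[i:] if t - start <= BULK_WINDOW}
            if len(in_window) >= BULK_THRESHOLD:
                findings.append({"rule": "bulk_record_access", "user": user,
                                 "when": start.isoformat(), "detail": f"{len(in_window)} records"})
                break  # one finding per user is enough for the reviewer
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f['when']}  {f['rule']:<24}{f['user']:<12}{f['detail']}")
```

Run against the constructed sample, the in-hours patch by `it.admin` is not reported, while the after-hours backup disablement and role grant by `svc.backup` and the burst of record views by the newly created `tmpuser` are, which is the sequence (prior unauthorized access, then privilege elevation, then data access) the article says precedes many ransomware deployments. In practice these findings would be raised as alerts in a SIEM rather than printed.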
- Security Awareness and Training: Information system users remain one of the weakest links in an organization’s security posture. Social engineering, including phishing attacks, is one of the most successful techniques used by threat actors to compromise system security. A training program should make users aware of the potential threats they face and teach them how to respond properly. This is especially true for phishing emails that solicit login credentials. Additionally, user training on how to report potential security incidents can greatly assist in an organization’s response process by expediting escalation and notification to the proper individuals.
- Security Incident Procedures: An organization’s incident response procedures can greatly limit the damage caused by a ransomware attack. Organizations may consider addressing ransomware attacks specifically within their response policies and procedures, as mitigation actions may vary between different types of incidents. Quick isolation and removal of infected devices from the network and deployment of anti-malware tools can help to stop the spread of ransomware and to reduce its harmful effects. Response procedures should be written with sufficient detail and be disseminated to the proper workforce members so that they can be implemented and executed effectively. Further, organizations may consider testing their security incident procedures from time to time to ensure they remain effective. Familiarity with the execution of security incident procedures should reduce an organization’s reaction time and increase its effectiveness when responding to an actual security incident or breach. Identifying and responding to suspected security incidents is key to mitigating potential harm following an intrusion.
- Contingency Plan: An effective and robust contingency plan is essential to recover from a ransomware attack. Proper implementation of this provision will allow an organization to continue to operate critical services during an emergency and recover ePHI. Because patient health and safety may be impacted, tolerance of system downtime is low and ePHI availability requirements are high. A covered entity or business associate must back up ePHI and ensure that it is accessible and recoverable in the event of a ransomware attack. Organizations should keep in mind that threat actors have recently been actively targeting backup systems and backup data to prevent recovery. Maintaining recoverable, secure, and up-to-date backups is one of the most important safeguards against ransomware attacks.
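"Recoverable, secure, and up-to-date" are three separate properties, and a backup can silently lose any of them. The following added example (it is not code from the article or from OCR, and the file names, directory layout and 24-hour freshness limit are assumptions) shows a verification routine a practice could run on a schedule: it writes a tar backup of a constructed source tree together with a SHA-256 manifest, then checks that the backup is recent, that it restores cleanly into a scratch directory, and that every restored file matches its recorded hash. A helper that flips one byte inside the archive stands in for the backup tampering the article warns about.

```python
"""Verify that a backup is up to date, intact and restorable (added example)."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_HOURS = 24  # assumed freshness requirement
ARCHIVE_NAME = "ephi-backup.tar"  # assumed file names
MANIFEST_NAME = "manifest.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, dest_dir):
    """Archive every file under source_dir and record its SHA-256 in a manifest."""
    source_dir, dest_dir = Path(source_dir), Path(dest_dir)
    archive = dest_dir / ARCHIVE_NAME
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    (dest_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return archive


def verify_backup(dest_dir, max_age_hours=MAX_BACKUP_AGE_HOURS, now=None):
    """Return {'up_to_date', 'restorable', 'intact', 'problems'} for the backup."""
    dest_dir = Path(dest_dir)
    archive = dest_dir / ARCHIVE_NAME
    manifest = json.loads((dest_dir / MANIFEST_NAME).read_text())
    now = time.time() if now is None else now
    age_hours = (now - archive.stat().st_mtime) / 3600
    results = {"up_to_date": age_hours <= max_age_hours,
               "restorable": True, "intact": True, "problems": []}

    # A real restore test: extract into a scratch directory, never over live data.
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive, "r") as tar:
                # Use the safe extraction filter where the Python version provides it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(restore_dir, **kwargs)
        except tarfile.TarError as exc:
            results["restorable"] = False
            results["problems"].append(f"extract failed: {exc}")
            return results
        for rel, expected in manifest.items():
            restored = Path(restore_dir) / rel
            if not restored.is_file():
                results["intact"] = False
                results["problems"].append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                results["intact"] = False
                results["problems"].append(f"hash mismatch: {rel}")
    return results


def corrupt_backup(dest_dir, rel):
    """Simulate tampering: flip the first data byte of one file inside the archive."""
    archive = Path(dest_dir) / ARCHIVE_NAME
    with tarfile.open(archive, "r") as tar:
        offset = tar.getmember(rel).offset_data
    with open(archive, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))


def demo():
    """Back up a constructed source tree, then verify it fresh, tampered and stale."""
    with tempfile.TemporaryDirectory() as work:
        src, dst = Path(work) / "ehr", Path(work) / "backups"
        src.mkdir()
        dst.mkdir()
        (src / "patients.csv").write_text("id,name\n1001,constructed sample\n")
        (src / "notes").mkdir()
        (src / "notes" / "1001.txt").write_text("constructed visit note\n")
        create_backup(src, dst)
        good = verify_backup(dst)
        corrupt_backup(dst, "patients.csv")
        tampered = verify_backup(dst)
        stale = verify_backup(dst, now=time.time() + 48 * 3600)
        return good, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("fresh", "tampered", "stale"), demo()):
        print(label, result)
```

The manifest should be stored separately from the archive (and ideally signed), since an attacker who can rewrite the backup can usually rewrite a manifest kept next to it; keeping at least one copy of both offline or on immutable storage is what makes the "secure" property hold against the backup-targeting behaviour the article describes.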
Additional Security Rules
The foregoing measures (and associated Security Rule provisions) are not an exhaustive list of measures to prevent and recover from a ransomware attack. The OCR states that covered entities and business associates may also want to consider these additional Security Rule provisions:
- Implementing effective access controls (access control) to stop or impede an attacker’s movements and access to sensitive data; e.g., by segmenting networks to limit unauthorized access and communications. Further, because attacks frequently seek elevated privileges (e.g., administrator access), entities may consider solutions that limit the scope of administrator access, as well as solutions requiring stronger authentication mechanisms when granting elevated privileges or access to administrator accounts.
- Ensuring that security measures remain effective as technology changes and new threats and vulnerabilities are discovered (maintenance); e.g., by updating or patching software and devices to mitigate known vulnerabilities.
The emergence of targeted attacks shows that threat actors are adapting to steps taken by organizations to combat the risk of ransomware infections. So far, these adaptations have proved to be successful, which suggests that ransomware attacks will continue to remain a serious threat to covered entities, business associates, and ePHI for the foreseeable future. However, advances in malware detection and containment tools can assist entities in identifying intrusions into their IT system and initiating defenses before their data is encrypted. Further, the implementation of the robust security measures required by HIPAA can prevent or greatly reduce the impact of ransomware attacks.
Should an Entity Pay the Ransom?
According to the OCR, the FBI does not recommend paying the ransom demanded by the initiator of the ransomware attack, as payment does not guarantee that an entity’s data will be returned, and payment could provide encouragement for further ransomware attacks. The FBI has noted that there have been instances where the decryption key was not provided after the ransom was paid, or the data was corrupted when it was returned. The FBI recommends always reporting ransomware incidents to law enforcement, to prevent future attacks and to enable a criminal investigation to be initiated. Please see the following resources for additional information: