Avoiding and Preventing Ransomware Attacks

Recently Health & Human Services (HHS) provided some guidance on avoiding ransomware attacks in its “Cybersecurity Best Practices” report. 

HHS statistics showed that in the first six months of 2016, there were an average of 4,000 ransomware attacks every day, a 300 percent increase from 2015, when the daily average was 1,000 attacks. While this figure was startling, the scariest part of the report was  HHS’ position that 

“[w]hen [ePHI] is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired[,] and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” 

In other words, you are required to presume a ransomware incident is a breach unless the evidence demonstrates a low probability of compromise based on the HIPAA breach risk assessment factors, including specifically that the PHI was not actually viewed or acquired. The guidance expanded the four-factor risk assessment under HIPAA when ransomware is involved to include consideration of the availability and integrity of the data.

The Report defines ransomware as a type of malware that:

“attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.” 

Organizations will often discover that their systems have been impacted by ransomware in one of two ways: 

  1. Employees arrive to work one morning and report that they are unable to log in to their computers, which an IT investigation reveals is due to the encryption of files and data on workstations and/or servers, or
  2. an employee reports receiving an email or pop-up on his or her screen that looks something like the picture above

Once they discover ransomware, most victims check to determine whether sufficient backups exist to restore the encrypted files and avoid paying the ransom. But be careful, IT assistance should be sought, before any systems are restored, to perform an analysis of how the ransomware accessed the system. For healthcare providers, it is imperative to evaluate the ransomware and the method of to determine whether there the data was actually compromised. If the server(s) or workstation(s) on which the ransomware was found is formatted clean before a forensic image is made, there may be insufficient evidence to make that determination, and you will then be required to notify of all individuals whose information was on the affected computer.

To avoid ransomware in the first place, make sure to train your staff about email precautions. Employees should be trained to ask themselves the following questions before clicking on a link within an email or downloading any attachment, whether it is from an outside or inside source:

  • Do you know the sender?
  • Are there any spelling or grammatical errors in the body of the email?
  • Did you hover over a link to see the URL destination, ensuring it does not mask a malicious site?
  • Is the “from” address a legitimate email address, without misspellings?
  • Is this email too good to be true?

Most importantly, users should ask themselves if they were expecting to receive a document or link from this user. To confirm, users should call the sender – not email – to confirm whether an email is legitimate, since unauthorized actors often remain in the email box, responding affirmatively to questions of legitimacy.

In addition, the HHS Report suggests that small to medium practices do the following:

  • Implement proven and tested response procedures when employees click on phishing emails. This can be accomplished by conducting phishing simulations, as described in the technical volume for small entities. These tests will provide entities with an understanding of how likely their workforce is to click on      potentially malicious links (i.e., how many people actually click the link), and they can help organizations identify attacks that bypass established email security protections.
  • Establish cyber threat information sharing with other healthcare providers. Sharing information about how an organization has been attacked may seem scary, but the Report points out that pursuant to Executive Order 13691,
    “when a member organization provides an information sharing and analysis organization (ISAO) with information about cyber-related breaches, interference, compromise, or incapacitation, the ISAO must: protect the individuals’ privacy and civil liberties, preserve business confidentiality, and safeguard the information being shared.”

In other words, the ISAO shares information about the attack, not about the entity that reported the information. Receiving cyber intelligence through ISAO sharing can help entities increase safety precautions around emerging threats they otherwise would not be aware of.

Ransomware is becoming a significant threat to small providers and taking steps to prevent and avoid attacks are important especially in light of the more aggressive pursual of HIPAA violations. 

If you have questions, feel free to contact me:

Peter J. Cass, O.D. 

VP Development, Practice Compliance Solutions