In the wake of the widespread ransomware attack launched last Friday that has quickly spread worldwide, the Dept. of Health and Human Services (HHS) sent an email reminder to healthcare organizations, urging them to adhere to the Office for Civil Rights’ (OCR) ransomware guide published last year.
The guide covers how to prevent and recover from a ransomware attack, as well as how the Health Insurance Portability and Accountability Act (HIPAA) plays a role when it comes to breach notification.
While the ransomware attack hit hospitals in the U.K. hard, Forbes has reported on infected medical devices in a U.S. hospital affecting Bayer Medrad radiology equipment used to improve imaging. Bayer will be sending out a patch for its Windows-based devices soon.
Preventing Ransomware With HIPAA
How does the HIPAA Security Rule requirements address the security measures you can take to prevent malware/ransomware?
While not overly specific or technical (like PCI DSS), they do provide a very broad outline of basic measures to take:
- Security Management Process - Conduct a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI).
- Security Measures & Procedures - Implement security measures and procedures to mitigate risks, guard against and detect malware.
- Train Users - Educate employees so they can assist in detecting malware, and know how to report detections.
- Strong Access Controls - Limit access to ePHI to only the users, applications or programs that require access.
For example, the guide acknowledges that there isn’t a HIPAA requirement that explicitly calls for updating network device firmware, but healthcare organizations should identify and address the risks to ePHI when using network devices running on out-of-date firmware.
To secure remote access to systems with ePHI, using two-factor authentication can reduce the risk of phishing or password-related breaches. It’s highly recommended in HHS’s HIPAA Security Guidance, and required for e-prescriptions by the Drug Enforcement Administration (DEA) - known as Electronic Prescriptions for Controlled Substances (EPCS) compliance.
Recovering from Ransomware With HIPAA
There are specific policies and procedures that can help healthcare organizations when it comes to responding and recovering from ransomware:
- Implement a Data Backup Plan - Maintain frequent backups and conduct periodic test restorations to verify the integrity of the data backups. Keep backups offline and unavailable to other networks to avoid infection.
- Establish a Contingency Plan - In addition to a data backup plan, healthcare organizations need to conduct disaster recovery and emergency operations planning. They also need to analyze the criticality of applications and data, while periodically testing contingency plans to make sure their teams are ready to execute. This can help businesses (like hospitals) continue operating while recovering from an attack.
- Security Incident Procedures - Create procedures to detect and conduct an analysis of ransomware; contain the impact and propagation of the ransomware; and remediate vulnerabilities associated with the ransomware attack.
- Post-Incident Procedures - Conduct a deeper analysis of the incident to determine if providing a breach notification is necessary, and incorporate lessons learned into existing security processes to improve incident response effectiveness for future incidents.
Remediating vulnerabilities that may have allowed the ransomware to infect your systems is key to closing security gaps quickly and protecting against another malware infection. One example is applying the Microsoft emergency patches released for older versions of their Windows operating system (OS) to prevent the spread of the WannaCry ransomware.
In addition to keeping your antivirus up to date, you should keep device OS, browsers, plugins and other software updated to protect against publicly-reported vulnerabilities that can be used to compromise access to your users’ devices and healthcare systems. Use an endpoint security solution that can detect risky devices and block them until users update.
Finally, when it comes to breach notification, the HHS states:
The OCR presumes a breach in the case of ransomware attack. The entity must determine whether such a breach is a reportable breach no later than 60 days after the entity knew or should have known of the breach.
Read more about the recent WannaCry ransomware attack, including specific tips to help you prevent malware infection while keeping risky devices from accessing your applications, and learn more about Duo for Healthcare.