New HIPAA Guidance on Ransomware in Healthcare
The U.S. Department of Health and Human Services (HHS) recently released new Health Insurance Portability and Accountability Act (HIPAA) guidance on dealing with ransomware for healthcare entities and business associates (healthcare service providers, such as billing, insurance, data processing, etc.).
There have been 4,000 daily ransomware attacks since early 2016, a 300% increase over the 1,000 daily attacks reported in 2015, according to a U.S. government interagency report quoted in the fact sheet. Clearly, ransomware has become a serious problem, plaguing hospitals and health systems and causing major disruptions to operations.
Ransomware is malware that an attacker deploys on a healthcare organization's machine or network of machines; it encrypts the organization's data and files and locks users out of them. The attacker then demands a ransom in exchange for decrypting the systems, typically paid in Bitcoin, an anonymized cryptocurrency.
This guidance was also released two weeks after congressmen sent a letter to HHS urging them to take action, according to HealthcareInfoSecurity.com.
A Ransomware Breach: Still Reportable Under HIPAA?
But within the industry, there has been debate and confusion about whether or not ransomware is considered a reportable breach, since the data may not have been technically disclosed (as the HIPAA Privacy Rule decrees), but merely taken hostage.
This new guidance clarifies what common sense deems true: Yes, you do have to report a ransomware attack on your healthcare organization to the HHS, since the data was still accessed by unauthorized individuals. No legal loopholes here, guys. The clarifying statement says:
When electronic PHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired by unauthorized individuals [who] have taken possession or control of the information, and thus is a 'disclosure' not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised, based on the factors set forth in the [HIPAA] breach notification rule, a breach of PHI is presumed to have occurred.
And that means healthcare organizations that were victims of ransomware may also be subject to HIPAA fines and penalties under U.S. law.
Preventing Malware with the HIPAA Security Rule
The guidance refers to the HIPAA Security Rule that requires implementing the following security measures:
- Conduct a risk analysis to identify threats to electronic protected health information (ePHI)
- Implement security measures to mitigate or remediate risks
- Implement procedures to guard against and detect malware
- Train users to help detect malware and to report it
- Implement access controls to limit access to ePHI to only users or software that require access
Using two-factor authentication to secure the user and admin accounts with access to ePHI is one access control that can effectively stop remote attacks.
Another way to reduce the risk of malware is to use an endpoint solution that detects outdated devices and blocks them from accessing sensitive applications; many attackers exploit known vulnerabilities to install malware on users' devices, and that malware can spread once the device connects to your systems.
The Importance of Business Continuity Plans
The Rule also requires covered entities and business associates to maintain frequent backups and to verify that data can be restored from those backups, so that the organization can recover from a ransomware attack.
Some ransomware has been known to remove online backups, so the HHS recommends maintaining backups offline and unavailable from healthcare networks.
Other aspects recommended as part of a contingency or business continuity plan include:
- Disaster recovery planning
- Emergency operations planning
- An analysis to ensure that all critical applications and data are accounted for
- Periodic testing of contingency plans
To be fair, the guidance also states that a healthcare organization or business associate could prove that the integrity of PHI remained intact with a good backup plan.
Plus, if you want to stay in business after a breach or other disruption in service, it’s just good practice to have an established and tested business continuity plan.
How Users or IT Can Detect Ransomware
In some cases, employees may be able to notice early indicators of infection, according to the HHS:
- A user may realize they clicked on a potentially malicious link, downloaded a suspicious file attachment or visited a suspicious website
- An unexplained increase in a computer's CPU or disk activity, which can indicate that the ransomware is searching for, encrypting and removing data files
- A user could be locked out of files as the ransomware is encrypting, deleting or moving data
- Suspicious network communications between ransomware and the attackers’ command and control servers - likely detected by IT personnel via an Intrusion Detection System (IDS) or other solutions
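The file-level indicators above (data being encrypted, deleted or moved in bulk) can be turned into a simple host-side alert. The following heuristic detector is an added example, not code from the HHS guidance or from Duo: it scans constructed file-system audit events and flags any process that changes many files to an unfamiliar extension within a short window. The event format, thresholds and extension list are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them to your environment.
WINDOW = timedelta(seconds=60)
MAX_CHANGES = 50   # suspicious file changes per process per window before alerting
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".hl7", ".dcm"}
WATCHED_OPS = {"WRITE", "RENAME", "DELETE"}


def parse_event(line):
    """Parse one constructed audit line: '<ISO timestamp> <host> <pid> <op> <path>'."""
    ts, host, pid, op, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, int(pid), op.upper(), path


def is_suspicious(op, path):
    """A write/rename/delete that leaves a file with an extension we do not expect."""
    dot = path.rfind(".")
    ext = path[dot:].lower() if dot != -1 else ""
    return op in WATCHED_OPS and ext not in KNOWN_EXTENSIONS


def detect(lines, window=WINDOW, max_changes=MAX_CHANGES):
    """Return {(host, pid): count} for processes whose suspicious changes
    within any sliding `window` reach `max_changes`. Input may be unordered."""
    events = sorted(parse_event(line) for line in lines)
    recent = defaultdict(deque)   # (host, pid) -> timestamps inside the window
    alerts = {}
    for ts, host, pid, op, path in events:
        if not is_suspicious(op, path):
            continue
        q = recent[(host, pid)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= max_changes:
            alerts[(host, pid)] = max(len(q), alerts.get((host, pid), 0))
    return alerts


def constructed_events():
    """Constructed sample: normal office writes, then one process renaming
    60 imaging records to a '.locked' name within 30 seconds."""
    base = datetime(2016, 7, 12, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=i)).isoformat()} ws-17 4120 WRITE C:\\charts\\note{i}.docx"
             for i in range(5)]
    lines += [f"{(base + timedelta(seconds=i // 2)).isoformat()} ws-23 6655 RENAME C:\\records\\pt{i}.dcm.locked"
              for i in range(60)]
    return lines
```

In practice the events would come from an EDR agent or file-audit log rather than a list, and an alert should trigger isolation of the host and a check of the offline backups the guidance recommends.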
Educate your employees and IT on how to spot these signs to detect and mitigate ransomware as early as possible. Learn more about ransomware in the following articles:
- Updating Devices to Protect Against the Threat of Ransomware
- Ransomware Evades Antivirus and Microsoft Security Tools, Targets Office 365
- InfoSecurity Europe: Ransomware, Evolved
- New and Improved Ransomware Spreads in Europe; Targets U.S. Hospitals
Duo Security's Guide to Securing Patient Data
Download Duo’s Guide to Securing Healthcare Data for more tips on staying secure. To help you navigate patient data security, our guide will:
- Summarize relevant health IT security legislation, including federal and state
- Provide information security guidelines on remote access risks and solutions
- Provide extensive security resources and a real hospital case study
- Explain how to protect against modern attacks and meet regulatory compliance with two-factor authentication
Ideal for CISOs, security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for IT decision-makers that need to implement strong authentication security, as well as those evaluating two-factor authentication solutions for organizations in the healthcare industry.