Every healthcare professional needs to understand the dangers of ransomware attacks and how to mitigate related risks. The healthcare industry has experienced an extraordinary increase in these attacks and the trend is likely to continue. It’s easy money for hackers. They encrypt the data, make the threat, and if the ransom is not paid, covered entities and business associates find themselves facing a potential disaster. Not only may ransomware attacks place patients in danger because caregivers have lost access to needed data, but the attacks also threaten the organization’s overall operations.
The FBI has clearly recommended not paying ransoms, and as Kansas Heart Hospital learned earlier this year, payment may just lead to a demand for more money. Many health practitioners feel urgency to pay ransoms because of concern over patient safety. And, yes, it does sometimes come down to professional judgment, where circumstances indicate erring on the side of patient safety over catching the bad guys. But that should be a last resort. Dealing with the ransomware phenomenon is a complex and dangerous problem in healthcare. What should you know and do about it?
1. Risk Management. After conducting a security risk analysis to determine your organization’s exposure to attack, you can mitigate the identified risks to reduce the possibility of ransomware infection. This means implementing a strong risk management program. Risks change due to more sophisticated malware, the acquisition of new hardware and software, changes in business and clinical practices, and so on. Appropriate IT specialists need to monitor changes in the network environment, staff responses to phishing attacks (do they click on that bad link?) and external hacking threats.
- Data Backup. It’s important to make sure your data backup process is sound and all of your PHI is quickly recoverable in the event your data is “captured” and held for ransom. That way you don’t need to pay the ransom in the first place. Be sure to back up early and often. Tools are available to back up your data throughout the day rather than just at night; make use of them.
- Backup Retention. It’s wise to retain the backup media for several days and preferably at least a week. If ransomware lies dormant and finds its way onto your backup media, you may find that your most recent backed-up data is also corrupt and can’t be used to restore servers, EHRs and the like. If you do have to restore from backup media, be sure to analyze it first to prevent this issue. An additional tip: check the integrity of your backup copies once in a while and test restoration from backup periodically.
- Anti-Spam Filters. If you haven’t implemented good anti-spam filters, now is the time to do it. Most ransomware has been spreading through eye-catching emails that contain malware or a link that, once clicked, launches a ransomware attack. When configuring your anti-spam filters, make sure to block attachments with extensions like .exe, .vbs, or .scr.
- Staff Training. This is a must, and it involves much more than just warning staff not to open suspicious attachments. Staff need to fully understand the dangers of phishing and ransomware and how attacks occur. For example, let staff know that an email that looks official may still hide something that could harm them and your organization. Training needs to be repeated periodically, and preferably through different methods, so staff don’t eventually tune out the message.
As an added training step, use tools like PhishMe to conduct a mock phishing attack. Your people may be surprised by the dismaying results, which will reinforce greater awareness of phishing risks. Another training tip: let’s say a staff member receives an email from Amazon (or another apparently legitimate source). The user need only hover the cursor over the web link in the email to see where that link will really take them. If it doesn’t show a link to an Amazon website, a phishing attempt is underway.
- Other Priorities. There are other steps you can take to reduce the possibility of being hit with ransomware. The following list is not exhaustive, but it gives you an idea of other steps you can take to prevent infection.
  - Making sure your incident response plan is up to date and has been tested.
  - Segmenting your network to separate access to critical applications, so that if an infection occurs, it won’t hit your whole network.
  - Regularly patching servers and workstations.
  - Regularly reviewing firewall and intrusion detection/prevention system logs to look for suspicious activity.
  - Updating disaster recovery and business continuity plans so they mesh with your incident response plan in the event of an attack that takes down your EHR.
  - Requiring strong passwords that are not susceptible to a brute-force attack, and blocking access after a few unsuccessful attempts to log in to the network and the EHR.
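The two checks described above, blocking risky attachment extensions at the mail filter and comparing where a link says it goes with where it really goes (the “hover” check), can both be automated. The following is an added example, not code from the original post; the message it inspects is constructed here for the demo, and the two-label domain comparison is a simplification of what a real mail filter does.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_EXTENSIONS = (".exe", ".vbs", ".scr")  # extensions the post says to block
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)  # a domain the reader sees

class _LinkCollector(HTMLParser):  # collects (visible text, href) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _base_domain(host):  # heuristic: last two labels; ignores ccTLDs such as co.uk
    return ".".join(host.lower().split(".")[-2:])

def analyze_message(raw):
    """Flag blocked attachment types and links whose shown domain != real target."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    blocked = [n for n in names if n.lower().endswith(BLOCKED_EXTENSIONS)]
    mismatched, body = [], msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            shown, target = DOMAIN_RE.search(text), urlparse(href).hostname
            if shown and target and _base_domain(shown.group()) != _base_domain(target):
                mismatched.append((text, href))  # what hovering over the link reveals
    return {"blocked_attachments": blocked, "mismatched_links": mismatched}

def build_sample_message():  # constructed phishing-style message, not a real sample
    msg = EmailMessage()
    msg["From"], msg["To"] = "Amazon <no-reply@amazon.com>", "staff@clinic.example"
    msg.set_content('<p>Review your order at <a href="http://amazon-verify.example.net/login">'
                    "www.amazon.com/orders</a></p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00" + bytes(16), maintype="application",
                       subtype="octet-stream", filename="invoice.scr")
    return msg.as_bytes()
```

Running `analyze_message(build_sample_message())` reports the `.scr` attachment and the link whose visible text shows amazon.com while its target is a different domain, which is exactly what a user would see by hovering over the link.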
2. Security Incident Response and Breach Notification. What if you’re not successful in blocking ransomware from infecting your network and applications? That’s where a solid security incident response and breach notification plan comes in. Security is never risk free, so if you have a solid plan and a trained team, you can respond to the incident more quickly, reducing or eliminating potential damage. This includes conducting the necessary forensic analysis before rebuilding servers and workstations, so that evidence of the type of ransomware used and where it came from won’t be lost. If law enforcement becomes involved, it can’t help you if the evidence is missing.
- How do ransomware attacks fit into HIPAA and breach notification? The HHS Office for Civil Rights (OCR) has issued guidance in a 2016 FAQ stating that if the PHI was not encrypted by the covered entity or business associate, ransomware represents a breach of unsecured PHI. In OCR’s own words, “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred.” This is because unauthorized individuals have taken possession or control of the ePHI. Such a “disclosure” is not permitted under the HIPAA Privacy Rule.
- Does that mean you need to report the breach? That depends. You still need to conduct the four-factor risk assessment included in the HIPAA Breach Notification Rule, but if you can prove to yourself there was a low probability of compromise, it’s not a reportable breach. That means conducting a forensic analysis to determine whether the PHI was actually accessed. For example, if the PHI was properly encrypted prior to the ransomware attack, a breach of unsecured PHI may not have occurred. On the other hand, a breach may have occurred if a mobile device was in use at the time of the attack (meaning the data was decrypted while in use). In the end, it’s a matter of conducting a thorough investigation and documenting why the attack resulted in a low probability of PHI compromise.
The security community has developed and established strong methods to effectively reduce the likelihood of ransomware infection and to respond quickly if it occurs. Still, healthcare is behind other industries like the financial sector when it comes to investing in and implementing sound security programs. Covered entities and business associates need first to be diligent about basic, sound security practices. Then they must move beyond the basics as hackers continually become more sophisticated. Implementing robust security programs, and then appropriately upgrading them as threats and technologies change, is essential for long-term protection of your organization, your clients and your patients, and for satisfying regulators. Think the worst can’t happen to you? Don’t count on it. Be ready.
Our thanks to our partner, Chris Apgar, for this guest post.