Ransomware Holds Data Hostage
The US Department of Health and Human Services (HHS) states in a Fact Sheet on Ransomware and HIPAA that ransomware may result in a breach that must be disclosed under the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule.
Ransomware is malware (malicious software) that denies users access to their data, usually by encrypting it, until a ransom is paid.
According to the Fact Sheet, covered entities and business associates (entities) that comply with the HIPAA Security Rule should already be prepared to prevent and recover from ransomware attacks.
HIPAA requires entities to provide their workforces with appropriate security training. This could help entities to prepare their staff to detect and respond to ransomware before it encrypts data.
The Security Rule also requires HIPAA entities to implement a data backup plan as part of maintaining an overall contingency plan. Because ransomware denies access to data, it’s crucial for entities to maintain frequent backups and ensure the ability to recover data from backups.
The Fact Sheet lists “robust security incident procedures” that should help entities respond to a ransomware attack. They include:
(*) detecting and conducting an initial analysis of the ransomware
(*) containing the impact and propagation of ransomware
(*) eradicating instances of ransomware and mitigating or remediating vulnerabilities that permitted the attack
(*) recovering from an attack by restoring data lost during the attack
(*) conducting an analysis to determine if the entity has any obligations as a result of the incident (such as providing breach notifications) and incorporating lessons learned
The Fact Sheet also warns that the presence of ransomware (or any malware) on an entity’s computer systems is a security incident under the Security Rule. Entities that detect ransomware must initiate their security incident response and reporting procedures.
The presence of ransomware on an entity’s computer system requires a fact-specific determination of whether a HIPAA Privacy Rule breach has occurred. If electronic protected health information (ePHI) is encrypted as a result of the ransomware attack, a breach has occurred because the ePHI was acquired by the hackers, which is a prohibited disclosure under the Privacy Rule.
Unless the entity can demonstrate that there is a low probability that the ePHI was compromised, a breach is presumed and the entity must comply with applicable breach notifications.
Ransomware has made headlines as a problem for hospitals and government agencies, but it’s a problem for everyone. In March 2016 the US Department of Homeland Security and the Canadian Cyber Incident Response Centre issued joint Alert (TA16-091A), Ransomware and Recent Variants. The alert advises users and administrators to:
(*) use data backups
(*) use application whitelisting to prevent malicious software and unapproved programs from running
(*) keep operating systems and software up to date with the latest patches
(*) maintain up-to-date antivirus software
(*) restrict users’ ability to install software applications
(*) avoid enabling macros from email attachments
(*) avoid following unsolicited Web links in emails.
The alert discourages individuals and organizations from paying the ransom, because paying doesn’t guarantee that files will be released. In addition, paying gives the malicious actors the victim’s bank information. Fraud should be reported to the FBI at the Internet Crime Complaint Center.
Even if a victim pays, retrieving the data won’t be easy. For example, the chief information officer of a medical center reported that after paying the ransom, the hospital received “900 decryption codes. One decryption code, unique, per device. There was no magic wand of a single decryption code to alleviate the problem. We had to deal with 900 codes to go server by server by server, device by device.”
Employers can protect data by encouraging employees to use cyberhygiene, a term coined by Dr. Vinton Cerf, who used it in a statement before the US Joint Economic Committee in 2000. According to some experts, hackers are becoming more sophisticated at targeting specific victims and vulnerabilities, and “the days of grammatically incorrect, mass spam phishing attacks are pretty much over.”
The Center for Internet Security launched a cyberhygiene campaign that divides cyberhygiene into five priorities:
(*) Count (know what’s connected to your network)
(*) Configure (implement key security settings)
(*) Control (manage accounts and limit user and administrator privileges)
(*) Patch (keep systems current)
California’s Senate passed legislation making ransomware a crime. According to the Assembly Committee on Privacy and Consumer Protection analysis, current laws about extortion didn’t adequately cover ransomware because extortion requires a threat to do an unlawful injury, while a ransomware attack has already caused injury.
According to the bill’s author, his Senate website was hijacked the day after the Senate approved the legislation outlawing ransomware. The bill is now in the California Assembly.
Good training can help employees avoid the common data security errors that could lead to ransomware. Learn more about LawRoom and how our online data security training can help employers protect their organization and customers by focusing on technical and human solutions to data security.