When you hear the word “ransom” you probably think of a villain holding someone or something hostage until the victim pays ransom money. This might play out in the plotline of your favorite books or movies, but not in the real world, right? Today, especially in the healthcare IT world, ransom (or ransomware) is a scary and high-stakes reality.

What is ransomware?
Ransomware is malicious software created to block access to a computer or system until money is paid. It’s often spread through:
• Phishing emails which contain malicious attachments
• “Drive-by” downloading
• Via social media, such as Web-based instant messaging applications

Ransomware is so effective because its authors instill fear and panic in victims, causing them to click on a link, or pay a ransom – and sometimes infecting users’ systems with additional malware. Ransomware was one of the hot topics covered at our recent NextGen™ ONE User Group Meeting – and it’s been on people’s minds for a while now. In fact, in April 2016, I posted my first blog about ransomware.

How to handle ransomware threats
In this post, I will focus on the U.S. Department of Health & Human Services (HHS) guidance on ransomware. Your organization’s compliance with the Health Insurance Portability and Accountability Act (HIPAA) – and the HIPAA Security Rule – helps prevent infections of malware, including ransomware, via specific security measures. To view the required security measures, check out this HHS Fact Sheet.

Assessing and managing your risk
To protect your organization from ransomware, conducting an accurate risk analysis of vulnerabilities is mission critical. Check out the Security Management Process standard of the Security Rule to help you conduct an accurate and thorough analysis. You should examine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the electronic protected health information you create, receive, maintain, or transmit. Then, it’s your job to see how you can implement security measures sufficient to reduce identified risks to a reasonable and appropriate level.

Preparing for an attack
Because ransomware denies access to data, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack. Your organization should periodically conduct test restorations to verify the integrity of backed-up data and provide confidence in your data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, your organization should consider maintaining backups offline and unavailable from your networks.

Implementing a data backup plan
It’s a Security Rule requirement for HIPAA-covered entities and business associates – as part of maintaining an overall contingency plan – to implement a data backup plan. Additional activities that must be included as part of an entity’s contingency plan include:
• Disaster recovery planning
• Emergency operations planning
• Analyzing the criticality of applications/data
• Periodic testing of contingency plans to ensure organizational readiness to execute plans and provide confidence they will be effective

For a list of processes that should be included as part of “robust” security incident procedures when responding to a ransomware attack, check out item three on this HHS Fact Sheet.

Detecting an attack
Unless your organization detects and halts the propagation of ransomware, you would typically discover its presence only after the ransomware encrypted user data, alerted you of its presence, and demanded payment. However, in some cases, your workforce may notice early indications of a ransomware attack that has evaded security measures.

HIPAA requires that your workforce receives appropriate security training, including training for detecting and reporting instances of malicious software, which can help you prepare staff to detect and respond to ransomware.

Responding to an attack
If your organization believes that a ransomware attack is underway, immediately activate your security incident response plan, which should include measures to isolate the infected computer systems in order to halt propagation of the attack. Additionally, contact your local FBI or United States Secret Service field office. These agencies work with federal, state, local, and international partners to pursue cyber criminals globally and assist victims of cybercrime.

Next steps if infected with ransomware
The presence of ransomware (or any malware) on computer systems is considered a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. HIPAA-covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes; these should be reasonable and appropriate to respond to malware and other security incidents, including ransomware attacks. For a list of suggested incident response activities, view item five on the HHS Fact Sheet.

Read more about how ransomware attacks have quadrupled in 2016.

If you have questions or want more information about ransomware, reach out to us.