A version of this article was first published November 16, 2020, by HCPro's Credentialing Resource Center, a sibling publication to HealthLeaders.
Although ransomware is not a new phenomenon, a recent increase in reported attacks, along with several well-publicized cases, have raised the public's awareness of the threat it poses.
Ransomware can be incredibly damaging because it is designed to infect a system, find and encrypt the system's data, and lock out users until they pay a ransom—typically in an anonymous electronic currency like bitcoin—to regain access through a decryption key.
U.S. Department of Health and Human Services (HHS) guidance states that healthcare entities can better protect against ransomware by implementing security measures required by the HIPAA Security Rule.
According to the guidance, these measures include limiting access to electronic protected health information (PHI) to the personnel and software that require it, and conducting risk analyses to identify threats and vulnerabilities to PHI.
A big takeaway from the HHS is the importance of taking appropriate actions beforehand to mitigate the potential of damage caused by ransomware. Unlike malware that simply transfers PHI without authorization, ransomware makes the PHI unavailable or destroys it altogether.
To better prevent ransomware, all staff should be appropriately trained on email and web security, as most malware and ransomware comes from those sources, says Justin Jett, director of compliance and auditing at Plixer International, a security analytics company based in Kennebunk, Maine.
Additionally, companies should invest in heightened email security solutions, like anti-spam firewalls, which will help prevent the most obvious attacks from getting to employees' inboxes.
HHS guidance suggests that since HIPAA requires the workforces of covered entities to receive security training on detecting and reporting malware, employees can assist with early detection of ransomware by spotting indicators of an attack. These warning signs could include unusually high activity in a computer's CPU as the ransomware encrypts and removes files, or an inability to access files that have been encrypted, deleted, or relocated.
Even if hospitals are vigilant, ransomware attacks may still occur. Again, the guidance suggests that HIPAA compliance may help hospitals recover from ransomware attacks due to HIPAA's mandate for frequent backups of data.
Doron S. Goldstein, partner and co-head of privacy, data, and cybersecurity practice at Katten Muchin Rosenman, LLP, in New York City, warns, however, that some variants of ransomware can lie dormant for a period of time in order to migrate across systems, including into data backups.
Many hospitals and companies keep hot backups as part of their disaster recovery plan. These backups can be automatically or manually switched on if a system goes down.
If ransomware has infiltrated a backup, the backup's data could also become compromised and encrypted by the ransomware as soon as it's activated.
"The important thing about dealing with the impact of ransomware is that it may require additional or different protections compared to what other malware requires to avoid or mitigate its ill effects," says Goldstein.