OCR Guidance on Preventing, Mitigating, and Responding to Ransomware
The HHS Office for Civil Rights (OCR) released its Fall Cybersecurity Newsletter, "What Happened to My Data? Update of Preventing, Mitigating and Responding to Ransomware." (December 2, 2019)
OCR defines ransomware as a type of malicious software (or malware) that attempts to deny access to a user's data, usually by encrypting the data with a key known only to the attacker who deployed the ransomware. Generally, in order for a victim to obtain this key, a ransom payment, which is usually made in cryptocurrency, is required.
These types of attacks pose a serious threat to HIPAA-covered entities, business associates, and the electronically protected health information (ePHI) that they hold.
Prevention, Mitigation, and Recovery
According to OCR, while bad actors have employed new means for identifying victims, their overall methods of gaining unauthorized access to systems and deploying ransomware remain generally the same. Phishing emails and vulnerability exploitation (e.g., exploiting unpatched operating system or application vulnerabilities) continue to be the most common attack vectors.
OCR mentions that proper implementation of several HIPAA Security Rule provisions can help covered entities and business associates prevent, mitigate, and recover from ransomware attacks. Here is a breakdown of each.
Security Risk Analysis (SRA) and Risk Management
Under the HIPAA Security Rule, covered entities and business associates are required to conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their ePHI, and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Yet, a failure to do or a lacking SRA continues to be the number one deficiency year after year.
Identifying and reducing potential risks and vulnerabilities is key to making an organization a less inviting target and is crucial to preventing ransomware attacks. From there, it's just as important to ensure effective security tools such as anti-malware software and intrusion detection/prevention solutions are installed to help prevent, detect, and contain attacks.
Information System Activity Review
Covered entities and business associates are required to regularly review records of information system activity. Such records can include audit logs, access reports, and security incident tracking reports.
Effective system monitoring and review is critical to detecting and containing an attack. Identifying anomalous activity, especially if the activity is executed with elevated privileges, can be crucial to identify an attack in progress.
Security Awareness and Training
Perhaps just as important as an SRA, having a security awareness and training program place is a must. This is because information system users remain one of the weakest links in an organization's security posture. OCR goes on to say that social engineering, including phishing attacks, is one of the most successful techniques used by threat actors to compromise system security.
A training program should make users aware of the potential threats they face and inform them on how to properly respond to them. This is especially true for phishing emails that solicit login credentials. Additionally, user training on how to report potential security incidents can greatly assist in an organization's response process by expediting escalation and notification to proper individuals.
Security Incident Procedures
An organization's incident response procedures can greatly limit the damage caused by a ransomware attack. Organizations may consider addressing ransomware attacks specifically within its response policies and procedures as mitigation actions may vary between different types of incidents. Quick isolation and removal of infected devices from the network and deployment of anti-malware tools can help to stop the spread of ransomware and to reduce the harmful effects of such ransomware. Response procedures should be written with sufficient details and be disseminated to proper workforce members so that they can be implemented and executed effectively.
Further, organizations may consider testing their security incident procedures from time to time to ensure they remain effective. Familiarity with the execution of security incident procedures should reduce an organization's reaction time and increase its effectiveness when responding to an actual security incident or breach. Identifying and responding to suspected security incidents is key to mitigating potential harm following an intrusion.
An effective and robust contingency plan is essential to recover from a ransomware attack. Proper implementation of this provision will allow an organization to continue to operate critical services during an emergency and recover ePHI. Because patient health and safety may be impacted, tolerance of system downtime is low, and ePHI availability requirements are high. A covered entity or business associate must backup ePHI and ensure that it is accessible and recoverable in the event of a ransomware attack.
Organizations should keep in mind, that threat actors have recently been actively targeting backup systems and backup data to prevent recovery. Maintaining recoverable, secure, and up-to-date backups are one of the most important safeguards against ransomware attacks.
Additional Security Rule Provisions
OCR mentions the following additional Security Rule Provisions that should be considered:
- Implementing effective access controls to stop or impede an attacker's movements and access to sensitive data; e.g., by segmenting networks to limit unauthorized access and communications. Further, because of attacks frequently seek elevated privileges (e.g., administrator access), entities may consider solutions that limit the scope of administrator access, as well as solutions requiring stronger authentication mechanisms when granting elevated privileges or access to administrator accounts.
- Ensuring that security measures remain effective as technology changes and new threats and vulnerabilities are discovered (e.g., by updating or patching software and devices to mitigate known vulnerabilities).
While the emergence of targeted attacks shows that threat actors are adapting to steps taken by organizations to combat the risk of ransomware infections, OCR believes the implementation of the robust security measures required by HIPAA can prevent or greatly reduce the impact of ransomware attacks.
Have Additional Questions?
We can help. Contact us by email: firstname.lastname@example.org or by phone: 855-427-0427.