Six Provisions of HIPAA Security Rule that Help Covered Entities Stop, Minimize, and Recover from Ransomware Attacks

Ransomware attacks have generally been performed indiscriminately, with file-encrypting malware distributed in bulk spam email campaigns. Since 2017, however, ransomware attacks have become far more targeted: cybercriminals now choose victims that are more likely to pay the ransom.

Healthcare companies are a primary target for cybercriminals because they hold large volumes of sensitive information, have a low tolerance for system downtime, and depend on high information availability. They also have the funds to pay ransom demands, and most are covered by cybersecurity insurance policies. Insurers frequently opt to pay the ransom because it is cheaper than the cost of system downtime and restoring data from backups.

Because severe attacks are occurring more frequently, healthcare companies should ensure that their networks are well protected and that policies and procedures are in place to enable a rapid response if an attack occurs.

Ransomware attacks are becoming more sophisticated, and cybercriminals continually develop new strategies and techniques to gain access to networks and install ransomware. However, most attacks still rely on proven techniques to deliver the ransomware payload. The most common ways of accessing healthcare networks remain phishing and the exploitation of vulnerabilities, such as unpatched flaws in applications and operating systems. By finding and fixing vulnerabilities and strengthening defenses against phishing, healthcare companies can stop all but the most advanced and determined attackers and keep their networks secure and operational.

The Department of Health and Human Services explained in its Fall 2019 Cybersecurity Newsletter that most ransomware attacks could be prevented by complying with the HIPAA Security Rule. HIPAA compliance also helps healthcare companies ensure a fast recovery in the event of a ransomware attack.

The following six provisions of the HIPAA Security Rule are relevant to preventing, mitigating, and recovering from ransomware attacks:

Risk Analysis (45 C.F.R. §164.308(a)(1)(ii)(A))

Risk analysis allows healthcare companies to identify threats to the confidentiality, integrity, and availability of ePHI and to mitigate those threats. Ransomware is frequently introduced by exploiting technical vulnerabilities, including unsecured open ports, obsolete software, and poor access management and provisioning.

Risk Management (45 C.F.R. §164.308(a)(1)(ii)(B))

All identified risks should be managed and reduced to a low and acceptable level. Doing so makes it more difficult for attackers to succeed. Risk management includes implementing anti-malware software, spam filters, web filters, intrusion detection systems, and robust backup systems.

Information System Activity Review (45 C.F.R. §164.308(a)(1)(ii)(D))

If an organization’s defenses are breached, the intrusion must be detected quickly. By performing information system activity reviews, healthcare companies can identify anomalous activity and take action to limit attacks in progress. Ransomware is not always deployed as soon as a network is accessed; deployment can follow days, weeks, or months later, so regular activity reviews can identify a compromise before the ransomware is executed. Security Information and Event Management (SIEM) solutions can help perform these reviews and automate the analysis of logged activity.

Security Awareness and Training (45 C.F.R. §164.308(a)(5))

Phishing attacks often target employees, so regular security awareness training is essential. Training helps employees recognize phishing emails and malspam and respond properly by reporting the threats to the IT security team.

Security Incident Procedures (45 C.F.R. §164.308(a)(6))

When an attack occurs, a quick response can significantly limit the harm done by ransomware. There must be written policies and procedures that are properly disseminated to all workforce members so that they know how to respond during an attack. Incident response procedures must also be tested to ensure they are effective in the event of a security breach.

Contingency Plan (45 C.F.R. §164.308(a)(7))

A contingency plan is needed to ensure the continuity of critical services and the recovery of ePHI in the event of a ransomware attack. This means all ePHI must be backed up, and covered entities should test those backups to confirm that data can be recovered. Threat actors target backup systems to make recovery more difficult for covered entities that do not pay the ransom, so at least one backup copy must be stored securely on a non-networked device or a remote system.