The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued new HIPAA guidance [PDF] regarding ransomware.
“The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals,” OCR director Jocelyn Samuels wrote in a blog post announcing the guidance, which notes that there have been an average of 4,000 daily ransomware attacks since early 2016, a 300 percent increase over the 1,000 daily ransomware attacks reported in 2015.
In response, the guidance notes, the HIPAA Security Rule requires implementation of several security measures including the following:
- implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
- implementing procedures to guard against and detect malicious software;
- training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
- implementing access controls to limit access to ePHI to only those persons or software programs requiring access.
“Organizations need to take steps to safeguard their data from ransomware attacks,” Samuels wrote. “HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.”
Webroot security intelligence director Grayson Milbourne told eSecurity Planet by email that hackers are able to benefit from the fact that hospitals run on a tight budget, and IT infrastructure is often a lower priority than affording new medical devices and staff.
“They retain detailed patient records that are attractive to hackers, and vulnerable to a ransomware attack,” Milbourne said. “They are difficult to secure due to poor physical security, because physical access to systems adds an additional vector for attackers to break in. Additionally, medical devices run on a wide variety of OS versions, making patch management and security updates more challenging. This type of threat landscape can cause the perfect cybersecurity storm.”
“In preventing attacks, the new HIPAA guidance is a big step forward,” Milbourne added. “However, hospitals must address many variables. While technology identifying such attacks does exist, it needs to be within budget. Beyond that, physical access to systems and devices remains a big problem. User education is always valuable, but most hospitals struggle with high turnover.”
A recent Tripwire survey of more than 400 information security professionals found that 56 percent of respondents identified ransomware as one of the top three security concerns at their organizations, and fully 93 percent believe ransomware attacks will continue to escalate in 2016.
Still, just 32 percent said they were “very confident” that their companies could recover from a ransomware infection without losing critical data.
“Ransomware delivers a great return on investment, so it’s not surprising that it is expected to be a growing problem for the foreseeable future,” Tripwire senior security research engineer Travis Smith said in a statement. “While prevention is the goal for every organization, being able to respond to an infection is every bit as important.”
“Following the 3-2-1 backup rule is a good first step to prepare for a ransomware infection,” Smith added. “You will need to have three copies of your data on two different types of media, with at least one of those copies being stored off-site. Organizations should continually test recovery procedures on these backups to keep the cost of restoring data as low as possible.”
A recent eSecurity Planet article offered advice on how to remove potential ransomware attack vectors.