We’ve talked about ransomware more than a few times on our blog and newsletter. It’s a horrible type of malware that will hold your data hostage until you pay a price to get it back. If you’re a HIPAA-covered entity or you work with HIPAA-covered entities as a business associate, you need to pay extra attention to ransomware protection because if you get infected, you may have to report it. Read on for all the details.
The US Department of Health and Human Services Office for Civil Rights recently released new guidance on ransomware. Their downloadable fact-sheet is a must-read for any security officer. It covers a lot of ground, but here’s the key, taken straight from the fact sheet:
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.
Long story short: If the ransomware accesses ePHI, you’ll very likely need to report it under the HIPAA Breach Notification Rule and take steps to mitigate and investigate the incident.
Even if you feel there is a very low probability of compromise, the risk assessment and investigation must be very thorough to prove that fact. It’s going to be a lot of work, either way.
So what to do? Unfortunately, there is no 100% ransomware prevention tool. Like any malware or virus, there are lots of different vectors that ransomware can use to infect your system, so you need to go with a multi-tiered approach:
- Be Educated: Most ransomware gets into systems because of actions taken by unaware or uneducated staff. You can have all the protection in-place you want, but sometimes things get through and the better you are at knowing suspicious signs the less likely you are to open an infected attachment or follow a bogus web link. Although many companies allow full personal use of company computers this also creates risk to the business if they access personal-use web sites, personal email accounts, bring in personal files, etc… . The latest ransomware infection we saw was from a non-medical client where an employee opened up their personal webmail account and opened up a suspicious attachment that was a macro-enabled Word document (which are bad news). A policy of non-personal use of computers would have prevented this infection, but also training you staff on suspicious signs should also be a standard practice.
- Up-to-Date Anti-virus: Make sure you’re using up-to-date, centrally managed and monitored anti-virus that will alert on infections so the machine can be pulled off the network before causing additional damage. If an infection does occur, have your IT team research the variant of infection and ways to minimize either possibility of infection in the future or the impact of infection if prevention is not possible/feasible.
- Gateway Malware and Anti-Virus Protection: Ideally, malware and virus code would get shut down before it even makes it onto your network. You need a good firewall that has protections in-place for that sort of thing. That’s the idea behind WestonShield, Weston’s managed firewall service which provides a Sonicwall firewall with all security features enabled (including malware protection as well as monitoring and intrusion protection) for a flat monthly fee.
- E-mail Spam and Virus Protection: A very common method for these types of infections is via malware-carrying e-mail attachments. The best route for email protection is to have your email scanned by a service before it is delivered to your inbox. This is the type of service we offer with our WestonBlock comprehensive email protection. Keep in mind this type of service will not work if your staff access a web-based personal email system or social media site.
- Content Filtering: Another very common way that ransomware can get onto your system is via infected or not-work-friendly web sites. Blocking access to those websites is key.
- Patch Your Systems: The HIPAA security rule requires you to protect patient information with system patches and updates. Managed patching services can help eliminate this headache and making sure a patching isn’t going to bring down your network.
- Have Good Backups and a Business Continuity Plan: Despite your best efforts, there’s always a chance you’ll get infected. If you are to get infected, you’ll want to get back up and running as soon as possible to avoid further damage to the bottom line and to your patients’ confidence. A good business continuity plan can cure a lot of ailments.