Healthcare organizations of all sizes need to ensure that they regularly update their technological, administrative, and physical safeguards as cybersecurity threats continue to evolve. This is particularly true of hospital ransomware procedures, since this type of cyberattack has the potential to force a healthcare provider to change its daily operations or alter patient care.
Regular staff training and up-to-date technological tools, such as anti-virus and workstation monitoring, are key for healthcare organizations, according to Edward Zacharias, a partner at McDermott Will & Emery LLP.
There is much discussion over whether smaller providers are able to put themselves in the same position, from a technology perspective, as larger facilities, said Zacharias, who is also in the firm’s health information technology and data protection practice. Since some of the larger healthcare organizations may have more resources at their disposal, the question is often asked whether smaller entities are more vulnerable to threats.
While that may be a small component of the apparent increase in healthcare ransomware attacks, Zacharias said it is not necessarily the primary driver.
“If you look at where ransomware attacks originate, for the most part, it’s through phishing or spear phishing scams,” he told HealthITSecurity.com. “Really, the common denominator in a lot of these cases is human error.”
From an administrative perspective, one of the most critical things that any organization can do to prepare against potential cybersecurity threats is user training and awareness, Zacharias said.
Teaching employees not to click on links in suspicious emails, to use only USB drives issued by the organization, and not to download files from unfamiliar websites onto their desktops are all good practices.
“Anytime a new workforce member is hired, they’re required under HIPAA to have certain training regarding privacy and security requirements,” Zacharias explained. “With new hires, you want to train them as soon as possible when they’re hired. The training needs to be aligned with the organization’s policies and procedures.”
For example, different healthcare entities will likely need to incorporate specific policies and procedures that align with their size and culture.
There is not a “magic number” in terms of the frequency of employee education and training, he said, but this will also depend on the specific covered entity or business associate.
It’s important to find the right balance: an organization does not want to provide training so frequently that it becomes a burden and the workforce stops paying attention, but training should not be so infrequent that security is not at the top of employees’ minds. It’s a balancing act that will depend on organization size and culture.
Implementing current technical safeguards
Along with the administrative side, Zacharias also underlined the importance of ensuring that all technical tools are up to date.
“Oftentimes from a technological perspective, particularly in the ransomware field, the point of contact is a single workstation or a single application,” he explained. “The scope starts out pretty small.”
This is why covered entities cannot take basic cyber hygiene for granted. Regular anti-virus, anti-malware, and firewalls will all be essential.
Beyond that, organizations want to be able to monitor in near real time, or receive frequent reports about, user behavior on individual workstations. That way, a facility can spot patterns that are out of the ordinary.
For example, if an employee regularly logs in between Monday and Friday, from 9 a.m. to 5 p.m., but all of a sudden he is logging in on the weekends at 3 a.m., that is an anomaly an organization may want to investigate.
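The login pattern described above is a simple baseline-and-deviation check. The following Python is an added example (not code from the article or from the firm quoted): it builds a per-user baseline of weekdays worked, earliest and latest login hour, and workstations used from a constructed history of login events, then flags new events that fall outside that baseline. The CSV log format, user names, workstation names and timestamps are all constructed for this example.

```python
"""Flag logins that fall outside a user's established working pattern.

Added example: baseline = weekdays seen, earliest/latest login hour, and
workstations used per user. New events outside any of those are reported.
All log lines below are constructed sample data.
"""
from datetime import datetime

# Constructed history: "timestamp,user,workstation" (ISO 8601, local time).
# 2016-03-07 is a Monday; jdoe works weekdays, nightnurse works evenings.
HISTORY = """\
2016-03-07T09:02:11,jdoe,WS-114
2016-03-07T17:05:40,jdoe,WS-114
2016-03-08T08:58:03,jdoe,WS-114
2016-03-09T09:10:27,jdoe,WS-114
2016-03-10T16:45:12,jdoe,WS-114
2016-03-11T09:00:55,jdoe,WS-114
2016-03-07T22:15:00,nightnurse,WS-207
2016-03-12T23:02:18,nightnurse,WS-207
"""

# Constructed new events to evaluate; 2016-03-19 is a Saturday.
NEW_EVENTS = """\
2016-03-14T09:01:30,jdoe,WS-114
2016-03-19T03:12:44,jdoe,WS-114
2016-03-19T22:30:05,nightnurse,WS-207
2016-03-19T03:12:50,jdoe,WS-301
"""


def parse_events(text):
    """Return a list of (user, workstation, datetime) from CSV log lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, workstation = line.split(",")
        events.append((user, workstation, datetime.fromisoformat(ts)))
    return events


def build_baseline(history_text):
    """Per user: weekdays seen, [earliest, latest] login hour, workstations used."""
    baseline = {}
    for user, ws, when in parse_events(history_text):
        entry = baseline.setdefault(user, {"days": set(), "hours": [23, 0], "hosts": set()})
        entry["days"].add(when.weekday())          # 0 = Monday ... 6 = Sunday
        entry["hours"][0] = min(entry["hours"][0], when.hour)
        entry["hours"][1] = max(entry["hours"][1], when.hour)
        entry["hosts"].add(ws)
    return baseline


def find_anomalies(history_text, new_text):
    """Return one finding per new event that deviates from the user's baseline."""
    baseline = build_baseline(history_text)
    findings = []
    for user, ws, when in parse_events(new_text):
        reasons = []
        entry = baseline.get(user)
        if entry is None:
            reasons.append("no baseline for user")
        else:
            if when.weekday() not in entry["days"]:
                reasons.append("new weekday")
            lo, hi = entry["hours"]
            if not lo <= when.hour <= hi:
                reasons.append("outside working hours")
            if ws not in entry["hosts"]:
                reasons.append("new workstation")
        if reasons:
            findings.append({"user": user, "workstation": ws,
                             "time": when.isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(HISTORY, NEW_EVENTS):
        print(f"{f['time']} {f['user']}@{f['workstation']}: {', '.join(f['reasons'])}")
```

Run as written, the two Saturday 3 a.m. logins by jdoe are reported (the second one also on a workstation that user has never used), while the night-shift user's late login is not, because it matches that user's own history. A production version would require a minimum number of baseline events per user before trusting the pattern, and would treat shifts that cross midnight separately, since a plain earliest-to-latest hour window misreads them.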
“You need to have some sort of reasonable monitoring capabilities,” Zacharias urged. “You want to identify them early. If you can separate and firewall off an infected workstation, or IT equipment or application software, you’re going to be in a better position to really maintain the bulk of your system in an operational manner.”
Having good, frequent backups is also important for healthcare organizations of all sizes, he added. While a backup will not guarantee that stolen information is not sold on the black market, it can at least ensure that an organization is not locked out of its own data. The data can be restored to the system and regular operations can hopefully resume.
Zacharias also said that entities should have a thorough map of their various systems and understand which ones are the most critical. That way, should something happen and one system needs to be taken offline, the organization knows how long it will take to bring that system back online.
“You need to have a good understanding of your overall system architecture and understanding what the critical systems are and where you have redundancies.”
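The system map, criticality ranking and recovery-time question above can be worked through with a small dependency model. The following Python is an added example, not code from the article or the firm quoted: it holds a constructed map of hospital systems (restore time in hours, criticality level, whether a redundant instance exists, and which systems each depends on), computes the order and cumulative time in which they come back online, and lists critical systems with no redundancy. Every system name and number is constructed for illustration.

```python
"""Recovery planning over a constructed system map.

Added example. Each system records (restore_hours, criticality, redundant,
depends_on). Criticality 3 = directly affects patient care, 1 = back office.
Systems are assumed to be restored in parallel once their dependencies are up.
"""
from graphlib import TopologicalSorter  # standard library, Python 3.9+

# Constructed inventory; names, times and ratings are illustrative only.
SYSTEMS = {
    "active-directory": (2, 3, True,  []),
    "core-network":     (1, 3, True,  []),
    "ehr-database":     (6, 3, False, ["core-network", "active-directory"]),
    "ehr-app":          (2, 3, True,  ["ehr-database"]),
    "pacs-imaging":     (4, 3, False, ["core-network", "active-directory"]),
    "billing":          (3, 1, False, ["ehr-database"]),
    "email":            (2, 2, True,  ["active-directory"]),
}


def compute_recovery_plan(systems):
    """Return [(name, hours_until_online)] in an order that restores dependencies first.

    A system can start restoring only when all of its dependencies are online,
    so its online time is its own restore time plus the latest dependency's.
    """
    graph = {name: set(deps) for name, (_, _, _, deps) in systems.items()}
    online = {}
    plan = []
    for name in TopologicalSorter(graph).static_order():
        restore_hours, _, _, deps = systems[name]
        ready_at = max((online[d] for d in deps), default=0)
        online[name] = ready_at + restore_hours
        plan.append((name, online[name]))
    return plan


def time_to_restore_critical(systems, level=3):
    """Hours until every system at the given criticality level is back online."""
    online = dict(compute_recovery_plan(systems))
    return max(online[name] for name, (_, crit, _, _) in systems.items() if crit == level)


def single_points_of_failure(systems, level=3):
    """Critical systems with no redundant instance, mapped to what depends on them."""
    dependents = {name: [] for name in systems}
    for name, (_, _, _, deps) in systems.items():
        for d in deps:
            dependents[d].append(name)
    return {name: sorted(dependents[name])
            for name, (_, crit, redundant, _) in systems.items()
            if crit == level and not redundant}


if __name__ == "__main__":
    for name, hours in compute_recovery_plan(SYSTEMS):
        print(f"{hours:3d}h  {name}")
    print("critical systems fully restored after", time_to_restore_critical(SYSTEMS), "hours")
    print("no redundancy:", single_points_of_failure(SYSTEMS))
```

With the constructed numbers, the EHR database gates both the EHR application and billing, so it is the system whose restore time most deserves attention; the output also shows that the database and the imaging system are critical and have no redundancy. The ordering of independent systems returned by the topological sort is not fixed, so anything that consumes the plan should rely on the computed times, not on list position.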
Are ransomware attacks HIPAA breaches?
There has been some debate over whether or not a healthcare ransomware attack should necessarily be considered a HIPAA data breach.
The key thing to remember, according to Zacharias, is how the breach statute currently works. Under its definition, any unauthorized use or disclosure of PHI is presumed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to be a breach unless it meets an exception, and ransomware would not fall into one.
There is an automatic presumption that a breach has occurred, and the only way to avoid a notification event is to go through a risk analysis, he added.
“One of those factors is the unauthorized person who may have the information,” Zacharias explained. “In the case of a ransomware attack, the fact that you have a cyber criminal who has accessed the information, that factor is a critical one in the analysis. Obviously, there are facts and circumstances that could sway it one way or another. It is on a case-by-case analysis, but that’s probably a pretty challenging barrier to overcome in terms of demonstrating that there is a low probability of compromise.”