Performing regular system updates, conducting annual employee training, and ensuring comprehensive backup plans with disaster recovery planning are all key tools in preparing for healthcare ransomware attacks, according to Matt Fisher, chair of Mirick O’Connell’s Health Law Group.
They are also key components of the HIPAA Security Rule.
Ransomware has been a very large threat to healthcare organizations because they can often be seen as vulnerable targets, Fisher told HealthITSecurity.com. It certainly seems as though covered entities dominate the news when it comes to successful attacks, which suggests that not enough attention or focus is being put on appropriate cybersecurity measures.
“Even beyond the perceived vulnerabilities, whether those are actual or not, the value of medical information is higher than any other information that can be obtained,” Fisher explained. “It really makes healthcare entities a very ripe target, with the high return on value for those carrying out the attacks. I hate to say it, but it seems like it’s a good investment for those bad actors.”
However, covered entities and their business associates can prepare for potential cybersecurity attacks.
Organizations should make sure their systems are up to date, whether that means performing upgrades or implementing patches. Keeping each component of the system as current as possible, to whatever extent is feasible, will be greatly beneficial.
“In addition to having updated systems, it’s also beneficial to monitor what is going on within a system,” Fisher said. “Whether it be looking for suspicious emails or suspicious activity, you then need to be able to quickly respond to or isolate that activity. Even if you can’t prevent an attack, at least if you can limit the extent of it, or the length of time in which it can occur, you can begin to mitigate those potential damages or potential harm that’s coming out of it.”
If there has been a successful attack, entities need to try to lock down the system as quickly as possible to stop further spread of harm. Furthermore, as required under HIPAA regulations, a good disaster recovery plan and comprehensive data backups should also be at the top of an organization’s security priorities.
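The monitoring and containment advice above (watch for suspicious activity, then isolate it quickly) can be turned into a concrete detection. The following is an added illustration, not code from the article or from Fisher's firm: it scans constructed file-activity log lines of the form `timestamp host user action path` and raises an alert when one user on one host changes the extension of many files within a short window, or creates a file whose name looks like the note ransomware leaves behind. The thresholds, the log format and the note-name pattern are all assumptions chosen for the demo; a real deployment would tune them to the file server's own audit log.

```python
"""Flag bulk file-encryption behaviour in file-activity logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

RENAME_THRESHOLD = 5             # assumed: extension changes per user before alerting
WINDOW = timedelta(seconds=60)   # assumed: sliding window for counting them
# Assumed pattern for ransom-note-like filenames dropped beside encrypted files.
NOTE_PATTERN = re.compile(r"(decrypt|recover|restore).*\.(txt|html)$", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(CREATE|WRITE|RENAME)\s+(.+)$")

# Constructed sample log: asmith does normal work on ws-07, while jdoe on ws-12
# renames record after record to a new extension and then drops a note.
SAMPLE_LOG = """\
2016-08-01T09:00:01 ws-07 asmith WRITE /shares/clinic/schedule.xlsx
2016-08-01T09:00:02 ws-07 asmith RENAME /shares/clinic/draft.docx -> /shares/clinic/final.docx
2016-08-01T09:00:10 ws-12 jdoe RENAME /shares/records/p1001.pdf -> /shares/records/p1001.pdf.locked
2016-08-01T09:00:11 ws-12 jdoe RENAME /shares/records/p1002.pdf -> /shares/records/p1002.pdf.locked
2016-08-01T09:00:12 ws-12 jdoe RENAME /shares/records/p1003.pdf -> /shares/records/p1003.pdf.locked
2016-08-01T09:00:13 ws-12 jdoe RENAME /shares/records/p1004.pdf -> /shares/records/p1004.pdf.locked
2016-08-01T09:00:14 ws-12 jdoe RENAME /shares/records/p1005.pdf -> /shares/records/p1005.pdf.locked
2016-08-01T09:00:15 ws-12 jdoe RENAME /shares/records/p1006.pdf -> /shares/records/p1006.pdf.locked
2016-08-01T09:00:16 ws-12 jdoe CREATE /shares/records/HOW_TO_RECOVER_FILES.txt
"""


def basename(path):
    """Last path component, accepting either / or \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path):
    """Lower-cased extension without the dot, or '' when there is none."""
    name = basename(path)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, action, rest = m.groups()
    event = {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "action": action}
    if action == "RENAME":
        old, new = (p.strip() for p in rest.split("->", 1))
        event["old"], event["new"] = old, new
    else:
        event["path"] = rest.strip()
    return event


def detect(log_text):
    """Return alert strings; each (host, user) is reported at most once for bulk renames."""
    alerts = []
    recent = defaultdict(deque)   # (host, user) -> timestamps of extension-changing renames
    flagged = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["user"])
        if ev["action"] == "RENAME" and extension(ev["old"]) != extension(ev["new"]):
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:   # drop events outside the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(f"bulk-rename {ev['host']} {ev['user']}: "
                              f"{len(q)} extension changes within {WINDOW.seconds}s")
        elif ev["action"] == "CREATE" and NOTE_PATTERN.search(basename(ev["path"])):
            alerts.append(f"ransom-note-like file {ev['host']} {ev['user']}: {ev['path']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The bulk-rename alert fires on the fifth extension change, before the run has finished, which is the point: the earlier a host is isolated from the share, the fewer files need to come back from backup. A single extension-preserving rename (draft.docx to final.docx) never counts toward the threshold.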
“Arguably you should be able to not have to go the route of trying to pay the ransom on a successful ransomware attack,” Fisher stated. “You can just get your system going again from the most recent backup.”
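Restoring "from the most recent backup" only works if that backup is both intact and recent enough, and ransomware that reaches a writable backup location encrypts the copies too. The script below is an added example, not from the article or from any product it mentions: it records a SHA-256 manifest when a backup set is written, and later verifies every file against that manifest and checks the set's age against a recovery point objective. The directory layout, the `manifest.json` format and the 24-hour RPO are assumptions for the demo.

```python
"""Check that a backup set is restorable before relying on it (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta

MAX_BACKUP_AGE = timedelta(hours=24)   # assumed recovery point objective
MANIFEST = "manifest.json"             # assumed manifest filename


def sha256_of(path):
    """Stream a file through SHA-256 so large backup files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, created):
    """At backup time: record the hash of every file under backup_dir."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            if name == MANIFEST:
                continue
            full = os.path.join(root, name)
            files[os.path.relpath(full, backup_dir)] = sha256_of(full)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump({"created": created.isoformat(), "files": files}, f)
    return files


def verify_backup(backup_dir, now):
    """Before a restore: report staleness, missing files and hash mismatches."""
    problems = []
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    age = now - datetime.fromisoformat(manifest["created"])
    if age > MAX_BACKUP_AGE:
        problems.append(f"backup is {age} old, exceeds RPO of {MAX_BACKUP_AGE}")
    for rel, expected in manifest["files"].items():
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            problems.append(f"missing: {rel}")
        elif sha256_of(full) != expected:
            problems.append(f"hash mismatch (corrupted or encrypted?): {rel}")
    return {"files_checked": len(manifest["files"]), "problems": problems}


def demo():
    """Build a constructed backup set, verify it, then corrupt a file and re-check."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "ehr"))
        with open(os.path.join(d, "ehr", "patients.db"), "wb") as f:
            f.write(b"constructed sample data")
        with open(os.path.join(d, "config.ini"), "w") as f:
            f.write("[server]\nport=8443\n")
        created = datetime(2016, 8, 1, 2, 0)
        write_manifest(d, created)
        good = verify_backup(d, created + timedelta(hours=6))
        # Simulate ransomware overwriting a backup copy that was left writable,
        # and a restore attempted after the RPO has lapsed.
        with open(os.path.join(d, "ehr", "patients.db"), "wb") as f:
            f.write(b"ENCRYPTED")
        bad = verify_backup(d, created + timedelta(hours=30))
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("fresh set:", good)
    print("tampered set:", bad)
```

Storing the manifest with the backup is convenient for the demo; in practice keep a copy of it (or of its hash) somewhere the production network cannot write, otherwise an attacker who can rewrite the files can rewrite the manifest too.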
Implementing regular employee education and training
Employee training is a critical tool for any healthcare organization as they work to prevent, mitigate, and react to potential ransomware attacks.
It is recommended, as part of good HIPAA compliance, to conduct annual employee training at a minimum, as well as training upon hire.
“If you have individuals who are aware of what threats are out there in the landscape and how to go about responding or reporting any concerns within an organization, that can certainly help,” he explained.
Training can take a few different forms, Fisher added. First, alerts can be sent out within an organization that explain what new threats might look like and how they might attempt to infiltrate a company. Providing current information like that can prevent an employee from clicking on a bad link or opening a bad email because it “appeared okay.”
Alert emails can also be paired with regular follow-up training sessions, especially if there have been significant developments in the types of potential cybersecurity threats.
Fisher discussed how at his own law firm, the IT department sends out those types of updates. The emails explain what IT has learned about new variants of ransomware, malware, or other types of malicious applications.
“Seeing something like that is a very good and easy way to be able to learn what the threats are and then hopefully able to identify them,” Fisher said.
Having a dedicated computer that is not connected to the main system or network to receive potential threats can also be helpful.
“With my firm, if anyone has a question about an email, we can forward it to our IT department, and they have a dedicated computer, not connected to our system, that they can then open it on,” he explained. “That way if there is an attack, if there is ransomware embedded in an email, it’s locked up in a computer we don’t care about and doesn’t have any of our sensitive information on it.”
Understanding OCR’s ransomware guidance
The recent OCR ransomware guidance is definitely a step in the right direction for preventing and understanding possible cybersecurity attacks, Fisher stated.
“It helped clarify where there was arguably some confusion in how HIPAA interacts and applies to a ransomware attack,” he said.
A key takeaway, though, was that OCR maintained that a ransomware attack may constitute a HIPAA data breach, but that it is not a given.
“It’s pretty well established at this point, if there is an inappropriate use or access of unsecured PHI, then it’s presumed that a breach has occurred unless you can determine one of the exceptions to the definition of a breach applied,” Fisher pointed out. “Or, if an organization goes through the risk assessment and it can determine there’s a low probability of compromise.”
Fisher acknowledged that he could see both sides of the argument in whether or not a ransomware attack should be considered a HIPAA data breach. Even so, he added that he agreed with the OCR guidance in that each situation needs to be fully evaluated.
“There are a lot of factors, such as what variant of ransomware is occurring, how well you can investigate what happened, when the ransomware was in place,” Fisher continued. “There are a lot of factors just like in any situation that would arguably result in potential breaches.”
Healthcare organizations will need to approach situations on a case-by-case and fact-by-fact basis, he said.
“It shouldn’t automatically always be a breach, but you have to figure out by doing an appropriate investigation what the actual access or exposure may have been.”
The guidance was also helpful in discussing the general protective measures in the HIPAA Security Rule, such as disaster recovery, backup plans, and staff training.
“A lot of these components form a good foundation of a solid security plan,” noted Fisher. “This is somewhat suggested in the guidance, but HIPAA is really a baseline when it comes to a cybersecurity or any type of security plan. You really need to focus on building up from that foundation.”
HIPAA is designed to be flexible, and it’s recognized that the rules predate the contemplation of some of the existing threats and issues, he said.
“The Security Rule forms a great foundation, but if you really want to be secure, you need to go above and beyond.”
Ransomware specifically is clearly a very serious problem, Fisher stated. However, if an organization has a solid security plan in place and is trying to monitor and detect issues so that it can respond properly, those good faith efforts can go a very long way.
“If the industry as a whole can make it feel like it’s tougher to penetrate those defenses, that might also start to deflect some of the primary attention of these attackers away from healthcare, to what the attackers might view as easier targets.”