The WannaCry ransomware attack should serve as a strong reminder to healthcare organizations to maintain necessary data security measures, including proper employee training. Adhering to the OCR ransomware guidance will also help covered entities maintain HIPAA compliance in their efforts to prevent malicious malware attacks.
HHS sent an email reminder to Healthcare and Public Health Sector (HPH) organizations about OCR’s guidance released in 2016.
“OCR presumes a breach in the case of ransomware attack,” HHS warned. “The entity must determine whether such a breach is a reportable breach no later than 60 days after the entity knew or should have known of the breach.”
Additionally, asking law enforcement to hold reports tolls the 60-day reporting deadline.
“Reporting information to law enforcement, DHS, or other HHS divisions does not constitute inadvertent or intentional reporting to OCR,” the email noted. “All reporting of breaches to OCR should be made as required by the HIPAA Breach Notification Rule.”
If the incident involves unencrypted data – at least per NIST specifications – then OCR presumes a breach occurred due to the ransomware attack, HHS explained. From there, the covered entity or business associate will need to prove that the ePHI was in fact encrypted throughout the entire process, both before the ransomware attack and at the moment the attack encrypted the data again.
For example, the OCR ransomware guidance discusses a situation where an encrypted laptop “with a full disk encryption solution in a manner consistent with HHS guidance” is used by an authenticated user who then opens a malicious link that infects the device with ransomware.
“If full disk encryption is the only encryption solution in use to protect the PHI and if the ransomware accesses the file containing the PHI, the file containing the PHI will be transparently decrypted by the full disk encryption solution and access permitted with the same access levels granted to the user,” the guidance explains.
“Because the file containing the PHI was decrypted and thus ‘unsecured PHI’ at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed.”
The OCR ransomware guidance also underlines the importance of conducting a risk analysis, performing regular user training, and maintaining an overall contingency plan.
“Although there is not a Security Rule standard or implementation specification that specifically and expressly requires entities to update the firmware of network devices, entities, as part of their risk analysis and risk management process, should, as appropriate, identify and address the risks to ePHI of using network devices running on obsolete firmware, especially when firmware updates are available to remediate known security vulnerabilities.”
Proper HIPAA compliance can also help organizations recover from potential ransomware attacks, according to OCR.
For example, “maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack,” OCR notes.
“Test restorations should be periodically conducted to verify the integrity of backed up data and provide confidence in an organization’s data restoration capabilities,” the guidance urges. “Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and unavailable from their networks.”
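One way to make a test restoration verifiable rather than a visual spot-check is to record a hash manifest when the backup is taken and compare the restored tree against it. The following is an added example, not code from OCR or from this article; the file names, directory layout and the simulated damage are all constructed sample data.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Hash every file under root; map relative path -> SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest captured at backup time."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "unexpected": sorted(set(actual) - set(manifest)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "verified": sorted(p for p in manifest if p in actual and actual[p] == manifest[p]),
    }


def restore_test_passes(result: dict) -> bool:
    """A test restoration passes only if every file is present, unchanged, and nothing extra appeared."""
    return not (result["missing"] or result["unexpected"] or result["modified"])


def demo() -> tuple:
    """Constructed sample: a tiny source tree, one clean restore, one damaged restore."""
    base = Path(tempfile.mkdtemp())
    src = base / "source"
    (src / "records").mkdir(parents=True)
    (src / "records" / "patient_001.txt").write_text("constructed sample record 1\n")
    (src / "records" / "patient_002.txt").write_text("constructed sample record 2\n")
    (src / "schedule.csv").write_text("date,room\n2017-05-12,A1\n")
    manifest = build_manifest(src)  # captured at backup time, stored apart from the backup set

    clean = base / "restore_clean"
    shutil.copytree(src, clean)
    clean_result = verify_restore(manifest, clean)

    damaged = base / "restore_damaged"
    shutil.copytree(src, damaged)
    # Simulated damage to the backup set: one file's contents replaced, one file gone.
    (damaged / "records" / "patient_001.txt").write_bytes(os.urandom(64))
    (damaged / "schedule.csv").unlink()
    damaged_result = verify_restore(manifest, damaged)

    shutil.rmtree(base)
    return clean_result, damaged_result


if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore passes:", restore_test_passes(ok))
    print("damaged restore modified:", bad["modified"], "missing:", bad["missing"])
```

Keeping the manifest on media the backup process itself cannot overwrite is what lets the comparison detect a backup set that was altered after it was written.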
Furthermore, “robust security incident procedures” following a ransomware attack should include the following:
- Detect and conduct an initial analysis of the ransomware
- Contain the impact and propagation of the ransomware
- Eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation
- Recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations
- Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident
Any lessons learned should also then be incorporated into the overall security management process to prevent such incidents from recurring.
OCR also noted the importance of employee training for ransomware detection and working to ensure that such an attack does not happen in the first place.
“HIPAA’s requirement that an entity’s workforce receive appropriate security training, including training for detecting and reporting instances of malicious software, can thus assist entities in preparing their staff to detect and respond to ransomware,” the guidance states.
Overall, if an entity believes that a ransomware attack has occurred, it should activate its security incident response plan and contact its local FBI or US Secret Service field office.