Healthcare organizations must be mindful of how they reduce cyber extortion risk because covered entities maintain sensitive data and provide necessary services, OCR stated in its January Cybersecurity Newsletter.
Cyber extortion often consists of cyber criminals demanding money from organizations in exchange for the criminals stopping their malicious activity. This activity could include stealing sensitive information or interrupting computer services, OCR explained.
Ransomware, denial of service (DoS) and distributed denial of service (DDoS) attacks are all prime examples of cyber extortion that could impact healthcare. OCR reiterated that it has provided guidance on these cybersecurity attacks before, but stressed that entities must regularly update their prevention and mitigation tactics.
“Another type of cyber extortion occurs when an attacker gains access to an organization’s computer system, steals sensitive data from the organization, and then threatens to publish that data,” the newsletter read. “The attacker uses the threat of publically exposing an organization’s sensitive data, which could include protected health information (PHI), to coerce payment.”
Additionally, attackers could potentially sell the stolen data even if a ransom is paid. Cyber criminals could also delete the information from an organization’s computers.
“Payment of the ransom is no guarantee that an organization will get its data back,” OCR cautioned. “In fact, there have been instances where one attacker has stolen and deleted an organization’s data while leaving a demand for payment only to have a second attacker gain access to the same computer system and overwrite the payment demand of the first attacker.”
“In this circumstance, the second attacker didn’t even have the data, so the organization has no chance of retrieving data from the second attacker,” the agency continued.
Healthcare organizations must remain vigilant in their cybersecurity measures, OCR said. Cyber criminals are going to evolve in their methods, and entities cannot afford to fall behind.
Having a robust risk analysis and risk management program is one critical step, the agency stated. The risk management program should identify and address cyber risks holistically and throughout the entire organization.
OCR also said in its newsletter that organizations should implement “robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis.”
HIPAA regulations require a risk analysis as part of the administrative safeguard requirement.
“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI,” HHS explains on its website.
Adjustments should also be made as more technology is introduced. New connected medical devices or even cloud storage options could impact how ePHI is stored and subsequently affect the risk analysis.
Employee training is also critical for reducing cyber extortion risk, OCR said in the newsletter. Staff members should be able to “identify suspicious emails and other messaging technologies that could introduce malicious software into the organization.”
Whether employees are properly trained in cybersecurity measures is a common concern among healthcare executives. Eighty percent of health IT executives and professionals said employee security awareness was their greatest data security concern, according to a 2017 HIMSS Analytics survey.
Eighty-five percent of respondents added that their organization uses an internal/employee security awareness program, but employee awareness training was still one of the top five barriers to adopting a comprehensive security program.
In addition to creating training and risk management programs, healthcare organizations must consider technical safeguards, OCR stated in the newsletter.
Anti-malware solutions, patching system vulnerabilities, data encryption, and data backups are all critical steps for reducing cyber extortion risk.
Entities should also harden their internal network defenses and ensure they are “limiting internal network access to deny or slow the lateral movement of an attacker and/or propagation of malicious software,” the agency said.
“Implementing and testing robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack” will also help organizations reduce their chances of becoming a cyber extortion victim.
Additionally, robust audit logs should be implemented. Healthcare organizations need to regularly review their audit logs for any suspicious activity.
Signing up to receive US-CERT alerts and participating in information sharing organizations can also be beneficial because it will help entities stay educated on the latest cyber threats and vulnerabilities.
A strong risk management approach and updating potentially vulnerable software were also cited as key steps for healthcare organizations to take following the Spectre and Meltdown vulnerabilities.
The Healthcare Cybersecurity and Communications Integration Center (HCCIC) urged Healthcare and Public Health (HPH) entities in a January 2018 release to monitor medical device security and personally identifiable information (PII) stored in the cloud.
The Meltdown and Spectre vulnerabilities could circumvent certain protections and expose “nearly any data the computer processes, such as passwords, proprietary information, or encrypted communications,” NH-ISAC researchers found.
HCCIC cautioned that PHI or PII leakage from web browsers could occur, and healthcare entities should be wary of the possibility of service degradation and/or interruption from patches.
“Medical devices and supporting medical equipment may not resemble computers, but may run operating systems (Windows, Linux, etc.) on processors that could be vulnerable to Meltdown and Spectre,” HCCIC said. “Contact medical device manufacturers through security portals, if available, for information specific to each medical device and the manufacturer’s recommendations for patching medical devices.”
Whether the threat is cyber extortion, malware, or another type of cybersecurity issue, healthcare organizations must remain vigilant in their data security measures. A comprehensive and current risk management plan, regular employee training, and a disaster recovery plan will all be key tools to maintain PHI security.