Recent months have seen a wave of ransomware attacks in the US healthcare industry, many involving a sophisticated strain of malware called Ryuk. To protect themselves, healthcare providers should review OCR’s recent guidance on preventing, mitigating and responding to ransomware attacks, which we outline here.
Recently, an alarming number of ransomware attacks have targeted and disrupted the US healthcare industry. Many of the attacks involve a sophisticated and destructive strain of malware called Ryuk. Ransomware attacks can prevent healthcare providers—ranging from large health systems to small medical practices—from accessing critical data needed to treat patients and maintain normal business operations. Consequently, ransomware attacks can have potentially devastating effects on patient safety and cause financial and reputational damage to afflicted healthcare providers. Healthcare providers should ensure that their information security teams are well positioned to protect and defend their organizations against such attacks.
What Is a Ransomware Attack?
Cyber-attackers use ransomware, a type of malware (i.e., malicious software), in an attempt to extort an organization by freezing access to its own data. Typically, ransomware locks down electronic data files by encrypting them with a decryption key known only to the attacker. The attacker then demands the organization pay a ransom in exchange for the decryption key.
Ransomware often enters an organization when a user clicks a malicious link or downloads an infected file. According to the US Computer Emergency Readiness Team (US-CERT), ransomware “typically spreads through phishing emails or by unknowingly visiting an infected website.” It can be challenging for an organization to detect ransomware when it is initially deployed on its information systems. In fact, the United Kingdom’s National Cyber Security Centre (NCSC) issued an alert on June 22, 2019, advising that Ryuk, in particular, “is often not observed until a period of time after the initial infection—ranging from days to months—which allows the actor to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximizing the impact of the attack.”
Ransomware attacks can cause an intense level of disruption to a healthcare provider’s operations that rely on its information systems. Without access to patients’ electronic medical records, healthcare providers may be forced to delay or cancel patient appointments and procedures, potentially endangering the patients’ safety. A ransomware attack can also cripple a healthcare provider’s revenue cycle management processes and prevent the provider from capturing revenue in a timely manner. Moreover, a healthcare provider may need to expend a significant amount of effort on coordination with internal and external stakeholders, including:
its information security, IT and legal departments and its senior executives;
external advisors, consultants, forensics vendors, and outside legal counsel; and
law enforcement agencies.
Even healthcare providers with sophisticated data backup and disaster recovery processes may be compelled to pay a ransom to the cyber-attacker to obtain a decryption key because doing so can be more expedient and less resource intensive than restoring the patient data from backups. For these reasons, healthcare providers can face tremendous pressure to negotiate and pay a ransom in order to resume providing vital patient services, notwithstanding the FBI’s warning that there is no guarantee that a criminal attacker will in fact provide a decryption key that will enable full restoration of the encrypted data after receiving a ransom payment.
OCR cautions that “ransomware attacks often occur after prior instances of unauthorized access and malware infection.” For example, cyber-attackers will frequently launch a ransomware attack only after successfully exploiting an organization’s lapses in security controls to gain privileged access to its information systems. OCR observes that by appropriately implementing the Security Rule, HIPAA-covered entities and their business associates will be well situated to prevent and respond to ransomware attacks. In particular, OCR highlights compliance with the following Security Rule provisions as instrumental to a HIPAA-regulated entity’s ransomware prevention, mitigation and recovery efforts:
Risk Analysis and Risk Management. The Security Rule requires HIPAA-regulated entities to perform an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, availability and integrity of electronic PHI (ePHI) and reduce any identified risks to reasonable and appropriate levels. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.308(a)(1)(ii)(B)). OCR observes that “identifying and addressing technical vulnerabilities within information systems and information technology infrastructure” through the risk analysis and risk management process is an important step in the prevention of ransomware attacks. Successful ransomware attacks will often exploit technical vulnerabilities, such as outdated or unpatched software, unsecured ports, inadequate access controls and user authentication mechanisms, and the absence of anti-malware software solutions.
Information System Activity Review. In the event that ransomware enters an organization, OCR finds that “effective system monitoring and review will be critical to detecting and containing” the ransomware attack. The Security Rule requires HIPAA-regulated entities to maintain and regularly review records of information system activity, such as audit logs and access reports. (See 45 C.F.R. § 164.308(a)(1)(ii)(D)). OCR states that regular review of information system activity records can facilitate the identification of anomalous activity associated with a ransomware attack, such as suspicious activity performed by a user account with elevated privileges.
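As an added illustration of the kind of activity review OCR describes (this is example code written for this alert, not OCR's or any vendor's tooling), the script below reads constructed logon audit records and flags privileged-account activity that departs from a per-account baseline: after-hours logons, logons from hosts the account has not used before, and an account touching many hosts within one hour, the pattern the NCSC alert associates with an actor's pre-encryption reconnaissance. The sample records, the host baseline, the business-hours window and the host-count threshold are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records, one JSON object per line (not taken from the page).
SAMPLE_LOG = """\
{"ts":"2019-07-08T09:12:00","user":"jdoe","admin":false,"host":"WS-114"}
{"ts":"2019-07-08T23:41:00","user":"svc_backup","admin":true,"host":"WS-031"}
{"ts":"2019-07-08T23:43:00","user":"svc_backup","admin":true,"host":"WS-031"}
{"ts":"2019-07-08T23:44:00","user":"svc_backup","admin":true,"host":"FS-02"}
{"ts":"2019-07-08T23:45:00","user":"svc_backup","admin":true,"host":"DC-01"}
{"ts":"2019-07-09T10:05:00","user":"admin.kay","admin":true,"host":"IT-07"}
"""

# Baseline of hosts each privileged account normally logs on to (assumed, constructed).
KNOWN_ADMIN_HOSTS = {"svc_backup": {"BK-01"}, "admin.kay": {"IT-07"}}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time; assumed policy value
MAX_HOSTS_PER_HOUR = 2          # more distinct hosts than this in an hour is flagged; assumed threshold


def parse_records(log_text):
    """Yield parsed records, skipping blank lines; timestamps become datetime objects."""
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec


def review_privileged_activity(log_text, known_hosts=KNOWN_ADMIN_HOSTS):
    """Return {user: sorted list of findings} for privileged-account activity
    that departs from the account's baseline. Non-admin activity is ignored."""
    findings = defaultdict(set)
    hosts_per_hour = defaultdict(set)      # (user, "YYYY-MM-DD HH") -> hosts seen
    for rec in parse_records(log_text):
        if not rec["admin"]:
            continue
        user, host, ts = rec["user"], rec["host"], rec["ts"]
        if ts.hour not in BUSINESS_HOURS:
            findings[user].add("after-hours privileged logon")
        if host not in known_hosts.get(user, set()):
            findings[user].add(f"privileged logon from unbaselined host {host}")
        seen = hosts_per_hour[(user, ts.strftime("%Y-%m-%d %H"))]
        seen.add(host)
        if len(seen) > MAX_HOSTS_PER_HOUR:
            findings[user].add(f"{len(seen)} distinct hosts within one hour (possible lateral movement)")
    return {user: sorted(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    for user, reasons in review_privileged_activity(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

Run against the sample, only the svc_backup account is reported; the ordinary user and the administrator working from a baselined host during business hours produce no findings.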
Security Awareness and Training. OCR warns that “information system users remain one of the weakest links in an organization’s security posture.” For this reason, it is crucial for HIPAA-regulated entities to sufficiently train workforce members on their policies and procedures for complying with the Security Rule, as well as administer ongoing security awareness reminders and programs. (See 45 C.F.R. § 164.308(a)(5)). For example, HIPAA-regulated entities might consider holding training sessions focused on social engineering, educating workforce members about identifying and reporting suspicious system activity, and conducting phishing simulation exercises.
Security Incident Procedures. The Security Rule requires HIPAA-regulated entities to maintain written procedures for identifying and responding to security incidents involving ePHI. (See 45 C.F.R. § 164.308(a)(6)). Because an “organization’s incident response procedures can greatly limit the damage caused by a ransomware attack,” OCR recommends that HIPAA-regulated entities specifically address ways to mitigate and respond to ransomware attacks in their written security incident procedures. OCR also suggests that entities periodically test their security incident procedures to promote their continued effectiveness.
Contingency Plan. Under the Security Rule, HIPAA-regulated entities must document and test a contingency plan that establishes strategies for recovering access to ePHI in the event of an emergency, natural disaster or other disruption to information systems. (See 45 C.F.R. § 164.308(a)(7)). Data backup and disaster recovery procedures are key elements of a Security Rule contingency plan. Because the availability and integrity of ePHI is of utmost importance to patient health and safety, OCR recommends continually backing up ePHI and ensuring that the ePHI can be restored from up-to-date, accurate backups if a ransomware attack occurs. Notably, OCR advises that backups of ePHI may also be susceptible to ransomware, and that “threat actors have recently been actively targeting backup systems and backup data to prevent recovery.” Accordingly, organizations should consider maintaining offline backups of ePHI that are disconnected from their networks.
If your organization would like assistance with preventing or responding to ransomware attacks, don’t hesitate to reach out to the authors of this On the Subject or your regular McDermott lawyer.