What is Ransomware and how do I prevent it?
Ransomware is a type of malicious software (or malware) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the attacker who deployed the ransomware. In order for a victim to obtain this key, a ransom payment, which is usually made in cryptocurrency, is required. These types of attacks pose a serious threat to HIPAA covered entities, business associates, and the electronic protected health information (ePHI) that they hold. Ransomware prevention consists of deploying a series of measures under the HIPAA Security Rule.
Are Ransomware Prevention Measures Required?
Ransomware prevention techniques reduce the likelihood that an organization will fall victim to a ransomware attack, and they are not optional: the same measures are required under the HIPAA Security Rule. The Security Rule requires covered entities and business associates to adopt administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.
Ransomware attackers are constantly developing new ways to identify and target specific victims. However, the methods through which attackers gain initial access to information systems and deploy ransomware have remained largely the same: phishing emails and exploitation of information system vulnerabilities (for example, unpatched operating system or application vulnerabilities). Several ransomware prevention techniques can be used to secure a system against such access.
Ransomware Prevention Measure #1: Risk Analysis and Risk Management
Under the HIPAA Security Rule, covered entities and business associates must perform a risk analysis: a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Risk analysis is itself a ransomware prevention technique, because completing it shows an entity which vulnerabilities and risks leave it susceptible to a ransomware attack.
Upon completion of the risk analysis, covered entities and business associates must then perform risk management. Risk management is another ransomware prevention technique. Risk management consists of implementing security measures to reduce the potential risks and vulnerabilities identified in the risk analysis.
Ransomware Prevention Measure #2: Information System Activity Review
If ransomware penetrates an organization's first level of defenses and reaches its network and information systems, effective system monitoring and review becomes critical to detecting and containing the attack.
An effective system monitoring and review program allows an organization to identify anomalous or suspicious activity, and therefore to recognize an attack that is already in progress (for example, a single account renaming or rewriting large numbers of files in a short period).
The Security Rule’s administrative safeguard provisions require that covered entities and business associates regularly review records of information system activity. Such records can include:
- Audit logs;
- Access reports; and
- Security incident tracking reports.
Organizations can avail themselves of Security Information and Event Management (SIEM) solutions to assist with the review process. These solutions aggregate logs and reports from many different information systems and help analyze them; even without a full SIEM, tools that assist with log collection and review make the required periodic review practical.
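As an added example of the kind of review logic described above (this is not code from the original article or from any product), the script below reads a constructed, simplified file-server audit log and raises an alert when one user performs an unusually large number of file writes or renames inside a sliding window, or renames several files to a new extension, which is the pattern an encrypting ransomware process leaves behind. The log format, field names, user names, paths, and thresholds are all assumptions for the example; a real SIEM export or Windows object-access event log would need its own parser and site-specific tuning.

```python
"""Flag ransomware-like file activity in audit logs.

Added example, not part of the original article. The log format (ISO
timestamp followed by key=value fields) is a constructed stand-in for a
SIEM export; real file-server or Windows object-access events need their
own parser. Thresholds are assumed starting values to be tuned per site.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import os

WINDOW_SECONDS = 60       # sliding window per user
BURST_THRESHOLD = 5       # writes + renames inside the window
EXT_CHANGE_THRESHOLD = 3  # renames that change the file extension

# Constructed sample: abrown does routine edits; jdoe renames a run of
# records to a new extension within seconds, as encrypting ransomware does.
# Paths in this sample contain no spaces, which the simple parser relies on.
SAMPLE_LOG = """\
2024-03-04T10:15:01Z host=FS01 user=abrown action=write path=/share/notes/visit_0412.docx
2024-03-04T10:16:10Z host=FS01 user=abrown action=rename src=/share/notes/draft.docx dst=/share/notes/final.docx
2024-03-04T10:19:55Z host=FS01 user=jdoe action=read path=/share/ehr/index.csv
2024-03-04T10:20:00Z host=FS01 user=jdoe action=rename src=/share/ehr/pt1001.pdf dst=/share/ehr/pt1001.pdf.locked
2024-03-04T10:20:00Z host=FS01 user=jdoe action=rename src=/share/ehr/pt1002.pdf dst=/share/ehr/pt1002.pdf.locked
2024-03-04T10:20:01Z host=FS01 user=jdoe action=rename src=/share/ehr/pt1003.pdf dst=/share/ehr/pt1003.pdf.locked
2024-03-04T10:20:01Z host=FS01 user=jdoe action=rename src=/share/ehr/pt1004.pdf dst=/share/ehr/pt1004.pdf.locked
2024-03-04T10:20:02Z host=FS01 user=jdoe action=rename src=/share/ehr/pt1005.pdf dst=/share/ehr/pt1005.pdf.locked
2024-03-04T10:20:02Z host=FS01 user=jdoe action=write path=/share/ehr/HOW_TO_RECOVER.txt
2024-03-04T10:31:00Z host=FS01 user=abrown action=write path=/share/notes/visit_0413.docx
"""


def parse_line(line):
    """Turn one log line into a dict; the first token is the timestamp."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def extension_changed(src, dst):
    """True when a rename gives the file a different extension."""
    return os.path.splitext(src)[1].lower() != os.path.splitext(dst)[1].lower()


def detect(lines, window=WINDOW_SECONDS, burst=BURST_THRESHOLD,
           ext_changes=EXT_CHANGE_THRESHOLD):
    """Return (rule, user, timestamp, detail) alerts in log order.

    Each rule fires when its per-user count first reaches the threshold
    inside the sliding window, so a sustained burst yields one alert, not
    one alert per event.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (ts, extension_changed)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec.get("action") not in ("write", "rename"):
            continue          # reads are not evidence of encryption
        user, ts = rec["user"], rec["ts"]
        changed = rec["action"] == "rename" and extension_changed(rec["src"], rec["dst"])

        q = recent[user]
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()       # drop events that fell out of the window
        n_before = len(q)
        ext_before = sum(1 for _, c in q if c)
        q.append((ts, changed))

        if n_before + 1 == burst:
            alerts.append(("BURST", user, ts.isoformat(),
                           f"{burst} file changes within {window}s"))
        if changed and ext_before + 1 == ext_changes:
            alerts.append(("MASS_EXT_CHANGE", user, ts.isoformat(),
                           f"{ext_changes} extension-changing renames, latest {rec['dst']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert, sep=" | ")
```

Run against the constructed sample, the extension-change rule fires on jdoe's third rename and the burst rule on the fifth, while abrown's routine edits produce nothing. The thresholds are deliberately conservative starting points; a backup job or a bulk document migration will also trip them, so an entity should baseline its own service accounts and exclude or raise thresholds for them rather than ignore the rule.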
Ransomware Prevention Measure #3: Security Awareness and Training
IT professionals are fond of the acronym “PICNIC,” which stands for “Problem in Chair, Not in Computer.” Users of an information system remain a weak spot in an organization’s security posture.
The Security Rule’s administrative safeguard provisions require organizations to implement a security awareness and training program for all members of the workforce, including management.
While the Security Rule does not mandate any particular course or method of training, as a practical matter, a comprehensive training program should include at least the following measures:
- Training users to be aware of the potential threats they face.
- Training users as to how to respond to potential threats.
- Training users as to how to guard against, detect, and report malicious software.
- Training users as to how to log in to information systems.
- Training users as to how to create, change, and safeguard passwords.
Training materials should be reviewed periodically, and whenever HIPAA rules or OCR guidance change; workforce members should then be retrained so that their training reflects the current rules and guidance.
Ransomware Prevention Measure #4: Security Incident Procedures
An organization’s incident response procedures can greatly limit the damage caused by a ransomware attack. The various types of ransomware attacks can each be the topic of a specific response policy.
A response policy should address how to isolate and remove infected devices from the network. The policy should also cover how various antimalware tools should be deployed, to stop the spread of ransomware.
Response procedures should be written in sufficient detail and disseminated to the appropriate workforce members so that they can be implemented and executed effectively.
Further, organizations should consider testing their security incident procedures from time to time to ensure they remain effective. Testing consists of deliberately introducing a simulated threat into the environment (for example, an exercise in which a workstation is declared infected and must be isolated) to determine whether existing procedures work as written. Employee familiarity with the execution of security incident procedures should reduce an organization's reaction time and increase its effectiveness when responding to an actual security incident or breach.
Ransomware Prevention Measure #5: Contingency Plans
Having an effective contingency plan aids an organization in its efforts to recover from a ransomware attack. A contingency plan should identify a business’s critical services, and should define what an acceptable downtime for those systems should be in the event of an emergency.
Proper implementation of a contingency plan will allow an organization to continue to operate critical services during an emergency and to recover ePHI. Because patient health and safety may be affected, tolerance for system downtime is low and ePHI availability requirements are high. A covered entity or business associate must back up ePHI and ensure that it is accessible and recoverable in the event of a ransomware attack. Backups that remain writable from the production network can be encrypted along with the primary data, so at least one copy should be kept offline or otherwise isolated, and restores should be tested rather than assumed to work.
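The following is an added example of a restore test for the backup requirement above; it is not code from the original article. It records a manifest of SHA-256 digests at backup time, restores a copy, and then verifies the restored tree against the manifest, so that a file overwritten after the backup (as encrypting ransomware would do) or silently dropped during the restore is reported rather than discovered during a real emergency. The directory tree, file names and contents are constructed inside a temporary directory purely for the example.

```python
"""Verify that a restored ePHI backup matches what was backed up.

Added example, not from the original article. It builds a small
constructed directory tree in a temporary location, records a manifest of
SHA-256 digests, simulates a restore, then checks the restore against the
manifest. A file that ransomware encrypted after the backup was taken, or
that the restore silently dropped, shows up as modified or missing.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (with / separators) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest taken at backup time.

    Returns (ok, modified, missing) lists of relative paths. The manifest
    digest is the expected value; anything else means the restored copy of
    that file cannot be trusted.
    """
    ok, modified, missing = [], [], []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != expected:
            modified.append(rel)
        else:
            ok.append(rel)
    return ok, modified, missing


def restore_drill():
    """Constructed end-to-end drill: back up, restore, damage, verify."""
    base = tempfile.mkdtemp(prefix="ephi_drill_")
    try:
        live = os.path.join(base, "live")
        os.makedirs(os.path.join(live, "records"))
        files = {                                   # constructed sample data
            "records/pt1001.txt": b"patient 1001 visit notes\n",
            "records/pt1002.txt": b"patient 1002 lab results\n",
            "index.txt": b"pt1001,pt1002\n",
        }
        for rel, data in files.items():
            with open(os.path.join(live, rel), "wb") as f:
                f.write(data)

        manifest = build_manifest(live)             # taken at backup time
        backup = shutil.copytree(live, os.path.join(base, "backup"))

        # Simulate damage: one restored file was overwritten (as an
        # encrypting ransomware would do) and one never came back.
        restored = shutil.copytree(backup, os.path.join(base, "restored"))
        with open(os.path.join(restored, "records/pt1002.txt"), "wb") as f:
            f.write(b"\x00\x8f\x13 ciphertext placeholder")
        os.remove(os.path.join(restored, "index.txt"))

        return verify_restore(restored, manifest)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    ok, modified, missing = restore_drill()
    print("ok:", ok)
    print("modified:", modified)
    print("missing:", missing)
```

The manifest should be written at backup time and stored separately from the backup itself (and ideally signed or kept on write-once media), since a manifest that the attacker can rewrite proves nothing. A scheduled drill that restores to scratch storage and runs this comparison gives the "accessible and recoverable" evidence the contingency plan calls for.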