Ransomware attacks are increasingly prevalent in the healthcare community. Ransomware attacks use malicious software to gain access to a computer system and typically lock it down until a ransom is paid. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance advising organizations on how to protect themselves against these types of attacks.

How to Mitigate Your Risk of Ransomware Attacks

The former director of the OCR, Jocelyn Samuels, made the following recommendations:

  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a remediation plan to mitigate those identified risks
  • Implementing procedures to safeguard against malicious software
  • Training authorized users to detect malicious software and to report such detections
  • Limiting access to ePHI to only those persons or software programs requiring access
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operation, frequent data backups, and test restorations
  • Understanding ransomware, how it works, and knowing how to spot the signs
  • Implementing security incident responses and mitigating the consequences of ransomware

The lack of device monitoring in the healthcare space has contributed significantly to the ransomware problem. With the growing number of devices that connect to the internet, allowing unmonitored devices onto your network puts the entire system at risk. Ben Seri of Armis states, “Healthcare and manufacturing environments are rampant with such devices from MRIs to infusion pumps to ventilators to industrial control devices, robotic arms, HMIs, PLCs, etc. Without such solutions, these devices, and consequently your entire network, are sitting ducks for any hacker.”

What many organizations fail to understand is that HIPAA law mandates that all of your devices and assets are accounted for and that proper security measures are in place. This way, should you experience a malware or ransomware attack, the protected health information (PHI) your company manages stays safe.

WannaCry Ransomware Exploits Microsoft Flaw

The WannaCry ransomware and NotPetya wiper attacks, starting on May 12, 2017, exploited a flaw in Windows Server Message Block (SMB). Microsoft was aware of the vulnerability in its system and released patches in March 2017 to address the issue. However, organizations, including many in healthcare, have been slow to apply these patches.

The patch, known as Microsoft’s MS17-010, prevents attacks by the WannaCry ransomware. A staggering 1.7 million devices remain vulnerable to attack, even though Microsoft released the patch 2 years ago.
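As an added check, not part of this article, the PowerShell script below reports whether a Windows host lists an MS17-010 fix and whether SMBv1 (the protocol the flaw lives in) is still enabled; the KB numbers and the Windows 7 registry fallback are assumptions taken from Microsoft's published update guidance, and a missing KB is a prompt to investigate rather than proof of exposure, because later rollups and cumulative updates supersede the March 2017 packages.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell 3.0+ session on the host being checked.
# Assumption: these are the March 2017 MS17-010 packages per OS family.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # XP / 2003 / Vista / Windows 8 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts (Windows 7 / 2008 R2): SMB1 stays on unless this value is set to 0.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $p) -or ($p.SMB1 -ne 0)
}

function Get-Ms17010Report {
    $os        = Get-CimInstance Win32_OperatingSystem
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $kbFound   = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    $kbText    = 'none listed'
    if ($kbFound.Count -gt 0) { $kbText = $kbFound -join ',' }
    $smb1On    = Test-Smb1Enabled

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = "$($os.Caption) $($os.Version)"
        Ms17010Kb    = $kbText
        Smb1Enabled  = $smb1On
        # SMBv1 off removes the exposure whatever the KB list says; SMBv1 on
        # with no MS17-010 KB listed is the combination worth escalating.
        NeedsReview  = $smb1On -and ($kbFound.Count -eq 0)
    }
}

Get-Ms17010Report | Format-List
```

Run it across the fleet (for example through remoting or an endpoint management tool) and feed the NeedsReview hosts into the device inventory the HIPAA risk analysis above requires.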

Hackers leveraged the NSA’s EternalBlue and DoublePulsar tools, which gave the malware the ability to spread across entire networks. WannaCry infected more than 200,000 devices across 150 countries in its first few days. 40% of healthcare delivery organizations have succumbed to one or more attacks by the WannaCry ransomware in the past 6 months. With 30% of all ransomware attacks in the United States involving WannaCry in Q3 of 2018, it is essential that organizations take the necessary steps to prevent such attacks.

According to Armis VP of research, Ben Seri, “In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions, and cannot be updated without complete remodeling.” Additionally, 70% of devices in healthcare are still using outdated operating systems such as Windows 7, for which Microsoft will stop providing security updates by the end of 2020. Given the difficulty of updating many of these devices to current operating systems, the healthcare industry will become increasingly vulnerable to malware attacks.

Compliancy Group Can Help!

Our compliance solution, the Guard, will help your organization do all that is necessary to become HIPAA compliant. Our Compliance Coaches will guide you through the entire process, so that you have an effective compliance program in place.