OCR shares guide to preventing, mitigating and responding to ransomware

As we've seen in recent months, ransomware remains a big threat to healthcare organizations of all sizes, even causing some to shut down operations entirely. In their Fall 2019 newsletter, the Office for Civil Rights (OCR) released guidance for healthcare entities on how they can prevent, mitigate, and respond to ransomware attacks.

A quick refresher on ransomware

Ransomware is when an intruder gains access to your computer, encrypts important files with a private key, and demands a ransom to decrypt the information. Email is the number one attack vector for ransomware ( otherwise known as phishing), but ransomware comes in many shapes and sizes. People continually fall victim to ransomware attacks because of human error like our susceptibility and  The Overconfidence Dilemma.

There are other ways for ransomware to affect software, such as network servers, but email remains as the top three causes of this kind of data breach. READ MORE:  This is Why Ransomware Attacks Are Still So Effective

What the OCR advises

In their quarterly cybersecurity newsletter, the OCR outlines one of the biggest reasons ransomware has become more effective in recent years is through more targeted attacks. "Prior to initiating an attack, a malicious actor usually gains unauthorized access to a victim’s information system for the purpose of performing reconnaissance to identify critical services, find sensitive data, and locate backups," OCR reports.

The result is a targeted attack that is unleashed for maximum impact, which can have massive consequences for organizations who are unprepared for the attack, including having to pay a ransom to get back critical data. OCR reminds healthcare organizations that proper implementation of several HIPAA Security Rule provisions can help covered entities and business associates prevent, mitigate, and recover from ransomware attacks, including:

• Risk Analysis (45 C.F.R. §164.308(a)(1)(ii)(A)) and Risk Management (45 C.F.R. §164.308(a)(1)(ii)(B)). Covered entities and business associates are required to conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their ePHI, and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.  Identifying and addressing technical vulnerabilities within information systems and information technology infrastructure is crucial to preventing ransomware attacks.  Successful ransomware deployment often depends on exploitation of technical vulnerabilities such as outdated software, unsecured ports, and poor access management/provisioning.  Implementing effective security tools including anti-malware software and intrusion detection/prevention solutions can also help prevent, detect, and contain attacks.  Identifying and reducing these potential risks and vulnerabilities is key to making an organization a less inviting target.
• Information System Activity Review (45 C.F.R. §164.308(a)(1)(ii)(D)). If ransomware is able to overcome an organization’s first level of defenses and enter the organization’s network and information systems, effective system monitoring and review will be critical to detecting and containing the attack.  Identifying anomalous activity, especially such activity executed with elevated privileges, can be crucial to identifying an attack in progress.  Covered entities and business associates are required to regularly review records of information system activity.  Such records can include audit logs, access reports, and security incident tracking reports.  Some organizations may benefit from tools to assist with log collection and review processes.  Security Information and Event Management solutions can assist an organization with its activity review process by aggregating and helping to analyze logs and reports from many different information systems.
• Security Awareness and Training (45 C.F.R. §164.308(a)(5)). Information system users remain one of the weakest links in an organization’s security posture.  Social engineering, including phishing attacks, is one of the most successful techniques used by threat actors to compromise system security.  A training program should make users aware of the potential threats they face and inform them on how to properly respond to them.  This is especially true for phishing emails that solicit login credentials.  Additionally, user training on how to report potential security incidents can greatly assist in an organization’s response process by expediting escalation and notification to proper individuals.
• Security Incident Procedures (45 C.F.R. §164.308(a)(6)). An organization’s incident response procedures can greatly limit the damage caused by a ransomware attack.  Organizations may consider addressing ransomware attacks specifically within its response policies and procedures as mitigation actions may vary between different types of incidents.  Quick isolation and removal of infected devices from the network and deployment of anti-malware tools can help to stop the spread of ransomware and to reduce the harmful effects of such ransomware.  Response procedures should be written with sufficient details and be disseminated to proper workforce members so that they can be implemented and executed effectively.  Further, organizations may consider testing their security incident procedures from time to time to ensure they remain effective.  Familiarity with the execution of security incident procedures should reduce an organization’s reaction time and increase its effectiveness when responding to an actual security incident or breach.  Identifying and responding to suspected security incidents is key to mitigating potential harm following an intrusion.
• Contingency Plan (45 C.F.R. §164.308(a)(7)). An effective and robust contingency plan is essential to recover from a ransomware attack.  Proper implementation of this provision will allow an organization to continue to operate critical services during an emergency and recover ePHI.  Because patient health and safety may be impacted, tolerance of system downtime is low and ePHI availability requirements are high.  A covered entity or business associate must backup ePHI and ensure that it is accessible and recoverable in the event of a ransomware attack.  Organizations should keep in mind that threat actors have recently been actively targeting backup systems and backup data to prevent recovery.  Maintaining recoverable, secure, and up-to-date backups is one of the most important safeguards against ransomware attacks.

As OCR states in their newsletter, this is not an exhaustive list of all strategies organizations can or should utilize, but it is a good starting point when reviewing their cybersecurity strategy. You can find the full newsletter here.