What is ransomware?
Ransomware is a type of malicious software, known as malware, designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.
How to detect if your computer systems are infected?
Unless ransomware is detected and propagation halted by your malicious software protection or other security measures, you would typically be alerted to the presence of ransomware only after the ransomware has encrypted the user’s data and alerted the user to its presence to demand payment.
Indicators of an attack could include:
- • A user’s realization that a link they clicked on, a file attachment opened, or a website visited may have been malicious in nature
- • An increase in activity in the central processing unit (CPU) of a computer and disk activity for no apparent reason (example: ransomware searching for, encrypting and removing data files)
- • An inability to access certain files as the ransomware encrypts, deletes and re-names and/or re-locates data
- • Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (this would most likely be detected by IT workforce member via an intrusion detection or similar solution)
If you believe you’re under a ransomware attack you should immediately activate your security incident response plan. Ensure your plan includes measures to isolate the infected computer systems in order to halt further propagation of the attack.
Additionally, it is recommended that if you’re infected with ransomware contact their local FBI or United States Secret Service field office. These agencies work with federal, state, local and international partners to pursue cyber criminals globally and assist victims of cyber crime.
What to do if your computer systems are infected?
The presence of ransomware (or any malware) on a CE’s or BA’s computer system is a security incident under the HIPAA Security Rule.
A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the CE or BA must initiate their security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).
HIPAA CE’s and BA’s are required to develop and implement security incident procedures and response and reporting processes that they believe are reasonable and appropriate to respond to malware and other security incidents, including ransomware attacks.
An entity’s security incident response activities should begin with an initial analysis to:
- • Determine the scope of the incident to identify what networks, systems, or applications are affected
- • Determine the origination of the incident (who/what/where/when)
- • Determine whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment
- • Determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited)
These initial steps should assist the entity in prioritizing subsequent incident response activities and serve as a foundation for conducting a deeper analysis of the incident and its impact. Subsequent security incident response activities should include steps to:
- • Contain the impact and propagation of the ransomware
- • Eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation
- • Recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations
Part of a deeper analysis should involve assessing whether or not there was a breach of Protected Health Information (PHI) as a result of the security incident. The presence of ransomware (or any malware) is a security incident under HIPAA that may also result in an impermissible disclosure of PHI in violation of the Privacy Rule and a breach, depending on the facts and circumstances of the attack. See the definition of disclosure at 45 C.F.R. 160.103 and the definition of breach at 45 C.F.R. 164.402.
Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details, they expect it to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?