In the wake of several high-profile healthcare ransomware incidents, the Health and Human Services (HHS) Office for Civil Rights (OCR) has released guidance on its expectations for covered entities.
Ransomware is a sophisticated piece of malware designed to block access to user files. In some cases the malware encrypts data and demands a ransom; in others, data may be destroyed or transferred to another location (exfiltrated). The earliest record of ransomware dates back to 1987, when floppy disks were used to infect systems and demand a $189 payment to an offshore post office box. The introduction of electronic payment and the evolution of encryption technology have enabled the proliferation of this epidemic. New strains are discovered at an alarming rate, making them more difficult to defend against.
Ransomware finds its way onto systems when users visit untrusted sites or launch attachments received in email. Years ago, these emails were more easily spotted because of grammatical errors and oddly formatted graphics. Today’s polished cyber criminals make it very difficult to distinguish their emails from those of legitimate sources. Equally concerning is the speed at which ransomware spreads once it infects a system. In most cases the malware will begin encrypting files within a few minutes of infection. Once the system is compromised, the only options are restoring data from backups or paying the ransom.
OCR’s guidance begins with making sure covered entities are doing all they can to prevent the introduction of malware, including ransomware. The cornerstone of a security management process is conducting a security risk analysis to identify threats and vulnerabilities to ePHI, followed by implementing a system of security measures to mitigate or remediate the identified risks. Malware and ransomware are risks that should be identified and mitigated through procedures that can include the following:
- Updated antimalware software
- Regular training for users to protect against, detect and report malicious software
- Implementing access controls to limit ePHI access to only those who require it
OCR makes it clear that covered entities and business associates are required to use risk analysis and risk management not only to satisfy the Security Rule, but also to implement security measures that reduce identified risks to a reasonable and appropriate level.
Recently, a medical center’s health data was held hostage by a ransomware attack. Presbyterian Medical Center, based in Los Angeles, suffered a week-long outage that forced staff to communicate through paper and faxes. This illustrates how ransomware can force an enterprise to activate its contingency and business continuity plans in order to maintain business operations while continuing to respond to and recover from the attack. It is imperative that entities have confidence in the maintenance and activation of these plans.
The presence of ransomware in a system is a security incident under the HIPAA Security Rule. Covered entities and business associates are required to develop and implement security incident procedures and response/reporting processes to respond to these attacks, including the following steps:
- Determine the scope of the incident
- Determine the origination of the incident
- Determine whether the incident is finished, is ongoing, or has caused additional incidents
- Contain the impact of the incident
- Eradicate the instances of ransomware and remediate or mitigate the source of the attack
- Recover from the incident, including restoration of data and a return to a “business as usual” state
- Conduct post-incident activities aimed at a deeper analysis of the incident
The final step of the process is a deep analysis of the incident to determine whether the ransomware resulted in an impermissible disclosure of PHI in violation of the Privacy Rule. PHI being encrypted as a result of ransomware is considered a disclosure, since unauthorized individuals have taken possession or control of the information. Unless the covered entity or business associate can demonstrate that there is a low probability the PHI has been compromised, based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. In making the determination of “low probability”, the covered entity or business associate must thoroughly evaluate all the evidence gathered and make a “good faith” determination. Identifying which strain of ransomware was involved will help the entity understand the programming and algorithmic steps the malware takes, such as propagating to other systems, exfiltrating data or hiding additional malware in the system. Furthermore, entities must maintain supporting documentation sufficient to meet their burden of proof regarding this determination.
Encryption of the systems housing the data will not always exempt the entity from the burden of the above determination in the case of a ransomware attack. Many full disk encryption solutions render the affected PHI unreadable, unusable and indecipherable to unauthorized users once the system is powered down. Once the system is powered up and running, these solutions transparently decrypt and encrypt the data accessed by the user. If that user clicks on and loads ransomware, the malware runs with the same access levels granted to the user, and the system transparently decrypts the PHI for it. Because the file containing PHI was decrypted and unsecured at the time the ransomware accessed it, an impermissible disclosure of PHI was made and a breach is presumed.
The guidance released by OCR provides valuable insight into OCR’s expectations of how covered entities and business associates should prepare for, react to and recover from ransomware incidents. Covered entities and business associates should ensure their security risk analysis considers the vulnerability of PHI to the threats of ransomware and malware. Internal policies and procedures should be reviewed to ensure that tested backup procedures exist and that training for users on identifying and preventing malware is in place. Finally, incident response procedures should include the audit trails necessary to identify the specific ransomware and to produce evidence demonstrating the probability that the PHI was compromised.
It is our responsibility to protect our patient data from unauthorized disclosure. That’s why we strive to make sure our clients prepare for the increased threat cyber criminals pose in today’s digital age. Establishing and updating your risk management program is the key to preparing for these threats. At minimum, your program should include periodic risk assessments, implementation of mitigation processes and procedures, tested business continuity and backup processes, user training, incident response procedures and audit trails. Healthcare information has become a primary target for cyber criminals. The dramatic proliferation of ransomware we see each day makes one thing certain: time is not on your side!
- Christ Floros, Managing Consultant, Security and Compliance at Itentive Healthcare Solutions