Ransomware has proven to be a dangerously effective extortion tool. American businesses experienced an average 4,000 ransomware attacks daily in 2016, a 300% increase over the previous year (PDF). A ransomware attack by itself is bad enough, but for businesses in the healthcare sector ransomware poses some unique challenges.
What is Ransomware?
Although it’s existed in some form since the mid-1990s, hackers’ use of ransomware has recently spiked thanks to readily available distribution and encryption tools. Ransomware infects computers just like other malware: disguised as a legitimate email attachment, embedded in websites or online ads, or even passing directly through vulnerabilities in your business’s network.
The ‘ransom’ part comes after infection, when it locks access to your computer’s files using encryption. To get your files unlocked you must pay the hackers who sent the ransomware, usually with BitCoins or other online currency. Then you sit, wait, and hope they actually follow through.
When is a Ransomware Infection a HIPAA Breach?
As healthcare businesses know, the Health Insurance Portability and Accountability Act (HIPAA) imposes strict regulations on the handling of electronic Protected Health Information (PHI). Given HIPAA’s overall complexity, many businesses assume that determining whether or how to take action regarding ransomware is confusing. It’s not.
A ransomware infection on a computer storing PHI always qualifies as a HIPAA Security Incident. And the ransomware encryption of PHI itself is always a breach.
A breach under HIPAA is defined as, “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” So no matter what, if PHI on your business’s computers is encrypted by ransomware, you must consider it a breach.
What Your Business Can Do
Fortunately, by adhering to HIPAA’s Security Rule your business greatly reduces the risk of a ransomware compromise. The Security Rule is detailed and comprehensive, but there are a few broad, key takeaways:
- Train your staff to avoid computing behaviors that increase your business’s risk of a compromise, ransomware or otherwise. Such as opening unexpected email attachments or downloading unfamiliar software onto business PCs.
- Deploy endpoint security software to every desktop and laptop that accesses your business network.
- Deploy a compliant backup system so you can recover data lost in any security incident.
- Restrict access to PHI on your business’s network to the minimum necessary.
- Implement a management process for all IT security incidents so they are handled in a thorough, organized manner.
If a ransomware compromise does occur, it is equally important to follow thorough best practices.
- Determine the scope of the compromise. Was just one desktop infected? A whole office network? Your file servers?
- Identify the origin of the attack. Did it come from a fake email attachment, a malicious website, or another source?
- Determine whether the ransomware is still spreading on your business’s network, or to colleagues and clients. Notify all parties immediately so they may also take action.
- Have Information Security personnel eliminate each occurrence of the ransomware on your business’s network.
- Restore data lost in the compromise from backup sources.
- When necessary, complete HIPAA’s breach notification process.
Get Expert Assistance
Handling any HIPAA compromise can be a challenging and expensive process. But you can rest easy when your business has prevention and remediation processes in place. Contact Intrinium’s security experts today for a HIPAA Risk Assessment or for rapid Incident Response.