Healthcare for Ransom: A Look into the HIPAA Guidelines for Ransomware Incidents

Widespread email phishing campaigns carrying the pervasive ransomware Locky have been hammering businesses across the U.S. and Japan since the beginning of August. According to media reports, the targets are mainly from the healthcare sector, emphasizing the preference of cybercriminals for this particular industry. It's not difficult to see why. Healthcare enterprises carry a wealth of valuable data such as social security numbers and health insurance credentials that cannot easily be replaced, besides patient records that hospitals need to run their daily operations.

Locky is a prevalent threat—according to a Trend Micro report it accounted for 50% of the ransomware detected in Japan during the first half of 2016—but it isn't the only ransomware family used to target healthcare facilities. The ransomware threat as a whole is a current and continuing problem for the healthcare industry—in the United States alone there was a 300% increase in attacks recorded since 2015. The scale of the security incidents seen in 2016 is consistent with what Trend Micro anticipated, based on the position of the healthcare industry in the threat landscape of 2015.

Enterprises dealing with the threat of ransomware, as well as affected entities managing the aftermath, look to the comprehensive guidance provided by the Health Insurance Portability and Accountability Act (HIPAA) for strategies concerning security incident prevention, management, and response. The U.S. Department of Health and Human Services (HHS) has released a detailed factsheet that describes how entities covered by HIPAA should deal with ransomware cases.

The document clearly defines ransomware as a “security incident”, and as such, HIPAA-covered enterprises have to initiate reasonable and appropriate response, reporting, and recovery procedures.

To determine the appropriate response, every incident should be assessed immediately. Enterprises must first determine the scope of the incident, its origin, whether it is still ongoing, and how it occurred. A vital part of the analysis is assessing whether or not there was a breach of Protected Health Information (PHI), since that could be a violation of the HIPAA Privacy Rule that triggers wide-ranging notification procedures.

Comply with HIPAA standards to prevent incidents

An ounce of prevention is worth a pound of cure. Compliance with the HIPAA security guidelines can help enterprises avoid the monumental difficulties of dealing with ransomware. One particular obligation emphasized by HIPAA is adequate security and awareness preparation for the workforce. Everyone in the enterprise, from the CEO down, can be exposed to ransomware and is a potential victim. Most cases actually start with a user being conned by a malicious attachment to a blandly titled email, so educating users about these schemes is a worthwhile investment.

Aside from security training, here are some practices outlined by HIPAA:

  • Conduct a thorough risk analysis to define potential vulnerabilities and threats to your network and PHI, then take appropriate steps to mitigate those risks
  • Install procedures to guard against and detect malicious software
  • Limit access of people and programs to PHI

HIPAA outlines the minimum of what enterprises are required to do to secure their data, but implementing additional and more thorough security measures is very much encouraged.

Evaluate the probability of PHI compromise to determine breach status

Ransomware doesn’t typically equate to a breach, since the aim of ransomware is to encrypt data, not to expose it. However, when electronic PHI (ePHI) is encrypted by ransomware, it is considered accessed, or “acquired”, by an unauthorized individual, and so becomes a “disclosure” which is not permitted under the HIPAA Privacy Rule. Because of that, the rules for breaches can apply to ransomware incidents.

If an entity is infected with ransomware, the incident is presumed to be a data breach unless it can be demonstrated that there is a “low probability that the PHI has been compromised”. If “low probability” is not established, then the entity must comply with the Breach Notification Rule and follow the provisions applicable to the size of the breach.

To evaluate the extent of the breach and determine “low probability” of PHI compromise, four factors have to be assessed according to HIPAA:

  • the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • the unauthorized person who accessed or used the PHI, or to whom the disclosure was made
  • whether the PHI was actually acquired or viewed
  • the extent to which the risk to the PHI has been mitigated

The process of determining low probability has to be thorough. Covered entities and their business associates must also sufficiently document their analysis to meet the burden of proof regarding the breach assessment.

If it’s determined that a breach occurred, then the entity has to comply with the applicable HIPAA breach notification provisions: informing affected individuals without unreasonable delay, informing the Secretary of HHS, and—if over 500 individuals were affected—notifying the media.

Risk assessment and notification are only required for unsecured PHI

HIPAA does not require risk assessment or breach notification for secured PHI, which is ePHI that is encrypted according to a set of standards that ensure the data is indecipherable to unauthorized parties. Encryption is a vital part of any enterprise’s data protection strategy.

However, in the event of a security incident, entities have to be sure that the encryption actually held. Has all of the affected PHI really been rendered unreadable, unusable, and indecipherable to unauthorized persons?

For example, full disk encryption might render data on a laptop indecipherable to unauthorized parties when it is powered down, but what if the laptop is on? Once the operating system is loaded and the volume is unlocked, the disk is decrypted transparently for every process running on the machine, so the files can be accessed by unauthorized users and by any malware that runs in that session. If a ransomware attack occurs at this moment, the files are considered “unsecured PHI” and a breach is presumed under the HIPAA Breach Notification Rule. Entities have to be certain about the status of their PHI before moving forward with any security plans or notification procedures.

HIPAA requires a robust plan for ransomware response and recovery

One of the first steps entities should take after a ransomware attack is determining the type of malware that has hit them. Identifying the particular strain will help responders understand the behavior of the threat: whether it is still propagating in the system, what data it is targeting, whether it will attempt to exfiltrate data, whether it will drop more malicious software, or other actions.

A solid contingency strategy, including a comprehensive data backup plan, is also a requirement of HIPAA’s Security Rule. Once the plan is activated, business operations should continue while the entity manages the ransomware attack.

Further HIPAA guidance also prompts entities to take these actions:

  • conduct an analysis of the ransomware
  • contain the impact and propagation of the ransomware
  • completely eliminate the ransomware and mitigate or remediate the vulnerabilities that permitted the attack and its propagation
  • recover lost data and resume business
  • conduct post-incident analysis and determine if the entity has any regulatory, contractual, or other obligations as a result of the incident
  • incorporate new discoveries into incident management processes to improve security

Entities should also think about offering affected clients some assistance or service following a ransomware attack, though it is not part of the standards set by HIPAA. When Colorado-based healthcare provider Allergy, Asthma & Immunology of the Rockies, P.C. (AAIR) suffered a breach that exposed personal data of 7000 patients, they were quick to respond. The company offered affected clients year-long identity protection services, including credit monitoring, insurance, data theft protection, and customer support via a dedicated service team.

HIPAA provides enterprises with thorough guidance for handling ransomware, from prevention tactics to response and recovery plans. Complying with all the standards set by HHS will help entities manage security incidents smoothly, but going above and beyond the requirements is an even better approach. Enterprises should use a comprehensive combination of solutions that covers breach detection, data loss prevention, compliance auditing and demonstration, securing legacy systems, cloud security, and the protection of devices, endpoints, and data.
