Ransomware Attacks Put Hospitals at Risk in a Variety of Ways
October 10th, 2016
WASHINGTON, DC -- A recent federal interagency report indicates that, on average, 4,000 daily ransomware attacks have occurred since early 2016 — a 300% increase over the 1,000 daily ransomware attacks reported in 2015.
As if the prospect of a ransomware attack were not disturbing enough for hospital administrators, given that medical facilities are among the most frequently targeted organizations, an incident also could put the institution in violation of HIPAA.
That information is contained in a new fact sheet provided by the U.S. Department of Health and Human Services (HHS). The document defines ransomware as a technique to exploit human and technical weaknesses to gain access to an organization’s technical infrastructure in order to deny the organization access to its own data by encrypting that data.
On the other hand, HHS offers reassurance that there are measures known to be effective both in preventing the introduction of ransomware and in recovering from a ransomware attack.
“This document describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role HIPAA has in assisting HIPAA-covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack,” according to the fact sheet introduction.
The information is structured in a question-and-answer format. For example, in answer to the question, “What is ransomware?” the following answer is provided: “Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key. However, hackers may deploy ransomware that also destroys or exfiltrates data, or ransomware in conjunction with other malware that does so.”
The HHS document also includes some practical advice on topics such as detecting a ransomware attack while in progress. It suggests the following can be indicators:
- a user’s realization that a link that was clicked on, a file attachment opened, or a website visited may have been malicious in nature,
- an unexplained increase in CPU and disk activity (due to the ransomware searching for, encrypting and removing data files),
- an inability to access certain files as the ransomware encrypts, deletes, and renames and/or relocates data, and
- detection of suspicious network communications between the ransomware and the attackers’ command and control server(s). This would most likely be detected by IT personnel via an intrusion detection or similar solution.
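As an added example (not code from the HHS fact sheet or this article), the following Python script illustrates the "files renamed or relocated in bulk" indicator from the list above by running over a constructed file-event log. The log format, the process names and the alerting thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-event log (not from the fact sheet), one event per line:
#   <ISO timestamp> <process> <RENAME|WRITE|DELETE> <path> [<new path>]
# "update_helper.exe" is a made-up process name standing in for the malware.
SAMPLE_LOG = """\
2016-10-10T09:00:01 winword.exe WRITE C:/Users/rn/Documents/notes.docx
2016-10-10T09:00:03 update_helper.exe RENAME C:/Share/Radiology/img001.dcm C:/Share/Radiology/img001.dcm.locked
2016-10-10T09:00:03 update_helper.exe RENAME C:/Share/Radiology/img002.dcm C:/Share/Radiology/img002.dcm.locked
2016-10-10T09:00:04 update_helper.exe RENAME C:/Share/Radiology/img003.dcm C:/Share/Radiology/img003.dcm.locked
2016-10-10T09:00:04 update_helper.exe RENAME C:/Share/Radiology/img004.dcm C:/Share/Radiology/img004.dcm.locked
2016-10-10T09:00:05 update_helper.exe WRITE C:/Share/Radiology/HOW_TO_RECOVER.txt
2016-10-10T09:00:07 excel.exe RENAME C:/Users/rn/Documents/~$budget.xlsx C:/Users/rn/Documents/budget.xlsx
2016-10-10T09:30:00 backup.exe RENAME C:/Backups/db.bak C:/Backups/db.bak.old
this line is malformed and is skipped by the parser
"""
EVENT_RE = re.compile(r"^(\S+) (\S+) (RENAME|WRITE|DELETE) (\S+)(?: (\S+))?$")

def parse_events(log_text):
    """Return (timestamp, process, action, path, new_path) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, proc, action, path, new_path = m.groups()
            events.append((datetime.fromisoformat(ts), proc, action, path, new_path))
    return events

def find_mass_rename(events, window=timedelta(seconds=60), min_count=4, min_share=0.8):
    """Return {process: extension} for each process renaming >= min_count files inside
    `window` where >= min_share of the new names share one extension. The thresholds
    are assumed starting points; baseline them against normal activity first."""
    recent = defaultdict(deque)  # process -> sliding window of (time, new extension)
    alerts = {}
    for ts, proc, action, _path, new_path in sorted(events, key=lambda e: e[0]):
        if action != "RENAME" or new_path is None:
            continue
        q = recent[proc]
        q.append((ts, new_path.rsplit(".", 1)[-1].lower()))
        while ts - q[0][0] > window:  # drop renames that fell out of the window
            q.popleft()
        if len(q) >= min_count:
            ext, n = Counter(e for _, e in q).most_common(1)[0]
            if n / len(q) >= min_share:
                alerts[proc] = ext
    return alerts
```

Run against the sample log, `find_mass_rename(parse_events(SAMPLE_LOG))` flags only the bulk renamer and its new extension, while the single legitimate renames by Excel and the backup job stay below the threshold.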
The immediate response by a hospital should be to activate its security incident response plan and isolate the infected computer systems in order to halt propagation of the attack, according to the fact sheet. It also recommends that the local FBI or Secret Service field office be notified.
On recovery, the federal agency states that, because ransomware denies access to data, maintaining frequent backups and ensuring that data can actually be restored from those backups is crucial.
HHS recommends that test restorations be conducted periodically to verify the integrity of backed-up data and to provide confidence in an organization’s ability to restore it.
“Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and unavailable from their networks,” the document continues.
In fact, it says, implementing a data backup plan is a Security Rule requirement for HIPAA-covered entities and business associates as part of maintaining an overall contingency plan.
Based on HIPAA requirements, the fact sheet says hospitals and other facilities also should have processes for post-incident activities. These could include a deeper analysis of the evidence to determine whether any regulatory, contractual, or other obligations arise from the incident, and incorporating lessons learned into the overall security management process to improve the response to future security incidents.
Part of that analysis would be assessing whether there was a breach of protected health information, which could be an impermissible disclosure that violates the Privacy Rule.