Ransomware Alert and Guidance for Health Centers

51581
Ransomware Alert and Guidance for Health Centers

Updated 10/29/2020 with Ransomware Alert Notification and Documentation from CISA

Introduction

Ransomware is a type of malware that takes control over a computer or computer system by encrypting all the data on the drive. The data is then held at ransom until a predetermined cost is paid. Due to the use of cryptocurrencies (e.g., bitcoins) for payment it is difficult to track those demanding the ransom making it tough to prosecute.

Problem Statement

A rapid increase in the computerization of health care organizations, many without the capacity to keep up to date with the extensive privacy and security measures required, has made them targets for cyber-criminals. In the last couple of years there have been numerous ransomware attacks that has held critical hospital data at ransom.

Health Centers may be perceived as more vulnerable targets by cyber-criminals due to a potentially smaller IT staff and older set of IT infrastructure (e.g., operating systems without latest security updates). To make things worse, a decrease in the black market price of health data has increased hackers needs to pursue ransom from further providers.

Recent Alerts and Examples in the News

Ransomware Activity Targeting the Healthcare and Public Health Sector - Alert (AA20-302A)

https://us-cert.cisa.gov/ncas/alerts/aa20-302a

Ransomware Protection Strategies from the Cybersecurity and Infrastructure Security Agency (CISA)

https://www.us-cert.gov/ncas/current-activity/2019/09/06/ransomware-protection-strategies

WannaCry Ransomware Alert

- https://www.us-cert.gov/ncas/alerts/TA17-132A

Security report - Nearly 90 percent of ransomware attacks target healthcare

http://www.hiewatch.com/news/security-report-nearly-90-percent-ransomware-attacks-target-healthcare

Ransomware Transmission

  • E-mails posing as legitimate business or tempting links
  • Trojans acting as update requests
  • Anti-Virus programs patches and updates
  • Windows system updates
  • False “You’ve got a virus” notifications
  • Gaining access by exploiting known network or security software vulnerabilities

Ransomware & HIPAA Implications

OCR states that whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.6

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

 

Find links and further documentation below

Documents to download

Previous Article Federal Activities and Approaches to Advance Social Determinants of Health Data Use and Interoperability in Support of Community Health Centers
Next Article Implementing Opt-Out HIV Screening in Your Health Center
Intended Audiencehealth center IT staff, CIO, Health Center Staff, Health Center Leadership, threat intelligence