X
Search All HITEQ Content
Ransomware Guidance Presentation for Health Centers

Ransomware Guidance Presentation for Health Centers

Updated with Ransomware Strategies from CISA

Introduction

Ransomware is a type of malware that takes control over a computer or computer system by encrypting all the data on the drive. The data is then held at ransom until a predetermined cost is paid. Due to the use of cryptocurrencies (e.g., bitcoins) for payment it is difficult to track those demanding the ransom making it tough to prosecute.

Problem Statement

A rapid increase in the computerization of health care organizations, many without the capacity to keep up to date with the extensive privacy and security measures required, has made them targets for cyber-criminals. In the last couple of years there have been numerous ransomware attacks that has held critical hospital data at ransom.

Health Centers may be perceived as more vulnerable targets by cyber-criminals due to a potentially smaller IT staff and older set of IT infrastructure (e.g., operating systems without latest security updates). To make things worse, a decrease in the black market price of health data has increased hackers needs to pursue ransom from further providers.

Recent Alerts and Examples in the News

Ransomware Protection Strategies from the Cybersecurity and Infrastructure Security Agency (CISA)

https://www.us-cert.gov/ncas/current-activity/2019/09/06/ransomware-protection-strategies

WannaCry Ransomware Alert

- https://www.us-cert.gov/ncas/alerts/TA17-132A

Massive Locky ransomware attacks hit U.S. hospitals

http://www.healthcareitnews.com/news/massive-locky-ransomware-attacks-hit-us-hospitals

Security report - Nearly 90 percent of ransomware attacks target healthcare

http://www.hiewatch.com/news/security-report-nearly-90-percent-ransomware-attacks-target-healthcare

Ransomware Transmission

  • E-mails posing as legitimate business or tempting links
  • Trojans acting as update requests
  • Anti-Virus programs patches and updates
  • Windows system updates
  • False “You’ve got a virus” notifications
  • Gaining access by exploiting known network or security softwarae vulnerabilities

Ransomware & HIPAA Implications

OCR states that whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.6

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

Read more on OCR's HIPAA guidance for ransomware by downloading the document provided below.

Previous Article Office Hours with the Prescription Drug Monitoring Program Training and Technical Assistance Center
Next Article eClinicalWorks and Ryan White HIV/AIDS Program Data Management
Print
15294
Intended Audiencehealth center IT staff, CIO, Health Center Staff, Health Center Leadership, threat intelligence

Documents to download

Please login or register to post comments.

Theme picker