Ransomware Alert and Guidance for Health Centers
Updated 10/29/2020 with Ransomware Alert Notification and Documentation from CISA
Introduction
Ransomware is a type of malware that takes control over a computer or computer system by encrypting all the data on the drive. The data is then held at ransom until a predetermined cost is paid. Due to the use of cryptocurrencies (e.g., bitcoins) for payment it is difficult to track those demanding the ransom making it tough to prosecute.
Problem Statement
A rapid increase in the computerization of health care organizations, many without the capacity to keep up to date with the extensive privacy and security measures required, has made them targets for cyber-criminals. In the last couple of years there have been numerous ransomware attacks that has held critical hospital data at ransom.
Health Centers may be perceived as more vulnerable targets by cyber-criminals due to a potentially smaller IT staff and older set of IT infrastructure (e.g., operating systems without latest security updates). To make things worse, a decrease in the black market price of health data has increased hackers needs to pursue ransom from further providers.
Recent Alerts and Examples in the News
Ransomware Activity Targeting the Healthcare and Public Health Sector - Alert (AA20-302A)
- https://us-cert.cisa.gov/ncas/alerts/aa20-302a
Ransomware Protection Strategies from the Cybersecurity and Infrastructure Security Agency (CISA)
- https://www.us-cert.gov/ncas/current-activity/2019/09/06/ransomware-protection-strategies
WannaCry Ransomware Alert
- https://www.us-cert.gov/ncas/alerts/TA17-132A
Security report - Nearly 90 percent of ransomware attacks target healthcare
–http://www.hiewatch.com/news/security-report-nearly-90-percent-ransomware-attacks-target-healthcare
Ransomware Transmission
- E-mails posing as legitimate business or tempting links
- Trojans acting as update requests
- Anti-Virus programs patches and updates
- Windows system updates
- False “You’ve got a virus” notifications
- Gaining access by exploiting known network or security software vulnerabilities
Ransomware & HIPAA Implications
OCR states that whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.6
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.
Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.
Find links and further documentation below
50680
| Intended Audience | health center IT staff, CIO, Health Center Staff, Health Center Leadership, threat intelligence |
Resource Links
-
Ransomware Protection Strategies from CISAThe Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the Nation. Helping organizations protect themselves from ransomware is a chief priority for CISA.
-
HIS Talk WannaCry Threat Intelligence BriefingDuring this webinar, John Gomez (a healthcare focused cybersecurity researcher) will provide an in-depth analysis of the current state of wannacry as well as a technical review of how it operates and possible go-forward cybersecurity impacts. John will also present technical and regulatory counter-measures you should consider, specific to healthcare organizations.
-
Archived webinar from HIMSS on Preventing and Dealing with Ransomware Attacks: How to Keep Your Data SafeThe recent global ransomware attacks have revealed weaknesses in many organizations’ security plans. The global nature of the attacks demonstrate how easy it is for criminals to target health records for either profit or malicious reasons. And it confirms that the danger of cyber-attacks will not end any time soon. This webinar, presented by noted ethical hacker Kevin Johnson, will provide insight into how hackers identify vulnerabilities and provide specific advice to help you prepare a line of
-
HIMSS Learning Center recording of the presentation called Protecting Medical IoT Devices: Lessons Learned from WannaCry and NotPetyaAs WannaCry and NotPetya have demonstrated, connected medical devices in operation today were not designed with security in mind. In fact, many were not initially designed to be networked and certainly not exposed to the Internet. EMR and other initiatives have accelerated the need to network medical devices at the risk of security exposure. With traditional IT security solutions unable to secure connected medical devices, there are no easy answers to address the risk to the millions of devices
-
A link to the Healthcare IT News article titled "SamSam ransomware hackers still targeting healthcare, HHS warns"The destructive ransomware strain SamSam is still pummeling the healthcare sector, and hackers using it have hit at least eight separate targets in the government and healthcare sectors this year, according to an alert from the U.S. Department of Health and Human Services.
-
SamSam Ransomware Guidance from the United States Computer Emergency TeamThe Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.