Guest post by Rachel V. Rose, JD, MBA, principal, Rachel V. Rose – Attorney at Law, PLLC.
Why should physicians and providers care about the possibility of a ransomware attack? There are several reasons. First, it is disruptive both to patient care and to the revenue cycle. Second, it is costly in terms of time, IT capital, and if the attacker is paid, money. Finally, the time it takes to correct the attack, implement paper charting and communication, and subsequently revise the electronic medical record system can be arduous.
To understand the necessary precautionary measures and what to do in the event of an attack, it is first necessary to identify what ransomware is and how it works. A common definition of ransomware is “a type of malicious software designed to block access to a computer system until a sum of money is paid.” A ransomware attack may target a business or an individual. The two categories of attacks are Denial of Service (“DoS”) and Distributed Denial of Service (“DDoS”). A DoS attack affects a single computer and a single internet connection, while a DDoS attack involves multiple computers and connections. According to PC World, three types of ransomware programs top the list – CTB-Locker, Locky and TeslaCrypt.
A common question that arises is whether or not to pay the ransom in order to have the data returned. The FBI advises against paying the ransom, advice that is echoed by the statistics.
“Kaspersky’s research revealed that small and medium-size businesses were hit the hardest, 42 percent of them falling victim to a ransomware attack over the past 12 months. Of those, one in three paid the ransom, but one in five never got their files back, despite paying. Overall, 67 percent of companies affected by ransomware lost part or all of their corporate data and one in four victims spent several weeks trying to restore access.”
This leads us to the best ways to defend against an attack, as well as steps that should be taken if an attack occurs.
Proactive steps include: educating employees about social engineering, phishing and spear phishing, continuously making sure that software updates are installed, creating a layered approach to security defenses, limiting access to the network, making sure that policies and procedures are comprehensive and updated, and ensuring that data is backed up daily.
According to FBI Cyber Division Assistant Director, James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.” Hence, recognizing the avenues that cybercriminals use to gain access and taking appropriate administrative, physical, and technical precautions can reduce the risk of an attack.
Because physicians and other providers, who are considered covered entities under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), are subject to the Breach Notification Rule, and given the prevalence of ransomware attacks, the U.S. Department of Health and Human Services (“HHS”) provided guidance. “A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300 percent increase over the 1,000 daily ransomware attacks reported in 2015).”
The appropriate safeguards are found in the security rule and should be part of every annual risk assessment. An adequate contingency plan and data back-up storage that is not connected to the network are crucial. A ransomware attack should be assessed like any other breach; under the rules, a breach is defined as: “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402; see also Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Once a breach has been discovered, the next step is to determine the probability of the data being compromised. The four factors identified in 45 C.F.R. 164.402(2) must be utilized to determine the probability: 1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; 2. the unauthorized person who used the PHI or to whom the disclosure was made; 3. whether the PHI was actually acquired or viewed; and 4. the extent to which the risk to the PHI has been mitigated. The preventative steps, and those used to determine the probability that the protected health information’s confidentiality, integrity, and availability have been disrupted, are the same as in a non-ransomware scenario.
If an attack does occur, take the following steps: 1. disconnect the affected computer from the network; 2. have the appropriate IT personnel perform a scan and remove/install the appropriate software; 3. access the secure back-ups, which were not connected to the computers or the networks and have been continuously vetted to make sure that the confidentiality and integrity of the data have been preserved; and 4. follow the HIPAA breach notification protocols and the HHS guidance for a ransomware attack. Lastly, just like heart disease, the best way to protect against a ransomware attack is prevention.