June 16, 2016

HIPAA: The Ransomware Debate and What To Do About This Threat

With a reported 112 million healthcare records breached in 250 separate security incidents last year, you wouldn’t think it could get much worse.

Protected health information (PHI) is very profitable, and the financial and retail industries have improved their defenses substantially, so cyber criminals are shifting their targets away from those sectors and aiming even more at healthcare.

Ransomware, a type of malicious software, is one of the biggest issues.  

The newly released 6th Annual Benchmark Study on Privacy & Security of Healthcare Data identifies ransomware as one of the top cyber threats facing healthcare organizations today.

A report released by the Institute for Critical Infrastructure Technology (ICIT) warned that 2016 would be the year of ransomware.  

Ransomware infects a PC and restricts access to systems and information – unless a ransom is paid. Most ransomware is spread through links in spear phishing emails or through drive-by downloads.

In a hospital or healthcare facility, ransomware can affect operations and patient care and safety.   

One interesting question being debated is whether or not ransomware constitutes a data breach under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA was designed to protect patients against the loss, theft or breach of their protected health information (PHI). A Breach Notification Rule requires HIPAA covered entities to provide notification following a breach of unsecured PHI.

Some industry experts say a ransomware attack doesn’t violate HIPAA’s disclosure restrictions because PHI is never actually accessed.

Other industry experts say ransomware attacks do qualify as a data breach because the entire system that contains PHI is under the control of a criminal.

Regardless, the healthcare industry has to improve its defenses against ransomware. Here are some ways to protect your business:

Layered defense
Secure vulnerable endpoints (hard drives, email, web, and others) as part of a layered defense strategy, according to ICIT. Use different hardware and software solutions including the latest malware and anti-virus safeguards. Put strong detection technologies in place too.  

On-going education
Employees must understand ransomware threats. “All it takes is one uneducated system user” to let malicious code into the system, said one industry observer.

Back up
Ransomware is successful when organizations have no choice but to pay in order to get their data back. As part of a comprehensive data management process, back up data regularly and store information in a secure and digitally isolated location.
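The backup advice above turns on two things a practitioner has to be able to check: that a backup copy is still intact, and that the live data being backed up has not already been bulk-encrypted (otherwise the next backup run overwrites good copies with ciphertext). The script below is an added example, not code from the original post or from any product it mentions; it writes each backup into a timestamped directory with a SHA-256 manifest, verifies a backup against that manifest, and measures how much of the live data has changed since the last run so the backup job can refuse to proceed when nearly everything has been rewritten at once. The 50% threshold, the directory layout, and the sample records it creates in a temporary directory are constructed assumptions; the isolated storage the post recommends would be the destination mount, attached only for the backup window.

```python
"""Versioned backups with a hash manifest, plus a change-rate check that flags the
mass-rewrite pattern of a ransomware outbreak. Added example; layout and
threshold are assumptions, not part of the original post."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, dest_root: Path, label: Optional[str] = None) -> Path:
    """Copy source into dest_root/<label>/data and write manifest.json beside it.
    dest_root is meant to be the isolated location (a mount attached only while the
    backup runs); a fresh directory per run keeps earlier versions untouched."""
    label = label or time.strftime("%Y%m%dT%H%M%S")
    target = dest_root / label
    shutil.copytree(source, target / "data")
    manifest = build_manifest(target / "data")
    (target / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return target


def verify_backup(backup: Path) -> List[str]:
    """Return the relative paths whose digest no longer matches the manifest
    (missing files included). An empty list means the backup copy is intact."""
    manifest = json.loads((backup / "manifest.json").read_text())
    data = backup / "data"
    return [rel for rel, digest in manifest.items()
            if not (data / rel).is_file() or sha256_of(data / rel) != digest]


def changed_fraction(live: Path, last_manifest: Dict[str, str]) -> float:
    """Fraction of files from the previous manifest that are now modified or missing.
    Normal work changes a few files between runs; bulk encryption changes almost all."""
    if not last_manifest:
        return 0.0
    changed = sum(1 for rel, digest in last_manifest.items()
                  if not (live / rel).is_file() or sha256_of(live / rel) != digest)
    return changed / len(last_manifest)


def should_halt_backup(live: Path, last_manifest: Dict[str, str], threshold: float = 0.5) -> bool:
    """Refuse to back up when the change rate looks like mass encryption, so the
    known-good copies are not rotated out in favour of ciphertext."""
    return changed_fraction(live, last_manifest) >= threshold


def run_demo() -> Dict[str, object]:
    """Build a constructed scenario (sample text files, not real PHI) in a temp
    directory and exercise backup, verification and the change-rate check."""
    base = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    live, backups = base / "live", base / "backups"
    live.mkdir()
    backups.mkdir()
    for i in range(4):
        (live / f"record{i}.txt").write_text(f"constructed sample record {i}\n")
    first = make_backup(live, backups, label="run1")
    manifest = json.loads((first / "manifest.json").read_text())
    intact = verify_backup(first)                       # [] : copy matches manifest
    (first / "data" / "record0.txt").write_text("garbage")   # simulate a damaged copy
    tampered = verify_backup(first)                     # ['record0.txt']
    for p in live.iterdir():                            # simulate bulk encryption
        p.write_bytes(os.urandom(32))
    frac = changed_fraction(live, manifest)             # 1.0
    halt = should_halt_backup(live, manifest)           # True
    shutil.rmtree(base)
    return {"intact": intact, "tampered": tampered, "changed_fraction": frac, "halt": halt}


if __name__ == "__main__":
    print(run_demo())
```

Run it as a script to see the four results; in a real job the manifest from the previous run is what `changed_fraction` compares against, and a halt should page an operator rather than silently skip the backup.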

Contingency plans
The entire facility should be trained in prevention and detection. Staff should know how to use paper records if computers are down. Also, have a breach response plan in place, and test the plan.

Share information
The Cybersecurity Information Sharing Act of 2015 is creating a framework for exchanging information about cybersecurity threats across numerous industries, including healthcare.

Information destruction
Keep only the confidential information that is necessary. Do not stockpile confidential data or hard drives. Securely dispose of all confidential information that is no longer needed. Partner with a document destruction leader that helps protect the workplace with secure hard drive destruction and other services.

Keeping the workplace tidy and de-cluttered is another document security strategy that all hospitals and medical facilities can benefit from.