Ghost in the Machine: Ransomware's Impact on HIPAA Compliance


Transcript of Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

Page 1: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

Page 2: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

Enter the Ghost: Ransomware Hits the System

An employee opens a suspicious email, an individual visits an infected website, or some other triggering event occurs

Suddenly an error message pops up:

What should you do?

What is the HIPAA impact?

Image from https://www.fireeye.com/blog/threat-research/2015/05/teslacrypt_followin.html

Page 3: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

Response to Ransomware:

Panic?

Practical Issues:
1. Should the ransom be paid?
2. Are files completely locked down?
3. What files can be recovered?
4. What does this mean for the IT system?
5. What will the public think?

HIPAA Expectations:
1. Is it a breach?
   a) Presumption is yes
2. Must perform a risk assessment
   a) Outcome determines who, if anyone, needs to be notified

Image from http://www.catherinecavendish.com/2014/08/a-ghost-in-machine.html

Page 4: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

HIPAA and Ransomware Response

• Preparation should begin before ransomware strikes
• Ransomware provides a basis to spur/encourage evaluation
• Regulations provide a basis for a plan of attack

Image from ww.foxgrp.com/blog/ransomware

Page 5: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

How to Prepare

Remember what good HIPAA Security Compliance starts with:
• Risk Analysis
   o Sets baseline for protections to put into place
   o Reveals full scope of weaknesses, vulnerabilities, likelihood of threats and more
   o Build complete plan from here

Image from http://it.toolbox.com/blogs/data-protection/hipaa-security-risk-analysis-tips-get-er-done-52848

Page 6: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

Key Elements of HIPAA Security Rule

Certain Security Rule policies can help mitigate ransomware risk (the Security Rule is codified at 45 CFR Part 164, Subpart C, not Title 42):
• Access Authorization (45 CFR § 164.308(a)(4)(ii)(B))
• Protection from Malicious Software (45 CFR § 164.308(a)(5)(ii)(B))
• Contingency Plan (45 CFR § 164.308(a)(7))
   • Includes: (i) Data Backup Plan, (ii) Disaster Recovery Plan, and (iii) Emergency Mode Operation Plan
• Encryption (45 CFR § 164.312(e)(2)(ii), the transmission security specification; encryption and decryption of stored ePHI is the separate access control specification at § 164.312(a)(2)(iv))

Page 7: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

What Does Security Rule Compliance Accomplish?

Creates foundation to build enterprise security upon

Encourages atmosphere of attention to risks

Requires planning for system disruption

Educates and trains workforce to detect and mitigate

Focus on preparation

Image from http://kraasecurity.com/

Page 8: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

When an Attack Occurs: How to Respond

Go to the Breach Notification Rule under HIPAA:
1. OCR considers it a per se "breach"
   a) Blocking access/control is considered unauthorized access
2. Must then determine whether it is actually a reportable "breach"
3. Rule creates a presumption of breach
4. UNLESS there is a low probability that the PHI has been compromised
   a) Determination requires a risk assessment

Image from http://www.druva.com/blog/how-to-undo-the-voodoo-of-a-ransomware-attack/

Page 9: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

What Goes into Risk Assessment

Case-by-case assessment
1. Very factual
2. Need to dive into the details
3. Forensic analysis may be necessary

Elements are:
1. Nature and extent of the PHI involved;
2. Unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. Extent to which the risk has been mitigated.

Page 10: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

Putting It All Together

Good processes will:
1. Create a nimble system that cannot be taken down by a single event
2. Prime individuals on different organizational levels to detect, respond and mitigate
3. Raise awareness and sensitivity to ransomware
4. Test and re-evaluate policies/procedures

Image from http://blogs.systweak.com/2016/04/how-to-prevent-and-protect-against-ransomware-attack/

Page 11: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

Ransomware Response Processes

Ransomware response may include processes to:
1. Detect and perform initial analysis of the ransomware;
2. Contain the impact and spread of the ransomware;
3. Eradicate the ransomware infecting the system;
4. Address the vulnerabilities that led to the ransomware exposure;
5. Restore lost data and return to normal operations;
6. Conduct post-incident analyses to determine obligations arising from the incident, including regulatory, contractual or other obligations

Page 12: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

Impact on HIPAA Policies and Procedures

Must do risk analysis at least annually
1. Provides a basis to identify new risks
2. Takes changes into account
3. Recognizes evolving threats and how each can exploit vulnerabilities differently

Update policies and procedures regularly
1. Do not assume or treat as a "one and done" process
2. Factor in the results of ongoing risk analyses

Include in required training

Page 13: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

Going Beyond HIPAA

HIPAA only provides ground-level security requirements

Strong protection will go above and beyond HIPAA baseline

Look to NIST, best practices and more

Industry threat and information sharing

Page 14: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

What Does it All Come Down to?

A ransomware attack will occur and PHI will be locked down and/or accessed

Healthcare organizations must bounce back and quickly

Must be prepared and ready to act

Chart: Number of records breached per month in 2016 (data from Protenus)

Page 15: Ghost in the Machine: Ransomware's Impact on HIPAA Compliance

Matthew Fisher, Esq.
Mirick O'Connell

@matt_r_fisher