Ransomware, in which an attacker gains access to a secured electronic system, encrypts data, and demands payment in order to decrypt the data, looms large as a cybersecurity threat for public and private sector organizations, especially health care providers. Government agencies and lawmakers alike have begun to focus on various aspects of ransomware and how organizations can address the growing cybersecurity threat. In a “Dear Colleague” letter providing additional ransomware reference material from various federal administrative and law enforcement agencies, HHS noted three key points for information officers involved in cybersecurity to consider on the subject: (1) unique disruptions; (2) prevention measures; and (3) law enforcement contacts.
Prevention and payment
In a technical guidance document titled “How to Protect Your Networks from Ransomware,” included in the “Dear Colleague” letter, prevention is considered the most effective defense. The guidance stressed that organizations need to implement an awareness and training program, along with strong spam filters and anti-virus and anti-malware programs to scan emails. In addition, organizations should back up their data and ensure the security of those backups.
In instances where the preventive measures fail and a ransomware attack is successful, the guidance noted that organizations should isolate the infected systems as quickly as possible and immediately notify law enforcement. HHS, along with the Departments of Homeland Security and Justice, warned that paying a ransom may actually encourage the criminal enterprise. The Departments stressed that payment does not guarantee an organization will regain access to its data; in fact, some individuals and organizations were never provided with decryption keys after having paid a ransom. Some organizations, after paying, were reportedly targeted again by other cyberattacks.
Not a conventional breach
Representatives Ted W. Lieu (D-Calif) and Will Hurd (R-Texas) asked the HHS Office for Civil Rights (OCR) to focus on developing guidance for health care providers to use when responding to ransomware attacks under the disclosure and reporting requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH) (P.L. 111-5) and the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191). The lawmakers also sought guidance on understanding and addressing the differences between ransomware and conventional hacking, noting that although ransomware qualified as a conventional breach, it should not be treated the same or subject to a similar risk assessment.
Unlike other cybersecurity threats, ransomware is particularly disruptive of day-to-day business functions. Ransomware generally works by placing an encryption lock around an entity’s servers, storage devices, applications, or files. In the course of encrypting files, the ransomware cuts off particular functions, such as access to personal health records. From a technical standpoint, this system access is a conventional data breach under 45 C.F.R. Sec. 164.402.
In a conventional breach of a health care provider, personal health information is viewed or stolen, infringing on the patient’s privacy rights. Ransomware, instead, denies access to health records or system functions and increases patient safety and service risks. The lawmakers highlighted a recent MedStar Health system ransomware breach that forced the health care provider to shut down its computer network and turn away patients.
The lawmakers suggested that patient notification of ransomware breaches only makes sense when the attack results in either a denial of access to an electronic medical record or a loss of the functionality needed to provide medical services. However, rapid and mandatory notification of government agencies, including information sharing, should be made as soon as ransomware attacks are known. The lawmakers concluded by urging the OCR to include clear guidance related to data modification resulting from ransomware attacks.