Kusserow on Compliance: Defending against ransomware threat

Cyber attacks have risen to dramatic levels over the last two year and are likely averaging one attack a day, with the most disturbing trend involving ransomware. A survey by the American Health Lawyers Association indicated that virtually all healthcare lawyers believe they will be involved with cyber security matters with their client and the threat will continue to increase over the coming years. Data breaches include actions by those inside the organization, as well as external attacks including phishing, hacking, and ransomware. Ransomware typically involve a sophisticated computer virus introduced into a victim’s system that encrypts the system’s data.  The attackers threaten to delete the private key needed to decrypt the files unless the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin. The healthcare industry, particularly hospitals, have proven to be a soft target, as they need to have immediate access to their patient information and many have paid the ransom to regain control over it. The healthcare sector is considered a “soft target” for Ransomware attacks, particularly hospitals that are the perfect mark for this kind of extortion in that they provide critical care and rely on up-to-date information from patient records. As such, compliance officers need to consider this a compliance high-risk area where ongoing monitoring and auditing applies.  Simply assuming that someone in IT is addressing this problem area can be a big mistake. At the same time, the compliance office is not responsible for the program, but is responsible to ensure that those that have that responsibility are doing their job, including IT and human resource management (HRM).

According to new studies reported, healthcare now ranks as the second highest sector for data security incidents, after business services. The “2017 Internet Security Threat Report” found that in healthcare (a) over half of emails contained spam; (b) one in 4,375 emails being a phishing attempt; and (c) email-borne ransom-ware spiked 266% over the previous year.  The Ponemon Institute further found breaches could be costing the healthcare industry $6.2 billion annually. All these studies indicate that the biggest vulnerability to cyber attacks is employees that let-down their guard when opening or responding to emails from unknown sources. Often “scammers” create the appearance of legitimate sites, including using similar names, emblems of companies and even government agencies, etc. (including the OIG and IRS). Once someone opens the door, all kinds of bad things can happen.

Practical Tips

  1. Implement policies and procedures on taking precautions against malware and train all covered persons on them.
  2. Ensure ongoing (repeated) training of employees to keep them aware and being on guard against allowing software breaches by clicking on an email link or attachment, or responding to “pfishing” inquiries.
  3. Don’t entirely rely upon employees to always do the right thing and provide assistance by configuring email servers to block zip or other files that are likely to be malicious.
  4. Restrict permissions to areas of the network by limiting the number of people accessing files on a single server, so that if a server gets infected, it won’t spread to everyone.
  5. Limit employee access to systems on a need to know standard.
  6. Security efforts should focus on those files that are most critical, patient records.
  7. Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate or remediate these identified risks.
  8. Maintain disaster recovery, emergency operations, and frequent data backups to permit restoring of lost data in case of an attack.
  9. Move quickly on any report of an attack to prevent the malware from spreading, by disconnecting infected systems from a network; disabling Wi-Fi, and removing USB sticks or external hard drives connected to an infected computer system.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.