Kusserow on Compliance: Cyber Security—21 Practical Safeguarding Tips

Cyber security is a growing compliance issue with enormous implications for the health care sector. Cyber attacks have increased to dramatic levels over the last two years and likely average more than one attack a day. Ransomware is one of the most disturbing trends. One of the largest ransomware attacks, known as “WannaCry,” hit organizations in countries around the world. Ransomware most often arrives through a phishing attack, which tricks email recipients into installing malicious software that encrypts their files and locks them out of their documents; WannaCry itself also spread as a worm between unpatched Windows systems without any user action, which is why timely patching appears on the list below. The user is then prompted to pay a ransom to have access restored. For health care providers, the concern is not only business disruption but also breaches of Protected Health Information (PHI). OCR data indicates that more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches, and that breaches attributed to “hackers” rose sharply in 2016. According to recently reported studies, health care now ranks second among sectors for data security incidents, after business services. The “2017 Internet Security Threat Report” found that in health care: (a) over half of emails were spam; (b) one in 4,375 emails was a phishing attempt; and (c) email-borne ransomware reached record levels.

Camella Boateng is a consultant expert in addressing HIPAA compliance and makes the point that all health care organizations should have a response plan ready before it is needed. This permits prompt action to mitigate the harm of a breach to systems, reputation, costs, and potential liabilities. Not being prepared with a response plan will likely result in delays, mistakes, and aggravation of the problem. Considerations in developing the plan should include: (a) establishing roles and responsibilities for those who would respond to an incident; (b) outlining the methods to detect, report, and internally evaluate incidents; (c) laying out the steps to be followed in containing and eliminating breaches; (d) determining how the response plan would be initiated and operations restored; and (e) deciding what would be involved in developing, executing, and monitoring a post-event remedial action plan. She advises that responsible program managers should address this as part of their ongoing monitoring responsibilities. Compliance officers should verify this is being done and validate that it is effective in meeting its objectives. This can be done through ongoing auditing performed with internal resources or by engaging outside experts.

21 Practical Safeguarding Tips

  1. Don’t assign responsibility for cyber security to someone at a low level in the organization
  2. Ensure software products are up to date with the most recent patches at all times
  3. Establish an aggressive patching schedule for all software
  4. Implement policies/procedures for precautions against malware
  5. Train employees not to click on email links/attachments or respond to “phishing” inquiries
  6. Regularly test users to make sure they are on guard
  7. Configure email servers to block zip or other files that are likely to be malicious
  8. Restrict permissions to areas of the network and to databases on a need-to-access basis
  9. Grant access to systems on a need-to-know standard
  10. Limit which employees can access files on a single server, so that if it is infected, the malware won’t spread to everyone
  11. Focus security efforts on the most critical files, especially patient records
  12. Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate them
  13. Maintain frequent data backups to permit restoring of lost data in case of an attack
  14. Regularly take full snapshots of your data and store them offline
  15. Monitor email carefully and do not open email attachments from unknown parties
  16. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access
  17. Develop a business continuity plan to minimize down time
  18. Maintain disaster recovery and emergency operation plans
  19. Regular systems tests can also help flag vulnerabilities before a hacker can get in
  20. On any report of an attack, prevent spreading by disconnecting infected systems from a network; disable Wi-Fi, and remove USB sticks or connected external hard drives
  21. Establish real-time data backups to permit work to continue


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.


Kusserow on Compliance: 2016 ransomware and HIPAA data breaches

The HHS Office for Civil Rights (OCR) continues to report that most Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Privacy Rule violations were due to unauthorized access or disclosure, but cyber attacks are now a close second. Cyber attacks have been very significant in the last couple of years, with the number of such breaches rising to dramatic levels during 2016. The OCR reported at the end of November that scammers were using fake OCR emails to advance their schemes. No one knows for sure how many data breaches occur, but from what is known, the number may average more than one per day. The broad category of data breaches includes actions by those inside the organization as well as external attacks, including phishing, hacking, and ransomware. The most disturbing trend involves ransomware, which typically involves malicious software introduced into a victim’s system that encrypts the system’s data. The attackers threaten to delete the private key needed to decrypt the files unless the owners of the information pay a ransom, typically in a hard-to-trace digital currency such as Bitcoin. Health care industry stakeholders, particularly hospitals, have proven to be soft targets, as they need immediate access to their patient information, and many have paid the ransom to regain control over it. There have been some major payouts by health care organizations to regain control over their data and information.

Dr. Cornelia Dorfschmid, a national expert on the subject of ransomware attacks, notes they have been growing as an internet threat for more than a decade, but have only recently become prominent in health care. The health care sector is considered a soft target, particularly hospitals, which are the perfect mark for this kind of extortion in that they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives, and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.

Tom Herrmann, J.D., explained that both the OCR and CMS found that many questioned whether ransomware attacks were even reportable HIPAA breaches. The reasoning was that the attackers have no interest in accessing, copying, or exfiltrating the files they capture; they just want to hold the data out of the target’s control until they are paid. Both CMS and the OCR disagreed and took the position that such an attack is also likely a data breach that must be reported like any other HIPAA breach. In July, the OCR released guidance making clear that a ransomware attack is a security incident under the Security Rule and is presumed to be a reportable breach unless the covered entity or business associate can demonstrate a low probability that the PHI was compromised; failure to report in a timely manner exposes the entity to severe penalties. Since the release of the OCR guidance, there has been a continued increase in the number of reported attacks. Some of that increase may reflect health care organizations that had been treating payment of ransom as a cost of doing business. They can no longer do so without risking severe penalties, and the OCR has been entering into very large settlements, many over $1 million. A recent example of this enforcement effort is the University of Massachusetts’ $650,000 HIPAA settlement after a breach of unsecured protected health information (PHI), in which the OCR found a number of security and compliance gaps, including the absence of firewalls, as well as failures to meet basic HIPAA security requirements: conducting thorough organization-wide risk analyses, properly training staff, and implementing applicable policies and procedures.

OCR guidance to prevent data breaches and ransomware attacks

The OCR guidance discusses:

  • conducting a risk analysis to identify threats and vulnerabilities to electronic PHI (ePHI);
  • establishing ways to mitigate or remediate these identified risks;
  • implementing procedures to take precautions against malware;
  • training users to detect malware and report such detections;
  • limiting access to PHI to people and software requiring such access;
  • maintaining disaster recovery, emergency operations, frequent data backups, and practice restorations.

The fact is that organizations have tools available that can strengthen security and may just need to address a basic lack of security measures.


To protect against ransomware, organizations should:

  • train employees to understand that breaches often occur when opening an email link or attachment, or responding to “phishing” inquiries;
  • conduct an ePHI vulnerabilities assessment and mitigate or remediate identified risks;
  • address any lack of security technology protecting data and information, including firewalls, email, or web traffic filters;
  • focus security efforts on the most critical files, especially patient records;
  • consider using passphrases rather than passwords;
  • develop and implement policies and procedures on how to take precautions against malware;
  • limit access to PHI to people and software requiring such access;
  • maintain disaster recovery, emergency operations, and frequent data backups to permit restoration of lost data in case of an attack;
  • configure email servers to block zip or other files that are likely to be malicious;
  • move quickly on any report of an attack to prevent the malware from spreading, by disconnecting infected systems from a network, disabling Wi-Fi, and removing USB sticks or external hard drives connected to an infected computer system; and
  • limit those who can access files on a single server, so that if a server gets infected, it won’t spread to everyone.
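The tip to configure email servers to block zip and other likely-malicious attachments (item 7 of the 21 tips above, and the bullet in this list) is only effective if the filter looks inside archives: a zip whose sole member is a script is the classic ransomware lure. The following is an added example, not code from the newsletter or from any OCR guidance, showing the policy logic a mail gateway plugin would apply. The blocklist of extensions, the sample message, and the hypothetical hospital addresses are all constructed here for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Assumption: a typical attachment blocklist; tune it to your environment.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".bat", ".cmd",
    ".hta", ".ps1", ".jar", ".lnk", ".wsf", ".docm", ".xlsm",
}
ARCHIVE_EXTENSIONS = {".zip"}   # opened and inspected rather than trusted by name


def _ext(name):
    """Lower-cased final extension of a file name, or '' if it has none."""
    name = (name or "").lower()
    i = name.rfind(".")
    return name[i:] if i >= 0 else ""


def check_zip(data, outer_name, depth=0, max_depth=2):
    """Return policy violations found inside a zip payload, recursing into nested zips."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{outer_name}: not a valid zip archive"]
    for info in zf.infolist():
        label = f"{outer_name} -> {info.filename}"
        if info.flag_bits & 0x1:  # encrypted entry: attackers use this to defeat scanning
            findings.append(f"{label}: password-protected entry cannot be inspected")
            continue
        inner_ext = _ext(info.filename)
        if inner_ext in BLOCKED_EXTENSIONS:
            findings.append(f"{label}: blocked type {inner_ext}")
        elif inner_ext in ARCHIVE_EXTENSIONS:
            if depth + 1 >= max_depth:
                findings.append(f"{label}: nesting too deep")
            else:
                findings.extend(check_zip(zf.read(info.filename), label, depth + 1, max_depth))
    return findings


def check_message(raw):
    """Walk every attachment of a raw RFC 822 message and return policy violations."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        ext = _ext(filename)
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{filename}: blocked type {ext}")
        # Inspect by content too, so a zip renamed to .pdf is still opened.
        elif ext in ARCHIVE_EXTENSIONS or payload.startswith(b"PK\x03\x04"):
            findings.extend(check_zip(payload, filename))
    return findings


def build_sample():
    """Constructed lure: a zip containing a JavaScript dropper, plus a harmless PDF."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.js", "var a = 1;")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@hospital.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see attached.")
    msg.add_attachment(inner.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="summary.pdf")
    return msg.as_bytes()


def build_nested_sample():
    """Constructed zip-in-zip hiding an executable one level down."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("setup.exe", b"MZ fake executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in check_message(build_sample()) + check_zip(build_nested_sample(), "outer.zip"):
        print("REJECT:", finding)
```

Two design points matter here: the check is by content as well as by declared extension, and a password-protected archive is rejected outright because it cannot be inspected, which is exactly the case a blocklist-by-name filter waves through.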


Copyright © 2016 Strategic Management Services, LLC. Published with permission.

Data for ransom: OCR offers ransomware guidance

Hackers throughout the world are kidnapping data and holding it for ransom, requiring the lawful data holders to pay large sums of money, often in cryptocurrency such as Bitcoin, if they want it back. Attacks have increased by 300 percent, from 1,000 per day in 2015 to 4,000 per day in early 2016. HHS, in conjunction with the U.S. Departments of Homeland Security and Justice, recently disseminated guidance about protecting networks from ransomware and responding to attacks (see Lawmakers, agencies raise specter of ransomware threats to cybersecurity, Health Law Daily, June 30, 2016). An attack on protected health information (PHI) can have particular ramifications for covered entities (CEs) and business associates (BAs) pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191) Security and Breach Notification rules. As a result, the HHS Office for Civil Rights has issued its own fact sheet on the intersection of ransomware and HIPAA and ways CEs and providers can protect themselves and mitigate damages.


In ransomware attacks, hackers infect systems with malicious software that encrypts data and makes it inaccessible to authorized users; they then insist on ransom payment in exchange for a key that will decrypt the data.  In some instances, however, ransomware may destroy or exfiltrate data, transferring it elsewhere.  The OCR notes that basic Security Rule compliance will help CEs and BAs prevent ransomware attacks. Organizations should already be performing risk analyses to identify threats and vulnerabilities and implementing procedures and other measures to prevent attacks, which include training users about malicious software and limiting access to only those people requiring access to electronic PHI (ePHI).

Ransomware attacks often go undetected until a hacker contacts an entity, demanding payment. However, workforce members should be trained to look for early signs of an attack, including knowledge that they have clicked on a link, opened an attachment, or visited a website that is potentially malicious; an increase in central processing unit (CPU) and disk activity for no apparent reason; an inability to access certain files; and suspicious network communications.
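The early signs the OCR lists can be turned into host-side detection logic rather than left to user awareness alone. The following is an added example, not part of the OCR fact sheet or this article, that runs three generic checks over a constructed stream of file-write events: a burst of writes by one process, writes of high-entropy content under an extension the environment does not normally produce (encryption leaves files looking like random bytes), and any write to a planted canary file that no legitimate workflow touches. The thresholds, the extension allowlist, the canary path, and the process names are assumptions for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Assumptions: tune the allowlist and thresholds per environment.
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
HIGH_ENTROPY = 7.5      # bits per byte; encrypted or compressed data sits near 8.0
BURST_THRESHOLD = 20    # writes by one process inside the window before alerting
BURST_WINDOW = 60       # seconds
CANARY_PATHS = {"/srv/share/finance/zz_canary_do_not_open.xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1].lower()
    return name[name.rfind("."):] if "." in name else ""


def analyse(events):
    """Each event: {'ts': seconds, 'process': name, 'path': str, 'data': bytes written}."""
    alerts = []
    recent_writes = defaultdict(list)   # process -> timestamps inside the burst window
    for ev in events:
        ts, proc, path = ev["ts"], ev["process"], ev["path"]
        if path in CANARY_PATHS:
            alerts.append(f"{ts}: {proc} wrote canary file {path}")
        ext = file_ext(path)
        ent = shannon_entropy(ev["data"])
        if ext not in EXPECTED_EXTENSIONS and ent > HIGH_ENTROPY:
            alerts.append(f"{ts}: {proc} wrote high-entropy ({ent:.2f} bits/byte) "
                          f"file with unexpected extension {ext!r}: {path}")
        window = recent_writes[proc]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:
            window.pop(0)
        if len(window) == BURST_THRESHOLD:   # fire once as the threshold is crossed
            alerts.append(f"{ts}: {proc} wrote {BURST_THRESHOLD} files within {BURST_WINDOW}s")
    return alerts


def pseudo_random(seed, size=4096) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output (constructed data)."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


def sample_events():
    """Constructed stream: one benign document save, then an encryption run."""
    events = [{"ts": 0, "process": "WINWORD.EXE",
               "path": "/srv/share/finance/notes.txt",
               "data": b"Quarterly budget notes for the board meeting.\n" * 40}]
    for i in range(25):
        events.append({"ts": 100 + i, "process": "invoice.exe",
                       "path": f"/srv/share/finance/report{i}.xlsx.locked",
                       "data": pseudo_random(i)})
    events.append({"ts": 130, "process": "invoice.exe",
                   "path": "/srv/share/finance/zz_canary_do_not_open.xlsx",
                   "data": pseudo_random(99)})
    return events


if __name__ == "__main__":
    for alert in analyse(sample_events()):
        print(alert)
```

Entropy alone is a weak signal (Office documents are zip containers and already score high), which is why it is gated on an unexpected extension; the canary and the per-process burst counter are the checks that catch the run even when the malware preserves file names.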

Frequent data backups can prevent day-to-day operations from coming to a halt in the event of an attack. The OCR recommends that organizations maintain backups offline in order to make them inaccessible from their networks. The agency highlighted the importance of performing periodic test restorations to ensure that an entity would be able to restore data that has been backed up should an attack occur. Pursuant to the HIPAA Security Rule, entities should have security incident response procedures in place to address various types of security incidents; in the case of ransomware, the procedures should allow them to quickly detect and analyze the ransomware, contain the impact, eradicate the ransomware, and restore lost data. The presence of ransomware is a security incident pursuant to the Security Rule, and entities must initiate security incident response and reporting procedures (see 45 C.F.R. secs. 164.304, 164.308(a)(6)).
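A test restoration is only meaningful against a record of what the data looked like before the attack: if the nightly job faithfully backs up files that ransomware has already encrypted, the archive restores cleanly and is still useless. The following added example (not from the OCR guidance or this article) takes a backup together with a SHA-256 manifest, restores it to scratch space, and reports files that are missing, altered, or unexpected; the second scenario shows the manifest catching a backup taken after the share was encrypted. The directory layout and file contents are constructed for illustration, and the manifest is what should be kept offline alongside the backup.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(root: Path, archive: Path) -> dict:
    """Write a gzip tar of root and return the manifest taken at backup time."""
    root = Path(root)
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict, scratch: Path) -> dict:
    """Restore the archive into scratch and diff it against a known-good manifest."""
    scratch = Path(scratch)
    scratch.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(scratch, filter="data")   # refuse members escaping scratch
        except TypeError:                            # Python without extraction filters
            tar.extractall(scratch)
    restored = build_manifest(scratch)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupted": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(set(restored) - set(manifest)),
    }


def demo():
    """Known-good backup restores cleanly; a post-attack backup fails the manifest check."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "ehr_export"                      # constructed sample data set
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "visits.csv").write_text("id,date\n1,2016-07-01\n")
        (src / "config.ini").write_text("[db]\nhost=ehr-db\n")

        nightly = tmp / "nightly.tar.gz"
        manifest = make_backup(src, nightly)          # this manifest goes offline
        good = verify_restore(nightly, manifest, tmp / "restore_good")

        # Ransomware encrypts the share; the next nightly run captures ciphertext.
        (src / "patients" / "visits.csv").write_bytes(hashlib.sha256(b"ciphertext").digest() * 4)
        later = tmp / "nightly_after_attack.tar.gz"
        make_backup(src, later)
        bad = verify_restore(later, manifest, tmp / "restore_bad")
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("known-good backup:", good)
    print("post-attack backup:", bad)
```

The `filter="data"` argument to `extractall` is the modern Python safeguard against archive members that write outside the restore directory; the fallback keeps the example running on interpreters that predate it.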

Breach notification

Covered entities and BAs must determine on a case-by-case basis whether the presence of ransomware constitutes a reportable breach under the Breach Notification Rule (see 45 C.F.R. 164.402) or whether there is a low probability that the PHI has been compromised (see 45 C.F.R. 164.402(2)). In the event that ePHI was encrypted prior to the attack to the extent that it is not considered “unsecured,” there is no requirement to conduct an assessment as to the probability of compromise or to notify individuals and entities of a breach. However, organizations must be sure that the encryption is truly effective against the attack in question. For example, a full disk encryption solution makes data on a hard drive unreadable to unauthorized parties while the system is powered down. Once an authorized user has unlocked the drive, however, the operating system transparently decrypts files for any program running in that session, so ransomware launched by that user’s action reads and re-encrypts the same data; the disk encryption did not secure it against this attack.

Organizations must be prepared to fend off and respond to ransomware attacks.  The OCR wants to be sure these entities are ready when faced with a choice between their money and their PHI.

Lawmakers, agencies raise specter of ransomware threats to cybersecurity

Ransomware, in which an attacker gains access to a secured electronic system, encrypts data, and demands payment in order to decrypt the data, looms large as a cybersecurity threat for public and private sector organizations, especially health care providers. Government agencies and lawmakers alike have begun to focus on various aspects of ransomware and how organizations can address the growing cybersecurity threat. In a “Dear Colleague” letter providing additional ransomware reference material from various federal administrative and law enforcement agencies, HHS noted three key points for information officers involved in cybersecurity to consider on the subject: (1) unique disruptions; (2) prevention measures; and (3) law enforcement contacts.

Prevention and payment

In a technical guidance document titled “How to Protect Your Networks from Ransomware,” included in the “Dear Colleague” letter, prevention is considered the most effective defense. The guidance stressed that organizations needed to implement an awareness and training program, along with strong spam filters and anti-virus and anti-malware programs to scan emails. In addition, organizations should back up and ensure the security of data.

In instances where the preventive measures fail and a ransomware attack is successful, the guidance noted that organizations should isolate the infected systems as quickly as possible and immediately notify law enforcement. HHS, along with the Departments of Homeland Security and Justice, warned that paying a ransom may actually encourage the criminal enterprise. The Departments stressed that payment did not guarantee an organization would regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Some organizations, after paying, were reportedly targeted again by other cyberattacks.

Not a conventional breach

Representatives Ted W. Lieu (D-Calif) and Will Hurd (R-Texas) asked the HHS Office for Civil Rights (OCR) to focus on guidance development for health care providers to use when responding to ransomware attacks under the disclosure and reporting requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH) (P.L. 111-5) and the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191). The lawmakers also sought guidance on understanding and addressing the differences between ransomware and conventional hacking, noting that although ransomware qualified as a conventional breach, it should not be treated the same or subject to a similar risk assessment.

Unlike other cybersecurity threats, ransomware is particularly disruptive of day-to-day business functions. Ransomware generally works by placing an encryption lock around an entity’s servers, storage devices, applications, or files. By encrypting those files, the ransomware disables access to particular functions, such as access to personal health records. From a technical standpoint, that system access is a conventional data breach under 45 C.F.R. Sec. 164.402.

In a conventional breach of a health care provider, personal health information is viewed or stolen, infringing on the patient’s privacy rights. Ransomware, instead, denies access to health records or system functions and increases patient safety and service risks. The lawmakers highlighted a recent MedStar Health system ransomware breach which forced the health care provider to shut its computer network down and turn away patients.

The lawmakers suggested that patient notification of ransomware breaches only made sense when the attack resulted in either a denial of access to an electronic medical record or loss of functionality to provide medical services. However, rapid and mandatory notification of government agencies should be made, including information sharing, as soon as ransomware attacks are known. The lawmakers concluded by urging the OCR to include clear guidance related to data modification from ransomware attacks.