The U.S. Department of Health and Human Services (HHS) has released new guidance clarifying the responsibilities of healthcare organizations following a ransomware infection. In brief, they must treat a ransomware infection as a breach in most cases.
The critical part of the HHS guidance is that a ransomware infection “usually results in a ‘breach’ of healthcare information under the HIPAA Breach Notification Rule.” The guidance adds that “entities experiencing a breach of unsecure PHI must notify individuals whose information is involved in the breach, HHS, and, in some cases, the media.” The presumption of a breach can only be rebutted if the organization can demonstrate, through the risk assessment the Breach Notification Rule requires, a low probability that the PHI was compromised, so the burden of proof sits with the infected organization, not with HHS.
Ransomware is a disturbing and very real malware threat targeting companies of all types and sizes. A recent U.S. Government interagency report counts roughly 4,000 ransomware attacks per day in 2016, up from about 1,000 per day in 2015. GCS has experienced at least a 4x increase in attacks in 2016 over 2015.
The only practical assistance in the HHS guidance is focused on the basics: good backups, user training, anti-virus/anti-malware tools, limited access, and an updated risk analysis.
- Good Backup: A backup system that maintains multiple, complete copies of all data, including operating systems, applications, databases and files. Copies must be kept both onsite and offsite, and at least one copy must be offline or otherwise unreachable from the production network, because ransomware will encrypt any backup share it can write to. Restores should be tested regularly; an untested backup is not a backup.
- User Training: Security training is a must for all organizations, and it can be delivered cost-effectively over the web.
- Anti-Virus/Anti-malware: Nearly every healthcare organization already runs anti-virus software, yet signature-based anti-virus catches few ransomware infections. On its own it is a weak defense and should not be relied on as the primary control.
- Risk Analysis: Most organizations have completed a HIPAA risk analysis, but substantial changes, including the threat posed by ransomware, demand a reassessment. What was good enough last year is probably not enough this year.
For a technical, step-by-step guide to recovering from ransomware, see here: https://www.gcstechnologies.com/what-you-should-do-when-ransomware-attacks