The U.S. Department of Health and Human Services’ Office for Civil Rights has published a video to help healthcare organizations prevent ransomware attacks by adhering to HIPAA Security Rule standards and improving cybersecurity practices.
What happened
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has released a video guiding HIPAA-regulated entities on ransomware prevention and compliance with the HIPAA Security Rule. The video, published as part of National Cybersecurity Awareness Month, seeks to raise awareness about ransomware threats and emphasize how adhering to HIPAA’s security provisions can significantly help mitigate the risks and impact of such attacks.
See also: HIPAA Compliant Email: The Definitive Guide
Going deeper
Ransomware attacks have surged dramatically in recent years. According to Nick Heesters, OCR’s senior advisor for cybersecurity, there has been a 102% increase in ransomware incidents targeting HIPAA-regulated entities from 2019 to 2023. OCR has identified numerous trends related to these attacks, partly through its investigations into large data breaches:
- Some entities were found to be only partially compliant with HIPAA regulations, with insufficient measures to detect and prevent attacks or to contain them once they occurred.
- One case involved a covered entity that implemented a Security information and event management (SIEM) system. The system identified suspicious activity and sent alerts via email, but the designated team member had already left the organization, and the alerts went unchecked. Such lapses allowed ransomware attackers to exploit vulnerabilities undetected for weeks or months.
- A lack of security awareness training, failure to encrypt sensitive patient information, and inadequate backup strategies are frequent gaps in cybersecurity.
- For instance, many organizations failed to use the recommended 3-2-1 backup approach, which could have minimized damage and sped up recovery following a ransomware attack.
Summary of key points
Increase in large breaches
- From 2018 to 2023, large breaches reported to OCR increased by 102%.
- In 2023, 744 large breaches were reported, affecting 160 million people, a 950% increase from 2018.
Hacking and IT incidents
- 89% increase in large breaches related to hacking/IT incidents (2019-2023).
- Ransomware attacks rose by 102% in the same period.
OCR ransomware guidance
- Since 2016, OCR has provided resources on ransomware, prevention, detection, and reporting.
- Ransomware encrypts PHI, qualifying as a breach under HIPAA rules.
Breach risk assessment
- To avoid reporting, organizations must prove a low probability of PHI compromise through a 4-factor risk assessment.
- Thorough documentation is required to support this assessment.
Types of ransomware
- Crypto ransomware: Encrypts data, demanding ransom for a decryption key.
- Locker malware: Locks users out of their systems.
- Scareware: Trickware that claims infection but causes no damage.
- Doxware/Leakware: Exfiltrates data for publication or ransom.
Prevention
- Training on social engineering and phishing is crucial, alongside simulated phishing tests.
- Organizations must patch vulnerabilities and manage risks using tools like vulnerability scanning and penetration testing.
Multi-factor authentication (MFA)
- Over 80% of cyberattacks involve compromised credentials.
- Using MFA (e.g., password + fingerprint) is vital to prevent unauthorized access.
Access controls
- Effective access controls (role-based, user-based, attribute-based) can prevent or impede attackers. Controls extend to networks through segmentation, firewalls, and network access control.
- Privileged Access Management (PAM) tools can limit access to privileged accounts to enhance security against cyber-attacks.
Access control failures: Weak access controls combined with poor authentication can lead to breaches. Common issues include excessive admin privileges and weak authentication practices.
Read also: Access control systems in healthcare for comprehensive security
System logs
- Log files (anti-malware, firewall, system logs) help in tracking cyber-attacks. Regular review and secure backup of logs are essential as attackers often target these logs.
Resources
- HHS offers resources such as the Healthcare and Public Health Cybersecurity Performance Goals, Health Industry Cybersecurity Practices, and the Security Risk Assessment Tool.
- OCR’s Cybersecurity Newsletters: Guide various cybersecurity topics related to HIPAA, including access controls, incident response, and defending against cyber-attacks
Read also: Cybersecurity insights and trends for 2024
Why it matters
The release of this guidance by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) acts as a measure to help HIPAA-regulated entities understand the growing threat of ransomware and demonstrate how compliance with the HIPAA Security Rule can mitigate risks.
With ransomware attacks increasing dramatically in the healthcare sector, this guidance educates organizations on preventing, detecting, and responding to attacks, emphasizing the need for strong cybersecurity measures to protect patient data and avoid breaches that could lead to financial penalties and reputational damage.
FAQs
What is ransomware?
Ransomware is a type of malicious software that encrypts an organization’s data, making it inaccessible until a ransom is paid to the attackers. It often targets critical systems, such as those in healthcare, to cause disruption and extract payments.
Why is ransomware a major concern for healthcare organizations?
Healthcare organizations store sensitive patient information, making them attractive targets for ransomware attacks. A successful attack can lead to operational disruptions, data breaches, and significant financial and reputational harm.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that sets national standards for the protection of sensitive patient information, specifically addressing how healthcare entities must secure health data.
Go deeper: What is HIPAA?