Ghost in the Machine: Ransomware’s Impact on HIPAA Compliance
Enter the Ghost: Ransomware Hits the System
An employee opens a suspicious email, an individual visits an infected website, or some other event occurs.
Suddenly an error message pops up demanding a ransom:
What should you do?
What is the HIPAA impact?
Image from https://www.fireeye.com/blog/threat-research/2015/05/teslacrypt_followin.html
Response to Ransomware:
Panic?
Practical Issues:
1. Should the ransom be paid?
2. Are files completely locked down?
3. What files can be recovered?
4. What does this mean for the IT system?
5. What will the public think?
HIPAA Expectations:
1. Is it a breach?
   a) Presumption is yes
2. Must perform a risk assessment
   a) Outcome determines who, if anyone, needs to be notified
Image from http://www.catherinecavendish.com/2014/08/a-ghost-in-machine.html
HIPAA and Ransomware Response
• Preparation should begin before ransomware strikes
• Ransomware provides a basis to spur/encourage evaluation
• Regulations provide a basis for the plan of attack
Image from ww.foxgrp.com/blog/ransomware
How to Prepare
Remember what good HIPAA Security Compliance starts with:
• Risk Analysis
   o Sets the baseline for protections to put into place
   o Reveals the full scope of weaknesses, vulnerabilities, likelihood of threats and more
   o Build the complete plan from here
Image from http://it.toolbox.com/blogs/data-protection/hipaa-security-risk-analysis-tips-get-er-done-52848
Key Elements of HIPAA Security Rule
Certain Security Rule safeguards can help mitigate ransomware risk:
• Access Authorization (45 CFR § 164.308(a)(4)(ii)(B))
• Protection from Malicious Software (45 CFR § 164.308(a)(5)(ii)(B))
• Contingency Plan (45 CFR § 164.308(a)(7))
   o Includes: (i) Data Backup Plan, (ii) Disaster Recovery Plan, and (iii) Emergency Mode Operation Plan
• Encryption (45 CFR § 164.312(e)(2)(ii))
What Does Security Rule Compliance Accomplish?
• Creates the foundation on which to build enterprise security
• Encourages an atmosphere of attention to risks
• Requires planning for system disruption
• Educates and trains the workforce to detect and mitigate
• Focus on preparation
Image from http://kraasecurity.com/
When an Attack Occurs: How to Respond
Go to the Breach Notification Rule under HIPAA:
1. OCR treats ransomware encryption of ePHI as a presumed "breach"
   a) Blocking access to or control of PHI is considered unauthorized access
2. Must still determine whether it is actually a "breach"
3. The Rule creates a presumption of breach
4. UNLESS there is a low probability that the PHI has been compromised
   a) That determination requires a risk assessment
Image from http://www.druva.com/blog/how-to-undo-the-voodoo-of-a-ransomware-attack/
What Goes into Risk Assessment
Case-by-case assessment
1. Very factual
2. Need to dive into the details
3. Forensic analysis may be necessary
Elements are:
1. Nature and extent of the PHI involved;
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk has been mitigated.
Putting It All Together
Good processes will:
1. Create a nimble system that cannot be taken down by a single event
2. Prime individuals at different organizational levels to detect, respond and mitigate
3. Raise awareness and sensitivity to ransomware
4. Test and re-evaluate policies/procedures
Image from http://blogs.systweak.com/2016/04/how-to-prevent-and-protect-against-ransomware-attack/
Ransomware Response Processes
Ransomware response may include processes to:
1. Detect and perform initial analysis of the ransomware;
2. Contain the impact and spread of the ransomware;
3. Eradicate the ransomware infecting the system;
4. Address the vulnerabilities that led to the ransomware exposure;
5. Restore lost data and return to normal operations;
6. Conduct post-incident analyses to determine obligations arising from the incident, including regulatory, contractual or other
Impact on HIPAA Policies and Procedures
Perform a risk analysis at least annually
1. Provides the basis to identify new risks
2. Takes changes into account
3. Recognizes evolving threats and how each can exploit vulnerabilities differently
Update policies and procedures regularly
1. Do not assume or treat this as a "one and done" process
2. Factor in the results of ongoing risk analyses
Include ransomware in required training
Going Beyond HIPAA
• HIPAA only provides ground-level security requirements
• Strong protection will go above and beyond the HIPAA baseline
• Look to NIST, best practices and more
• Industry threat and information sharing
What Does it All Come Down to?
• A ransomware attack will occur, and PHI will be locked down and/or accessed
• Healthcare organizations must bounce back, and quickly
• Must be prepared and ready to act
[Chart: Number of records breached per month in 2016. Data from Protenus.]
Matthew Fisher, Esq., Mirick O'Connell
@matt_r_fisher