Volume 37 • Number 6 • June 2020 The Computer & Internet Lawyer • 3
Ransomware
Significant Increase in Ransomware Attacks on Healthcare Industry – OCR Offers Guidance
By Michael G. Morgan, Edward G. Zacharias, and Deepali Doddi
An alarming number of ransomware attacks recently have targeted and disrupted the U.S. healthcare industry. Many of the attacks involve a sophisticated and destructive strain of malware called Ryuk.
Ransomware attacks can prevent healthcare providers – ranging from large health systems to small medical practices – from accessing critical data needed to treat patients and maintain normal business operations. Consequently, ransomware attacks can have potentially devastating effects on patient safety and cause financial and reputational damage to afflicted healthcare providers. Healthcare providers should ensure that their information security teams are well positioned to protect and defend their organizations against such attacks.
What Is a Ransomware Attack?
Cyber-attackers use ransomware, a type of malware (that is, malicious software), in an attempt to extort an organization by freezing access to its own data. Typically, ransomware locks down electronic data files by encrypting them so that the key needed to decrypt them is known only to the attacker. The attacker then demands that the organization pay a ransom in exchange for the decryption key.
Ransomware often enters an organization when a user clicks a malicious link or downloads an infected file. According to the US Computer Emergency Readiness Team (“US-CERT”), ransomware “typically spreads through phishing emails or by unknowingly visiting an infected website.”1
It can be challenging for an organization to detect ransomware when it is initially deployed on its information systems. In fact, the United Kingdom’s National Cyber Security Centre (“NCSC”) issued an alert2 on June 22, 2019, advising that Ryuk, in particular, “is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximizing the impact of the attack.”
Ransomware attacks can cause an intense level of disruption to a healthcare provider’s operations that rely on its information systems. Without access to patients’ electronic medical records, healthcare providers may be forced to delay or cancel patient appointments and procedures, potentially endangering the patients’ safety. A ransomware attack can also cripple a healthcare provider’s revenue cycle management processes and prevent the provider from timely capturing revenue.
Moreover, a healthcare provider may need to expend a significant amount of effort on coordination with internal and external stakeholders, including:
• Information security, IT, legal department and senior executives;
• External advisors, consultants, forensics vendors, and outside legal counsel; and
• Law enforcement agencies.
Even healthcare providers with sophisticated data backup and disaster recovery processes may be compelled to pay a ransom to the cyber-attacker to obtain a decryption key because doing so can be more expedient and less resource intensive than restoring the patient data from backups.
For these reasons, healthcare providers can face tremendous pressure to negotiate and pay a ransom in order to resume providing vital patient services, notwithstanding the FBI’s warning3 that there is no guarantee that a criminal attacker will in fact provide a decryption key that will enable full restoration of the encrypted data after receiving a ransom payment.
OCR’s Cybersecurity Newsletter on Ransomware
In a cybersecurity newsletter,4 the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), addresses the recent onslaught of targeted ransomware attacks against healthcare entities. The newsletter supplements previously issued guidance by OCR on ransomware events, including OCR’s “2016 Fact Sheet: Ransomware and HIPAA.”5

Michael G. Morgan is a partner in the Los Angeles office of McDermott, Will & Emery. Edward G. Zacharias is a partner in the firm’s Boston office. Deepali Doddi is an associate in the firm’s Chicago office. The authors may be contacted at mmorgan@mwe.com, [email protected], and [email protected], respectively.
OCR cautions that “ransomware attacks often occur after prior instances of unauthorized access and malware infection.”
For example, cyber-attackers will frequently launch a ransomware attack only after successfully exploiting an organization’s lapses in security controls to gain privileged access to its information systems.
OCR observes that by appropriately implementing the Security Rule, HIPAA-covered entities and their business associates will be well situated to prevent and respond to ransomware attacks.
In particular, OCR highlights compliance with the following Security Rule provisions as instrumental to a HIPAA-regulated entity’s ransomware prevention, mitigation and recovery efforts:
1. Risk Analysis and Risk Management. The Security Rule requires HIPAA-regulated entities to perform an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI (“ePHI”) and reduce any identified risks to reasonable and appropriate levels.6
OCR observes that “identifying and addressing technical vulnerabilities within information systems and information technology infrastructure” through the risk analysis and risk management process is an important step in the prevention of ransomware attacks. Successful ransomware attacks will often exploit technical vulnerabilities, such as outdated or unpatched software, unsecured ports, inadequate access controls and user authentication mechanisms, and the absence of anti-malware software solutions.
2. Information System Activity Review. In the event that ransomware enters an organization, OCR finds that “effective system monitoring and review will be critical to detecting and containing” the ransomware attack. The Security Rule requires HIPAA-regulated entities to maintain and regularly review records of information system activity, such as audit logs and access reports.7 OCR states that regular review of information system activity records can facilitate the identification of anomalous activity associated with a ransomware attack, such as suspicious activity performed by a user account with elevated privileges.
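The kind of activity review OCR describes can be partly automated. The following is an added example, not code from the article or from OCR: it runs a few simple rules over constructed audit-log lines and flags the behaviours that precede a Ryuk-style deployment in the narrative above (a privileged account logging in after hours, a new administrative account being created, bulk access to patient records, and a backup service being disabled). The log format, the role names, the business-hours window and the thresholds are all assumptions and would need to be adjusted to a real EHR or domain-controller log.

```python
"""Flag privileged-account anomalies in an access log (added example).

Everything below is constructed for illustration: the log line format
("<ISO timestamp> <user> <role> <ACTION> k=v ..."), the role name "admin",
the business-hours window and the bulk-access threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"admin"}          # assumption: how the log labels privileged users
BUSINESS_HOURS = (7, 19)              # assumption: 07:00-19:00 local time
BULK_THRESHOLD = 20                   # assumption: distinct MRNs per window
BULK_WINDOW = timedelta(minutes=10)
PROTECTIVE_SERVICES = ("backup", "antivirus", "edr")

# Constructed sample log (not real data): 25 rapid record views by an admin
# account at night, bracketed by the other suspicious events.
_BULK_VIEWS = "\n".join(
    f"2020-05-18T23:{43 + i // 10}:{(i % 10) * 6:02d} dbadmin admin VIEW_RECORD mrn={10100 + i}"
    for i in range(25)
)
SAMPLE_LOG = f"""\
2020-05-18T09:12:04 jsmith clinician VIEW_RECORD mrn=10021
2020-05-18T09:13:40 jsmith clinician VIEW_RECORD mrn=10034
2020-05-18T10:02:11 dbadmin admin LOGIN src=10.0.4.7
2020-05-18T10:05:00 dbadmin admin CREATE_USER user=nnurse role=clinician
2020-05-18T23:41:02 dbadmin admin LOGIN src=203.0.113.9
2020-05-18T23:42:15 dbadmin admin CREATE_USER user=svc_backup2 role=admin
{_BULK_VIEWS}
2020-05-18T23:50:31 dbadmin admin DISABLE_SERVICE name=backup-agent
"""


def parse_line(line):
    """Split one log line into timestamp, user, role, action and a k=v detail dict."""
    parts = line.split(" ", 4)
    detail = {}
    if len(parts) == 5:
        for kv in parts[4].split():
            key, _, value = kv.partition("=")
            detail[key] = value
    return {"ts": datetime.fromisoformat(parts[0]), "user": parts[1],
            "role": parts[2], "action": parts[3], "detail": detail}


def review(log_text):
    """Return a list of (rule, user, timestamp) findings for the given log text."""
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    findings = []
    views = defaultdict(list)  # user -> [(timestamp, mrn)]
    for e in events:
        privileged = e["role"] in PRIVILEGED_ROLES
        in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
        if privileged and e["action"] == "LOGIN" and not in_hours:
            findings.append(("after_hours_privileged_login", e["user"], e["ts"]))
        if e["action"] == "CREATE_USER" and e["detail"].get("role") in PRIVILEGED_ROLES:
            findings.append(("new_privileged_account", e["user"], e["ts"]))
        if e["action"] == "DISABLE_SERVICE" and any(
                s in e["detail"].get("name", "") for s in PROTECTIVE_SERVICES):
            findings.append(("protective_service_disabled", e["user"], e["ts"]))
        if e["action"] == "VIEW_RECORD":
            views[e["user"]].append((e["ts"], e["detail"].get("mrn")))

    # Bulk access: more than BULK_THRESHOLD distinct records inside a sliding
    # BULK_WINDOW, reported once per user at the moment the threshold is crossed.
    for user, rows in views.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > BULK_WINDOW:
                start += 1
            if len({mrn for _, mrn in rows[start:end + 1]}) >= BULK_THRESHOLD:
                findings.append(("bulk_record_access", user, rows[end][0]))
                break
    return findings


if __name__ == "__main__":
    for rule, user, ts in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {rule}")
```

The clinician's two views and the admin's daytime login and clinician-account creation produce no findings; only the night-time sequence does. In practice these rules would be fed from the log sources the Security Rule already requires the entity to retain, and the thresholds tuned against a baseline of normal activity so that legitimate after-hours on-call work does not drown the alerts.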
3. Security Awareness and Training. OCR warns that “information system users remain one of the weakest links in an organization’s security posture.” For this reason, it is crucial for HIPAA-regulated entities to sufficiently train workforce members on their policies and procedures for complying with the Security Rule, as well as administer ongoing security awareness reminders and programs.8
For example, HIPAA-regulated entities might consider holding training sessions focused on social engineering, educating workforce members about identifying and reporting suspicious system activity, and conducting phishing simulation exercises.
4. Security Incident Procedures. The Security Rule requires HIPAA-regulated entities to maintain written procedures for identifying and responding to security incidents involving ePHI.9 Because an “organization’s incident response procedures can greatly limit the damage caused by a ransomware attack,” OCR recommends that HIPAA-regulated entities specifically address ways to mitigate and respond to ransomware attacks in their written security incident procedures.
OCR also suggests that entities periodically test their security incident procedures to promote their continued effectiveness.
5. Contingency Plan. Under the Security Rule, HIPAA-regulated entities must document and test a contingency plan that establishes strategies for recovering access to ePHI in the event of an emergency, natural disaster or other disruption to information systems.10 Data backup and disaster recovery procedures are key elements of a Security Rule contingency plan.
Because the availability and integrity of ePHI is of utmost importance to patient health and safety, OCR recommends continually backing up ePHI and ensuring that the ePHI can be restored from up-to-date, accurate backups if a ransomware attack occurs.
Notably, OCR advises that backups of ePHI may also be susceptible to ransomware, and that “threat actors have recently been actively targeting backup systems and backup data to prevent recovery.”
Accordingly, organizations should consider maintaining offline backups of ePHI that are disconnected from their networks.
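Knowing that a backup is “up-to-date” and “accurate,” in OCR’s words, before relying on it is something an entity can check mechanically. The following is an added example, not code from the article or from OCR: at backup time it records a SHA-256 digest of every file in a manifest (which should itself be kept offline, alongside the disconnected copy the paragraph above recommends), and before a restore it re-hashes the backup set and reports files that were modified, removed or added since the manifest was written, plus whether the backup is older than the expected cadence. The directory layout, file names, 24-hour age limit and the simulated tampering are all constructed for the demonstration.

```python
"""Verify a backup set against an out-of-band manifest (added example).

The backup contents, the 24-hour freshness limit and the simulated
ransomware tampering in demo() are constructed assumptions.
"""
import hashlib
import json
import os
from datetime import datetime, timedelta, timezone
from tempfile import TemporaryDirectory

MAX_BACKUP_AGE = timedelta(hours=24)   # assumption: one backup per day is expected


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _walk(backup_dir):
    """Map each file's path relative to backup_dir (with '/' separators) to its full path."""
    found = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            full = os.path.join(root, name)
            found[os.path.relpath(full, backup_dir).replace(os.sep, "/")] = full
    return found


def write_manifest(backup_dir, manifest_path, created=None):
    """Record a digest and size for every file in the backup. Keep the manifest offline."""
    files = {rel: {"sha256": sha256_file(full), "size": os.path.getsize(full)}
             for rel, full in _walk(backup_dir).items()}
    created = created or datetime.now(timezone.utc)
    manifest = {"created": created.isoformat(), "files": files}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir, manifest_path, now=None, max_age=MAX_BACKUP_AGE):
    """Compare the backup set on disk with the manifest; 'ok' is True only if nothing differs."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    now = now or datetime.now(timezone.utc)
    expected = manifest["files"]
    present = _walk(backup_dir)
    result = {
        "stale": now - datetime.fromisoformat(manifest["created"]) > max_age,
        "missing": sorted(p for p in expected if p not in present),
        "unexpected": sorted(p for p in present if p not in expected),
        "modified": sorted(p for p in expected if p in present
                           and sha256_file(present[p]) != expected[p]["sha256"]),
    }
    result["ok"] = not (result["stale"] or result["missing"]
                        or result["unexpected"] or result["modified"])
    return result


def demo():
    """Constructed scenario: a good backup, the same set checked too late, and the
    set after ransomware overwrote the database file and dropped a ransom note."""
    with TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "patients"))
        db = os.path.join(backup, "patients", "ehr-2020-05.db")
        with open(db, "wb") as f:
            f.write(b"CONSTRUCTED-EPHI-RECORDS\n" * 100)
        with open(os.path.join(backup, "config.json"), "w") as f:
            f.write('{"site": "clinic-a"}\n')

        manifest = os.path.join(tmp, "manifest.json")   # in practice stored offline
        t0 = datetime(2020, 5, 18, 2, 0, tzinfo=timezone.utc)
        write_manifest(backup, manifest, created=t0)
        clean = verify_backup(backup, manifest, now=t0 + timedelta(hours=6))
        stale = verify_backup(backup, manifest, now=t0 + timedelta(days=3))

        # Simulate the attack on the backup set: the database is replaced by
        # ciphertext (random bytes here) and a ransom note appears.
        with open(db, "wb") as f:
            f.write(os.urandom(2048))
        with open(os.path.join(backup, "README_DECRYPT.txt"), "w") as f:
            f.write("constructed ransom note\n")
        tampered = verify_backup(backup, manifest, now=t0 + timedelta(hours=6))
    return {"clean": clean, "stale": stale, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, json.dumps(result))
```

A digest mismatch on a backup file is a strong signal that the copy was reached by the same actor, since encrypting a file changes its contents; the manifest is only trustworthy if it was stored where that actor could not rewrite it to match, which is why it belongs with the offline copy rather than on the backup server.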
Notes
1. https://www.us-cert.gov/Ransomware.
2. National Cyber Security Centre, “Ryuk ransomware targeting organisations globally,” available at https://www.ncsc.gov.uk/news/ryuk-advisory.
3. FBI, “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations,” available at https://www.ic3.gov/media/2019/191002.aspx.
4. https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-fall-2019/index.html.
5. https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
6. See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.308(a)(1)(ii)(B).
7. See 45 C.F.R. § 164.308(a)(1)(ii)(D).
8. See 45 C.F.R. § 164.308(a)(5).
9. See 45 C.F.R. § 164.308(a)(6).
10. See 45 C.F.R. § 164.308(a)(7).
Reproduced with permission of copyright owner. Further reproduction prohibited without permission.