Ransomware has received unprecedented popularity, and healthcare organizations are ripe targets . Criminals know it. In just a few short years, Ransomware has dominated the market, prompting a response from the federal government last week.
Ransomware attacks have risen from 1,000 attacks a day in 2015, the same time this year attacks rose to a staggering 4,000 attacks a day. Many of these attacks have small price tags, but targeting larger institutions has been a common occurrence of late. Take for example the highly published incident where the Hollywood Presbyterian Medical Center forked over $17,000 to regain access to its systems.
The U.S. Health and Human Services Department’s Office for Civil Rights, which enforces compliance with Health Insurance Portability and Accountability Act, better known as “HIPAA,” released new guidance for healthcare organizations on ransomware. The guidelines include:
- Conduct a risk analysis to identify threats and vulnerabilities to electronic protected health information, and establish a plan to mitigate or mediate those identified risks;
- Implement procedures to safeguard against malicious software;
- Train authorized users on detecting malicious software and report such detection;
- Limit access to ePHI to only those persons or software programs requiring access; and
- Maintain an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups and testing of restorations.
Response plan
Clarification of what an organization must do following a ransomware attack is spelled out throughout the guidance. Generally larger companies already have plans in place in the event of these contingencies, making these guidelines a resource for smaller businesses.
Many small businesses are unaware of the steps they are required to take following a ransomware attack. Chances are that if you have been infected by ransomware, you MUST report the breach unless there are a few mitigating circumstances. If ransomware gains access to PHI (protected health information) or personal information of consumers its almost a certainty that you will have to report it.
Guidelines like this are great, they can inform business owners on proper precautions and steps to take in avoiding and handling a breach.
But ultimately there is no cure for bad clicks, every user of a business’s network must be vigilant against phisher emails or other potential breaches.