By:
David Barmak, Esq.
The growing number of ransomware campaigns targeting healthcare organizations has motivated the Office of the National Coordinator (ONC) to publish preparedness recommendations. Consequently, healthcare organizations are endeavoring to examine and address their entity’s cyber risk and ensuring that they are in compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Performing a security risk analysis is the first step an organization needs to undertake in the development of a cybersecurity preparedness program. The Office of the National Coordinator for Health Information Technology (ONC), in connection with the HHS Office for Civil Rights and the HHH Office of the General Counsel, has developed a downloadable Security Risk Assessment Tool to assist with the security risk analysis process. This tool will run on several different environments including Windows’ OS for desktop and laptops and Apple’s IOS for iPad. More information can be found at HealthIT.gov.
The results obtained from an organization’s security risk analysis must be included in processes that are implemented to reduce the weaknesses and threats that might compromise the confidentiality of ePHI’s within an organization’s computer system.
The impact of cyber-attacks can lead to an organization’s involvement in litigation and class action suits, and can include significant financial penalties. An example of those financial implications are two very large penalties-$5.55 million in 2016 and $5.5 in 2017 issued by the Office for Civil Rights (OCR).
Here are seven best practice processes that a healthcare organization might find useful in complying with the HIPAA Security Rule and developing associated cybersecurity programs:
Evaluate the existing security risk analysis (Security Risk Assessment Tool).
For Example, look closely at ways for improving security risk documentation.
Analyze risk management plans to make sure that the plans include measures to reduce risks and liabilities.
Compare HIPAA and cyber-related protocol with best practice models.
Create security incident response plans based on HIPAA and other applicable laws that provide the guidelines to respond to a data breach like-Contain, Respond and Restore.
Contain: Employ consulting firm that specializes in ransomware attacks Interview suspected personnel. Issue a warning of the threat.
Respond: Identify/Isolate involved systems. Disconnect shared network drives
Respond: Suspend scheduled backups of infected systems.
Restore: Confirm that anti-virus and security software is updated Restore systems from data backup, but make sure ransomware did not have a time- delayed trigger.
Evaluate sellers’ programs to make sure they have secure controls in place.
Hold mock exercises to demonstrate how well the organization performs.
Review and communicate with personnel the contents of cyber insurance policies.
Developing a pro-active rather than a re-active strategy and staying on top of product patching can be a serious deterrent to ransomware campaigns. An example of the effectiveness of maintaining up-to-date products became evident in the Microsoft Windows patches that were provided last year in March. The organizations that applied the updated patches were not vulnerable to the “WannaCry” ransomware that affected many organizations.
Although there are a number of ways that an organization can mitigate the risk involved in a ransomware attack, there are no 100 % impenetrable security systems. Just like firemen rush to douse a blazing fire, organizations should promptly implement their security response plan.
