July 5th saw a major attack on Managed Service Providers (MSPs), including Kaseya services. MSPs like Kesaya often offer their cloud-based services to several clients in multiple sectors, and Kesaya is no exception. In fact, Kesaya offers specific managed IT resources for healthcare clients, although no information has been released about any affected organizations.
The combination of increased reliance on MSPs and the sensitive nature of healthcare providers make ransomware attacks a real threat, one that your dedicated IT team must consider as part of your cybersecurity and compliance strategy.
What is Ransomware?
In simplest terms, ransomware is malicious software injected into a computer or network of devices. Much like any piece of malware, ransomware operates by manipulating files in the system to hide operations while controlling that system.
What makes ransomware unique is that its primary mode of attack is to seize control of data in the system, either by targeting specific directories or attacking the entire filesystem. It then encrypts all the affected data within that file system with high-level encryption.
Following that, the hacker can use the ransomware and the stolen data as a lever to demand a ransom: money in exchange for the decryption key. Some hackers will go the extra mile and create copies of all files and data from the compromised system and threaten to release that data to the public.
Ransomware and HIPAA
Obviously, this situation poses a problem for organizations managing Personal Health Information (PHI).
HIPAA dictates that any organization that touches PHI, including vendors and payment processors, must adhere to regulations. These include:
- Suitably encrypting and protecting the integrity and confidentiality of all PHI.
- Maintaining systems that can protect PHI against theft or destruction, including harm caused to patients due to the loss of personal information.
- Notifying patients and, in many cases, government officials in the Department of Health and Human Services (HHS) and the local media about the breach.
With those requirements in mind, a ransomware breach triggers several requirements for the healthcare organization under HIPAA regulations.
- Under the Security Rule, Covered Entities and Business Associates must implement policies and procedures to protect against ransomware and to remediate their systems in the event of a breach that results in ransomware infections.
- This rule also calls for organizations to have ways to recover from ransomware attacks, including restorations from secure backups.
- Additional recovery plans required under the Security Rule are disaster recovery, analyzing the criticality of any system beforehand to determine protections against ransomware and creating and testing contingency plans in the event of a breach.
With these steps in mind, HIPAA dictates that a company should be able to perform the following steps in the face of a ransomware attack as part of their security incident response:
- Analyze the ransomware
- Contain the propagation of the ransomware
- Eliminate ransomware that remains in your system
- Remediate vulnerabilities exposed by the ransomware
- Restore lost or compromised data and return to “business as usual” operations
- Conduct deeper cause analysis of the incident and mobilize any further remediation
The Importance of Disaster Recovery and Backups for HIPAA Compliance
It’s important to stress the necessity of emergency recovery and backups for combating ransomware.
The key attack vector of ransomware is how it blocks access to patient data. When the attacker encrypts that data, they effectively hold the key to it–if you don’t have the decryption key, then you aren’t going to get that data again (as most attacks use high-complexity encryption). More importantly, you’ll find that if your attacker deletes that key, then any encrypted data is effectively lost.
With proper backups, you avoid this issue entirely. That doesn’t mean that you’re off the hook for the attack. HIPAA states that organizations impacted by a breach must address attacks and notify the public. More concretely, the Breach Notification Rule outlines the measures you’ll take in a breach, including notifying affected patients, publicly addressing the breach in public media (including TV and Internet) and reporting the loss to the Department of Health and Human Services.
With a ransomware attack, however, you face the additional problem of data loss, a problem that disaster recovery tied to data backups can mitigate.
A business continuity plan for preparing for ransomware attacks should include:
- Maintain up-to-date cloud backups in secure environments, ideally in high-performance infrastructure so that you can recover quickly.
- Conduct regular tests of your backup system to determine integrity and security.
- Consider redundant backups containing cloud and offline backups for maximum coverage.
- Determine the policies and procedures needed to recover data from backups and implement required training to execute those procedures.
- Create a continuity plan that contains procedures for responding to the attack, including steps to get back to operating status as quickly as possible.
- Work with a security partner to help with compliance of both main IT systems and backup systems, including continuous monitoring of those systems and any remediation needed.
Maintain HIPAA Compliance and High-Level Cybersecurity with Lazarus Alliance
HIPAA is complex, and cyber-attacks are constantly evolving to exploit vulnerabilities in healthcare systems. Ransomware is only one of the latest of these attacks.
With that in mind, it’s important to understand the importance of rigorous compliance audits. Not only will these audits help you prepare your systems for attacks through best security practices, but they will also help you avoid penalties for non-compliance. HIPAA ranks penalties by tiers related to the severity of the root cause of a breach. If you are making appropriate efforts to mitigate security problems, the impact of a breach will be much less than if you are not taking your compliance seriously.
If you are a company worried about ransomware in the healthcare space, call 1-888-896-7580 to discuss your organization’s compliance needs.