This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its “Cybersecurity Best Practices” report. For previous articles in the series, click here.
The report on cybersecurity best practices (Report) is not the first time HHS has discussed the prevalent issue of ransomware attacks on healthcare entities. In 2016, HHS issued its Ransomware Factsheet, which cited a 2016 U.S. government interagency report stating that in the first six months of 2016, there were an average of 4,000 ransomware attacks every day, a 300 percent increase from 2015, when the daily average was 1,000 attacks. While this figure was startling, perhaps the most impactful portion of the Factsheet was HHS’ position that “[w]hen [ePHI] is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired[,] and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” In other words, now that this guidance has been issued, covered entities are required to presume a ransomware incident is a breach unless the evidence demonstrates a low probability of compromise based on the HIPAA breach risk assessment factors, including specifically that the PHI was not actually viewed or acquired. The guidance expanded the four-factor risk assessment under HIPAA when ransomware is involved to include consideration of the availability and integrity of the data.
Considering the implications of HHS’ position on ransomware under the Ransomware Factsheet, the new report on best practices is a welcome road map on how covered entities of all sizes can better protect themselves against ransomware.
Starting with the basics: The Report defines ransomware as a type of malware that “attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.” Organizations will often discover that their systems have been impacted by ransomware in one of two ways: 1) Employees arrive to work one morning and report that they are unable to log in to their computers, which an IT investigation reveals is due to the encryption of files and data on workstations and/or servers, or 2) an employee reports receiving an email or pop-up on his or her screen that looks something like this:
Once they discover ransomware, many IT departments spring into action to determine whether sufficient backups exist to restore the encrypted files and avoid paying the ransom. Forensics should be brought in early in this process, before any systems are restored, to perform an analysis of how the ransomware was placed on the system. For healthcare entities, it is imperative to evaluate the ransomware and the method of execution to determine whether there is a low probability of compromise. If the server(s) or workstation(s) on which the ransomware was found is wiped before a forensic image is made, there may be insufficient evidence to make that determination, and notification of all individuals whose information was on the server will be required.
But what can entities do to avoid ransomware in the first place? In addition to the “quick tips,” the Report provides useful suggestions to combat ransomware attempts, depending on entity size, as discussed below. But regardless of size, the Report notes, most ransomware attacks are sent in phishing campaign emails asking the recipient to either open an attachment or click on an embedded link. We previously provided a breakdown of the Report’s recommendations about phishing emails here. In addition to those we previously discussed, the Report also provides these practical suggestions:
For Small, Medium and Large Entities
- Implement proven and tested response procedures when employees click on phishing emails. This can be accomplished by conducting phishing simulations, as described in the technical volume for small entities. These tests will provide entities with an understanding of how likely their workforce is to click on potentially malicious links (i.e., how many people actually click the link), and they can help organizations identify attacks that bypass established email security protections.
- Establish cyberthreat information sharing with other healthcare organizations. Sharing information about how an organization has been attacked with a group of its peers may seem risky. However, the Report points out that pursuant to Executive Order 13691, “when a member organization provides an information sharing and analysis organization (ISAO) with information about cyber-related breaches, interference, compromise, or incapacitation, the ISAO must: protect the individuals’ privacy and civil liberties, preserve business confidentiality, and safeguard the information being shared.” In other words, the ISAO shares information about the attack, not about the entity that reported the information. Receiving cyberintelligence through ISAO sharing can help entities increase safety precautions around emerging threats they otherwise would not be aware of.
For Medium and Large Entities
- Implement incident response plans to manage successful phishing attacks. For medium and large entities, the dedicated technical volume suggests using a Security Operation Center (SOC) to help manage phishing incident response. A SOC leverages cybersecurity frameworks, people, tools and processes to provide dedicated cybersecurity operations. Members of the SOC dedicate 100 percent of their time to cybersecurity prevention, detection and response capabilities, providing the execution arm of cybersecurity IR. The SOC is not a simple IT helpdesk. It is charged with applying consistent methods to execute response practices. The technical volume guidance suggests that SOCs and incident response teams should establish playbooks that describe existing detection mechanisms and the procedures to be followed if the mechanisms are triggered. Table 10 of the medium/large entity technical volume provides examples of plays that might be found in a playbook, including high-level details such as what the play seeks to accomplish and the types of source data that must be collected to successfully detect it.
For Large Entities
- Implement advanced technologies for detecting and testing email for malicious content or links. The medium/large entity technical volume provides some of the advanced, next-generation tooling that larger entities may consider.
- URL click protection via analytics. As previously discussed, phishing attacks attempt to obtain a user’s credentials. While the focus is often email credentials, some organizations allow remote access to their systems with the same set of credentials. Stopping the workforce’s ability to provide their credentials to hackers is an important preventive measure. Hackers often include links to websites they set up to appear like legitimate websites. At the time the emails go through an organization’s spam filter, there is nothing malicious about the website. However, as soon as the phishing emails are delivered, the hacker redirects the benign webpage to a malicious one. Filtering is bypassed, and now whether the phishing email will be successful depends on the workforce member. An organization using URL click protection via analytics points links to secure portals that apply analytics to determine the maliciousness of the request at the time of the click, rather than (or in addition to) at the time of delivery.
- Attachment sandboxing. Hackers also load ransomware into malicious attachments that, for various reasons, are able to circumvent an organization’s attachment scanning process. Organizations may consider utilizing attachment sandboxing, which requires attachments to be opened only in virtual environments once delivered. Sandboxing determines whether a file is malicious based on these behaviors, such as system calls, registry entry creation, file downloading and others, without it touching a device connected to the network. This thwarts the spread of the ransomware.
- Automatic response. Many organizations struggle with what to do after they’ve identified a phishing email in one user’s inbox, knowing that it exists in potentially hundreds of other email accounts across the workforce. To search mailbox by mailbox for the subject line and delivery date of the phishing email takes significant personnel hours. When using an automated response technology, the entity provides the signature (a sort of unique fingerprint) of the malicious email to the technology, which then goes hunting for the email through all user mailboxes, deleting it as it is found in order to prevent others from clicking on the link later. This is important because while the entity may update its firewall to prevent users from clicking on the link, users may access their email from a laptop off-campus and thus outside the protection of the firewall.
Additionally, entities of all sizes should engage with their internal or third-party IT providers to discuss how the entity’s network can be accessed remotely. We often see ransomware loaded onto a system after a hacker obtains remote access credentials, either through a phishing email or by brute force (where the hacker uses an automated tool to test common passwords against usernames). Requiring multifactor authentication to remotely access the network, restricting network access to only individuals with a demonstrated business need and/or prohibiting remote access from outside of the entity’s region can significantly decrease the likelihood of remote access by hackers with valid credentials.