Don’t get held for ransom!
The news is currently saturated with talk of the WannaCry/WannaCrypt ransomware virus that infected systems across the globe. So, what is ransomware?
Ransomware is a type of malicious software that blocks access to the data on your computer until a fee is paid to the attacker (hence the “ransom”). The most advanced versions of the software can lock up your entire computer until a bitcoin ransom is paid. With little warning, and almost no way around the attack, victims sometimes pay large sums of money to regain access to their data.
For healthcare and associated organizations, it is especially dangerous because a successful ransomware infection of a system that has access to, or stores electronic protected health information (ePHI) is also a major breach of HIPAA compliance. The following excerpt from the Health and Human Services website (emphasis mine) can shed some light:
Q: Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?
A: Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.6
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.
Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.
After a 22-year-old wunderkind managed to thwart last week’s global attack by registering an embedded domain, he warned that the software only needed to be modified before it would be ready to be relaunched. Ransomware attacks are likely only going to increase, therefore proactive steps to protect your network are essential. Make sure you know what security your IT system requires to keep you from being held hostage! We can assess your network and strengthen its defenses against these types of attacks. Even if you escaped unscathed this time, don’t risk getting caught up in the next ransom!