There have been 4,000 ransomware attacks per day since the beginning of this year, according to the 2016 federal interagency report. The Health and Human Services (HHS) Office for Civil Rights (OCR) believes that the secret to preventing and detecting these attacks at hospitals is to follow HIPAA guidelines.
Ransomware attacks that affect protected health information such as EHRs are HIPAA violations. Depending on the severity, it can result in fines of up to $1.5 million per year, according to the American Medical Association.
The HIPAA Security Rule requires organizations to implement security measures that help prevent ransomware attacks. HHS OCR’s Ransomware and HIPAA report states that hospitals should have a security management process in place to conduct a risk analysis and then remediate the risks.
The report also recommends that hospitals follow procedures that guard against and detect malicious software, train users on malicious software protection, and enforce access controls so only certain people or software programs can gain access.
The HIPAA Security Rule also requires covered entities and business associations to have policies and procedures that help an organization when responding to and recovering from a ransomware attack.
Since ransomware denies the user access to data, the organization should regularly back up its data and test to make sure it can be recovered. Some ransomware variants can remove or disrupt online backups, so the organizations should maintain the backups offline and make them unavailable from its networks.
The cybersecurity firm, HITRUST, conducted a survey among 30 mid-sized hospitals and found that half had contended with a ransomware attack. The trend is likely to continue because of the profitability for cyber criminals, according to an article in The Journal of American Health Information Management Association.
Published reports revealed that the current value of a patient record on the black market is $20 to $60. The data, which includes bank information, social security numbers and health insurance credentials, can be used for extortion, identity theft and medical insurance theft.
According to a statement from the Association for the Advancement of Medical Instrumentation (AAMI), Axel Wirth, a technical architect at Symantec, doesn’t recommend paying the ransom to get access to the locked files. He said that it encourages the practice, doesn’t guarantee the release of the files and could lead to further attempts at extortion.
The attacks can start when someone in the organization opens an infected email attachment or clicks on a web link that gives the attacker access to the network, but insecure medical devices can also be to blame. Organizations are now depending on manufacturers to better the security of their products.
AAMI’s recently released a standard that provides the medical device manufacturers with a framework to address cybersecurity threats when developing their products.
