The threat of ransomware attacks is on the rise in 2016. Ransomware itself has been around for decades and is constantly evolving. This presents a serious security challenge for both small and large businesses.

The good news is that larger companies are improving their security as they become more aware of the risk. But in an ironic twist, their improved security can be bad news for small or mid-sized businesses. With cyber criminals having less success with large targets, they are switching to companies with smaller security budgets and less experience protecting themselves from attacks.

Ransomware History Highlights

• 1989 – AIDS Trojan (a.k.a. PC Cyborg). This “generation one” ransomware was fairly easy to overcome as it simple cryptography and tools were quickly developed to decrypt affected files.
• 2006
  • Archiveus Trojan. This was the first ransomware to use RSA encryption. It encrypted all items in the MyDocuments directory. Victims were required to buy items from an online pharmacy in order to receive a password to regain access to their files.
  • GPcode Trojan. This spread via an email attachment which appeared to be a job application. It also used a more sophisticated encryption method.
• 2007 – WinLock. This did not use encryption. Instead, it locked out users while displaying pornographic images. It required users to send a $10 premium-rate SMS in order to receive a code to unlock their computers.
• 2008 – GPcode.AK virus. This was a variant of the GPcode trojan and used even more sophisticated encryption.

Explosive Growth of Ransomware

From 2012 until the present, there has been an explosion in the growth of ransomware. This was due in part to the use of anonymous payment services, which made collecting payments from victims much simpler for ransomware creators. Symantec’s Internet Security Threat Report from April 2016 show the alarmingly rapid increase in ransomware discoveries:

• 2012 – Reveton.
• 2013 – Urausy, Kovter, Nymaim, Cryptowall, Browlock.
• 2014 – Linkup, Slocker, CTB-Locker/Citron, Synolocker, Onion, TorrentLocker, Zerolocker, Coinvault, Virlock.
• 2015 – Cryptolocker2015, Symplocker, TeslaCrypt, BandarChor, Cryptvault, Tox, Troldesh, Pacman, Pclock, Threat Finder, Hidden Tear, ORX-Locker, Dumb, Encryptor RaaS, CryptoApp, LockDroid, LowLevel404, CryptInfinite, Unix.Ransomcrypt, Radamant, VaultCrypt, XRTN, Mabouia OSX POC, Power Worm, DMA-Locker, Gomasom, Chimera-Locker.
• 2016 (first quarter alone) – CryptoJocker, Nanolocker, LeChiffre, Magic, Ginx, 73v3n, Locky, Umbrecrypt, Hydracrypt, Vipasana, Hi Buddy, Job Cryptor, PayCrypt, and KeRanger.

How Can Smaller Companies Protect Themselves?

Since ransomware often blocks your access to your files, one of the best ways to protect your company is to make sure all of your data is properly and regularly backed up. At least one version of your backed up data will need to be stored in a system that is isolated from the rest of your systems. You don’t want your backups to be affected by the ransomware too!

You also need to make certain that your security patches and updates are deployed as soon as possible as these updates often involve security improvements to protect your company from known threats.

For companies without the same level of security resources available to them as larger companies, it’s also worthwhile to consider making use of companies such as Aperio–IT. We offer virtual CIO (Chief Information Officer) services, where we help you plan your IT strategy and budget.

Not every HIPAA security requirement is related to technology. Just two of the requirements to keep in mind when you work to make your company HIPAA compliant include Business Associate Agreements and Risk Assessment.

HIPAA Requirement for Business Associate Agreement

In addition to your IT department’s need to keep Protected Health Information (PHI) in electronic form secure, you need to consider issues not related to technology. For example, if a company you work with is considered a business associate under HIPAA, this means you must have a business associate agreement (BAA) in place with them before transmitting PHI to them. This BAA is a contract to uphold PHI security according to HIPAA guidelines. Failure to have the (BAA) in place at the proper time can result in fines and other penalties.

In a recent case, a surgical practice ended up having to settle with the Office of Civil Rights of the U.S. Department of Health and Human Services (OCR) for $750,000 after it improperly disclosed several thousand patients’ PHI to a service provider without first entering into a BAA with the service provider. This service provider had agreed to digitize x-rays containing PHI, in exchange for extracting and keeping the silver from the x-ray film. While this provider’s service might not appear at first glance to be related to health care, the fact that the x-rays contained PHI and the provider “created, received, maintained, or transmitted” the PHI without a BAA in place made all the difference in this case.

HIPAA Requirement for Risk Assessment

HIPAA requires all covered entities, their business associates, and subcontractors of business associates to conduct a risk assessment. As stated in HIPAA these entities must, “…implement policies and procedures to prevent, detect, contain, and correct security violations.” Further, a risk assessment is defined as a, “…thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”

In another case, a Minnesota–based health care company paid a $1.5 million settlement after one of its business associates was investigated. A laptop containing PHI for the health care company’s patients had been stolen from the car of one of the business associate’s employees. The health care company was penalized both because there was no BAA in place between it and its business associate, and because it had not conducted an adequate analysis to the security threats to the PHI.

HIPAA Audits, Phase 2 – Business Associates May Also Be Audited

As we mentioned in our recent post, “Is Your Business Affected by HIPAA Regulations,” the OCR launched Phase 2 of its HIPAA Audit Program on March 21, 2016. In this phase, any covered entity or business associate may be audited. Per the OCR, these audits can involve onsite assessments or desk audits.

Need to Learn More about HIPAA Compliance?

If you’d like to learn more about how HIPAA compliance may affect your business, Aperio-IT will be holding a free Lunch and Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. You can find out details and register here to attend.

You can also take a look at our previous HIPAA-related posts:

• “What Does HIPAA Mean?”
• “What Does Your IT Team Need to Know about HIPAA Compliance?”
• “HIPAA Trends That Could Affect Your Business”
• “Is Your Business Affected by HIPAA Regulations?”

In the first part of this series, we discussed the recent increase in ransomware attacks on hospitals, what ransomware is, and what features of hospitals and healthcare organizations make them especially tempting targets. In this final part, we’ll look at what organizations can do to protect themselves and their patients or clients from these attacks.

How to prevent attacks – or at least minimize damage

A recent study by SailPoint on security practices within organizations takes the stand that organizations should assume that data breaches are now a matter of “when” rather than “if.” That is, a wise organization should focus not only on preventing data breaches, but also on recovering successfully from them when they inevitably occur.

Since many ransomware attackers gain access from successful phishing attempts, organizations still need to focus on educating their employees to identify phishing. This means continuing to teach users how to identify suspicious emails and share them with their IT teams so those IT teams can keep track of possible attacks.

Phishing is a specific type of social engineering attack in which confidential information is acquired by fraudulent methods. These attacks often attempt to acquire user names, passwords, or other information useful to hackers. In the case of ransomware attacks, hackers are generally attempting to get information that will allow them access to an organization’s systems.

Potential phishing attempts can be identified by educated users. For instance, they often make use of link shorteners or embedded links in an effort to create links that appear legitimate. Then after these links are clicked, they take victims to websites specifically created for fraudulent purposes.

Phishing attempts also frequently use threats to create a sense of urgency and fear so victims will hurry and not think carefully about the potential effects of their actions. Emails that threaten to cancel accounts immediately, etc., should be considered highly suspicious.

Some of the other measures suggested by the Department of Homeland Security include:

• Employing a data backup and recovery plan for all critical information.
• Using application whitelisting to help prevent malicious software and unapproved programs from running.
• Keeping operating systems and software up-to-date with the most recent patches.
• Maintaining up-to-date anti-virus software.
• Restricting user permissions to install and run software applications.
• Instructing users not to follow unsolicited web links in emails.
• Avoiding enabling macros from email attachments.

In the case of MedStar’s ransomware attack, data backups were a key part of their solution. The organization reported that they were able shut down their systems, isolating the damage, and later restore their data from backups without having to resort to paying a ransom.

Future security requirements and guidelines

It is possible that HIPAA requirements will be changed in the future in response to ransomware attacks. According to Bloomberg BNA, Rep. Ted Lieu (D-Calif.) is considering legislation “that would require hospitals and other health-care organizations to notify their patients when they’ve been the victim of a ransomware attack.” This would involve updating HIPAA’s current requirements regarding breach notification.

The FBI also offered guidance regarding the risks of ransomware in its podcast from May 25, 2016, “Ransomware on the Rise.”

Additional Links:

United States Computer Emergency Readiness Team, Alert TA16-091A: Ransomware and Recent Variants

Bloomberg BNA, Ted Lieu mulls ransomware attack requirements

A common question regarding HIPAA is whether a covered entity can be fined for violations of the HIPAA rules even if there is no breach of Protected Health Information. Worryingly, the answer is yes. So a clear understanding of the HIPAA rules is necessary to protect your company.

While HIPAA (the Health Insurance Privacy and Accountability Act) has many rules, when people speak of the “HIPAA Rules” they are usually referring to three primary sets of regulations. These “rules” lay out how covered entities are to handle PHI (Protected Health Information). The three main HIPAA Rules are:

• The Privacy Rule
• The Security Rule
• The Breach Notification Rule

The Privacy Rule

The Privacy Rule applies to PHI in any form, including oral, written, and electronic. Under the Privacy Rule, covered entities are responsible for making certain their employees (and business associates) use and/or disclose PHI only for authorized purposes. This means employers must keep their workforce trained to recognize what data is considered PHI and how to handle it appropriately.

Under this rule, covered entities are also responsible for making certain that only as much PHI as is necessary for a given purpose is disclosed. That is, the rule means it is not appropriate to just share entire medical records; only the portion of a record that is necessary for a given task is appropriate to share.

Other areas covered by the Privacy Rule include requirements for Business Associate Agreements (BAAs) with covered entities’ customers, vendors, and partners; standards to de-identification of Protected Health Information (that is, what kinds of information need to be removed from PHI in order to make it appropriate to share); specifications of patients’ rights to their own PHI; and requirements for covered entities to designate a privacy officer, publishing of privacy practices, and more.

The Security Rule

Unlike the Privacy Rule, the Security Rule applies only to electronic PHI. It delineates requirements for administrative, physical, and technical safeguards of electronic PHI and requires publication of documentation that describes the policies and procedures covered entities employ regarding those safeguards.

The Security Rule also specifies how long a covered entity must retain documentation of their Security Rule compliance.

The Breach Notification Rule

The Breach Notification Rule defines a reportable HIPAA breach, states what covered entities must do in case of such a breach, who they must notify, and how soon they must notify them.

This rule also states under what circumstances unauthorized access to encrypted PHI may not be considered a reportable breach.

Ready to Learn More about HIPAA Compliance?

If you’d like to learn more about how HIPAA compliance, Aperio IT will be holding a free Lunch and Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. You can find out details and register here to attend.

You can also take a look at our recent HIPAA-related posts:

• “HIPAA Trends That Could Affect Your Business”
• “Is Your Business Affected by HIPAA Regulations?”

SOX Compliance in Recent News

Although the Sarbanes-Oxley Act has been around since 2002, compliance remains a challenge. In a recent example, a Forbes article from this month explores reasons for Plantronics’ under-performance in the stock market and brings up concerns that Plantronics may be facing a Sarbanes-Oxley violation. The article mentions that the senior vice president of sales at Plantronics, “…was instructing employees who worked under him to delete e-mails that were clearly relevant and responsive to pending discovery having to do with the distributors that are at issue in this case.”

In our last several posts we’ve focused on HIPAA compliance. But of course HIPAA is only one of several areas companies need to keep in mind when it comes to compliance issues. Here’s a quick refresher on the Sarbanes-Oxley Act.

Intent of the Sarbanes-Oxley Act

The intent of the Sarbanes-Oxley Act (also known as Sarbox or SOX) was to protect investors by improving the reliability and accuracy of corporate disclosures. It was enacted in 2002 and while it applies primarily to public companies, the act also contains provisions for private companies. The provisions have to do with the willful destruction of evidence to impede a Federal investigation.

A major feature of the SOX Act is that it is designed to specify financial reporting responsibilities. This means that it should no longer be possible for CEOs and CFOs to claim that ignorance of financial issues means that they should not be held accountable for the accuracy of financial statements.

As a result of the SOX Act, leaders of an organization are held legally responsible for SOX compliance, facing possible monetary fines and imprisonment (up to twenty years) for failure to comply. Thus, even if a company’s IT department prepares SOX audit statements, those statements will need to be certified by the CEO.

What are some of the ways SOX Compliance has affected companies since SOX was enacted?

• Stronger audit committees and public companies, due to the act’s requirement that the audit committee members must be independent of top management.
• Increased costs, especially due to Section 404 of the act. This section requires extensive internal control tests and reporting. As a result of these costs, many companies have seen a need to focus on making their financial reporting more efficient.
• Strengthened public disclosure requirements.
• Stricter penalties for obstructing justice and for securities fraud.

What are the main IT concerns regarding SOX Compliance?

Most aspects of IT are affected by SOX compliance. SOX regulations mean that audit trails must be retained and auditable for five years. Any IT operation that involves financial data or activity may be affected. All forms of communication regarding finance and accounting must be tracked and archived in case of compliance audits.

What kinds of information does IT need to store with regard to SOX compliance, and how?

Generally speaking, all emails, spreadsheets, and documents used to arrive at final financial conclusions. For a more complete breakdown, see our post “What Does Your IT Team Need to Know about SOX Compliance.”

Learn more about the SOX Act:

• Basics of the SOX Act – SOX–Online
• Information on the Sarbanes–Oxley Act at the Securities and Exchange Commission’s (SEC’s) website.

Our previous posts regarding SOX Compliance:

• Making Sure Your Company Is SOX Compliant
• What Does Your IT Team Need to Know about SOX Compliance