Mitigating the Risk of Ransomware Attacks
Jun 14th, 2016 by aperio

In the first part of this series, we discussed the recent increase in ransomware attacks on hospitals, what ransomware is, and what features of hospitals and healthcare organizations make them especially tempting targets. In this final part, we’ll look at what organizations can do to protect themselves and their patients or clients from these attacks.


How to prevent attacks – or at least minimize damage


A recent study by SailPoint on security practices within organizations takes the stand that organizations should assume that data breaches are now a matter of “when” rather than “if.” That is, a wise organization should focus not only on preventing data breaches, but also on recovering successfully from them when they inevitably occur.


Since many ransomware attackers gain access through successful phishing attempts, organizations still need to focus on educating their employees to identify phishing. This means continuing to teach users how to recognize suspicious emails and report them to their IT teams, so that those teams can keep track of possible attacks.


Phishing is a specific type of social engineering attack in which confidential information is acquired by fraudulent methods. These attacks often attempt to acquire user names, passwords, or other information useful to hackers. In the case of ransomware attacks, hackers are generally attempting to get information that will allow them access to an organization’s systems.


Educated users can spot many potential phishing attempts. For instance, phishing emails often use link shorteners or embedded links to create links that appear legitimate; once clicked, these links take victims to websites created specifically for fraudulent purposes.
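As an added example (not part of the original post), the following Python script applies the two link tricks described above to an HTML email body: it flags shortened URLs and embedded links whose visible text names a different site than the link's real destination. The shortener list and the sample message are constructed for illustration.

```python
# Added example (not from the original post): flags shortened URLs and embedded links
# whose visible text names a different site than the real destination (constructed data).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}  # illustrative list
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def _host(url: str) -> str:
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return (href, reason) pairs; an empty list means no link was flagged."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        dest = _host(href)
        if dest in SHORTENER_HOSTS:
            findings.append((href, "shortened link hides the real destination"))
        if URLISH.match(text) and _host(text) != dest:  # displayed site != real site
            findings.append((href, f"text shows {_host(text)} but link goes to {dest}"))
    return findings


# Constructed sample message, not a real email.
SAMPLE_EMAIL = """<a href="http://bit.ly/3xAmpLe">Verify your account</a>
<a href="http://login.hospital-portal.example.invalid/">www.hospital-portal.example</a>
<a href="https://www.hospital-portal.example/help">Help center</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two links and leaves the plain help link alone.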


Phishing attempts also frequently use threats to create a sense of urgency and fear so victims will hurry and not think carefully about the potential effects of their actions. Emails that threaten to cancel accounts immediately, etc., should be considered highly suspicious.


Some of the other measures suggested by the Department of Homeland Security include:


  • Employing a data backup and recovery plan for all critical information.
  • Using application whitelisting to help prevent malicious software and unapproved programs from running.
  • Keeping operating systems and software up-to-date with the most recent patches.
  • Maintaining up-to-date anti-virus software.
  • Restricting user permissions to install and run software applications.
  • Instructing users not to follow unsolicited web links in emails.
  • Avoiding enabling macros from email attachments.


In the case of MedStar’s ransomware attack, data backups were a key part of the solution. The organization reported that it was able to shut down its systems, isolating the damage, and later restore its data from backups without having to resort to paying a ransom.


Future security requirements and guidelines


It is possible that HIPAA requirements will be changed in the future in response to ransomware attacks. According to Bloomberg BNA, Rep. Ted Lieu (D-Calif.) is considering legislation “that would require hospitals and other health-care organizations to notify their patients when they’ve been the victim of a ransomware attack.” This would involve updating HIPAA’s current requirements regarding breach notification.


The FBI also offered guidance regarding the risks of ransomware in its podcast from May 25, 2016, “Ransomware on the Rise.”


Additional Links:

United States Computer Emergency Readiness Team, Alert TA16-091A: Ransomware and Recent Variants

Bloomberg BNA, Ted Lieu mulls ransomware attack requirements


Is your business affected by HIPAA regulations?
May 20th, 2016 by aperio

Not sure if you should be concerned about HIPAA regulations? It’s time to start thinking about it if you haven’t already: on March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) launched Phase 2 of its HIPAA Audit Program. This phase of the audit program, “…will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”


How does this affect your business? Well, if you’re a covered entity or a covered entity’s business associate you could, of course, be selected for auditing. But even if you don’t draw the short straw when it comes to being audited, you can still face liability costs if you’re found to be out of compliance. According to an April Bloomberg BNA article, New York-Presbyterian Hospital reached a $2.2 million settlement with the OCR after the agency alleged that the facility had violated HIPAA when they allowed filming of patients without those patients’ consent.


While hospitals are a fairly obvious example of covered entities, you should be aware that hospice care providers, palliative care providers, and respite care providers are also considered covered entities under HIPAA. This means that if one of your company’s clients provides any of these kinds of care, you may be considered a business associate under HIPAA.

  • Hospice care – involves terminally ill patients. This type of care is designed to support people in the final phases of a terminal illness and focuses on quality of life and comfort instead of attempting to cure the illness.
  • Palliative care – involves chronically ill patients, although not necessarily terminally ill ones. This type of care is designed to provide relief from the symptoms and stress of a serious illness.
  • Respite care – involves planned or emergency care for a patient in order to provide temporary relief to caregivers (usually family members).


Generally speaking, a business associate is any individual or organization that creates, receives, transmits, stores, or otherwise maintains Protected Health Information (PHI) on behalf of a covered entity for a function regulated under HIPAA. Further, the obligation to comply with HIPAA applies to business associates even if they have no formal agreement with the covered entity stating that they are considered business associates.


If you’d like to learn more about how HIPAA compliance affects your business, Aperio will be holding a Lunch & Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. Please contact us to register if you’d like to attend.


Additional information on HIPAA:

  • For a basic introduction to what the Health Insurance Portability and Accountability Act is, you can check out our previous blog post “What Does HIPAA Mean?”
  • To learn more about what your IT team will face when dealing with HIPAA compliance, take a look at our blog post “What Does Your IT Team Need to Know about HIPAA Compliance?”

The Problem With Passwords
Apr 8th, 2016 by aperio

With data breaches on the rise for companies around the world, the goal of reliable cyber security remains a challenge. In just the past month, Verizon Enterprise Solutions faced an attack that reportedly compromised the basic contact information of 1.5 million customers, potentially exposing those users to additional risk from phishing attacks. Hospitals also struggled with ransomware attacks, including MedStar Health in Maryland and Washington, D.C., Methodist Hospital in Kentucky, and two California hospitals operated by Prime Healthcare, Inc. Several of these hospitals were forced to temporarily shut down their systems in order to keep malware from spreading. Disturbingly, at least one such hospital has admitted to paying a ransom to have its data unlocked.

Why Users Don’t Follow Security Requirements

Driven by the constantly increasing need to improve security, IT professionals often advise their clients to follow requirements that are seen as cumbersome. As a result, many otherwise well-intentioned users do not comply with these requirements. Even worse, some users are actually willing to sell password information for surprisingly low prices. In a study performed by SailPoint Technologies this year in which 1,000 office workers in various industries and from multiple countries were interviewed, an appalling number admitted to poor password practices such as:

  • Using a single password among several applications. (65%)
  • Sharing their passwords with co-workers. (30%)
  • Willingness to sell their passwords to outsiders for as little as $1,000. (20%)

Surprisingly, SailPoint’s study showed that even though employees expect other companies to make protecting their personal data a priority, they fail to do the same for their own clients. The study showed that 32% of the respondents had been impacted by security breaches at other companies. But in spite of this, many still continue to engage in poor security practices.

The Multi-Factor Authentication Solution

So if the worst users are actively dishonest and the best are still too likely to engage in risky security practices, what is the solution to the password problem?

One possible approach already in use by some companies is multi-factor authentication. With this approach a password is still used, but it is combined with additional factors. For example, a company might not complete your online request to change your password until you provide a code it has sent to a phone number you previously designated. In another example, a user signing on to a company laptop might also be required to have their fingerprint or voice scanned. Here, employees are effectively discouraged from using unwise security practices – you can share a password, but it’s prohibitively difficult to share fingerprints. And hackers who may have acquired a password are much more likely to be blocked by the additional requirement.
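Added example, not from the original post: a compact model of the password-plus-code flow described above. A stolen password alone passes the first check but fails the second, because the code is sent out of band (delivery is simulated by a callback), expires, is single use and allows only a limited number of guesses; the code lifetime, attempt limit and the sample user in the test are constructed values, not taken from any product.

```python
# Added example (not from the original post): password plus an out-of-band one-time
# code. Code delivery is a callback; lifetime and attempt limit are constructed values.
import hashlib, hmac, secrets, time

CODE_TTL_SECONDS = 300   # a delivered code is valid for five minutes (constructed)
MAX_CODE_ATTEMPTS = 3    # guesses allowed per issued code (constructed)


def _hash(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked store reveals neither passwords nor live codes."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)


class Authenticator:
    def __init__(self, send_code):
        self.users = {}             # user -> (salt, password hash)
        self.challenges = {}        # user -> pending second-factor challenge
        self.send_code = send_code  # out-of-band delivery, e.g. SMS to a registered number

    def enroll(self, user: str, password: str):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _hash(password, salt))

    def start_login(self, user: str, password: str, now=None) -> bool:
        """Factor 1: check the password; on success issue a one-time code."""
        now = time.time() if now is None else now
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        if not hmac.compare_digest(_hash(password, salt), stored):
            return False
        code = f"{secrets.randbelow(10**6):06d}"      # six random digits
        self.challenges[user] = {"hash": _hash(code, salt),
                                 "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        self.send_code(user, code)
        return True

    def finish_login(self, user: str, code: str, now=None) -> bool:
        """Factor 2: the delivered code. Expiring, attempt-limited, single use."""
        now = time.time() if now is None else now
        ch = self.challenges.get(user)
        if ch is None or now > ch["expires"] or ch["attempts"] >= MAX_CODE_ATTEMPTS:
            self.challenges.pop(user, None)   # stale or exhausted: start over
            return False
        ch["attempts"] += 1
        if hmac.compare_digest(_hash(code, self.users[user][0]), ch["hash"]):
            del self.challenges[user]         # one code, one login
            return True
        return False
```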

Some biometric technologies that facilitate multi-factor authentication already exist, and more are on the way. Most of us are familiar with the use of fingerprints and voice recognition. Additional technologies include keystroke recognition, which focuses on the unique typing rhythms of users; palm vein recognition, which identifies unique vein patterns in palms and/or fingers; heartbeat recognition, which relies on the unique electrocardiographic signals produced by an individual’s heart; and many more.

Not all of these technologies are sufficiently mature to provide reliable and cost-effective security at present. However, technology changes rapidly. What was expensive yesterday may well be affordable tomorrow. (For an example, see DIY Is Shaping Our Future – design student creates his own braces using 3D printing.)

Biometrics, alone or as part of multi-factor authentication, are likely to be used in the future to meet security needs. In July 2015, the Bloomberg BNA Privacy & Security Law Report published a report titled “Should the FTC Kill the Password? The Case for Better Authentication.” In this report, the authors argue that “…in certain circumstances the FTC should start requiring better methods of authentication than passwords alone.” Companies interested in preparing for the future will need to explore this approach.
