Reprinted from HEALTH PLAN WEEK, the most reliable source of
objective business, financial and regulatory news of the health insurance
industry.
By Judy Packer Tursman, Senior Reporter
May 22, 2017 Volume 27 Issue 18
The massive ransomware cyberattack that began by crippling British
hospitals and striking targets in dozens of countries, including the U.S., on
May 12 remains a threat to health care organizations, among numerous entities,
authorities from HHS and other federal agencies warn.
HHS, in its fourth and latest alert since May 13 — sent under the
heading “International Cyber Threat to Healthcare Organizations” — reiterated
May 17 that an organization victimized by a ransomware attack should report the
event to its FBI Field Office Cyber Task Force, among other federal entities,
and request assistance. HHS also referred organizations to recent guidance
issued by its Office of Civil Rights specific to the so-called WannaCry
ransomware. From a compliance standpoint, OCR says it presumes a breach in the
case of ransomware attack, explains reporting requirements, and stresses that
following the HIPAA Security Rule helps entities prepare for such attacks.
OCR cites a U.S. interagency report showing 4,000 daily ransomware
attacks since early 2016, up from 1,000 daily ransomware attacks reported in
2015. (In April 2016, the FBI noted that ransomware incidents were not only
increasing, but also becoming more sophisticated.)
The recent cyberattack stands out because its scale is notable,
broader than most ransomware incidents seen recently, and it was built from
leaked National Security Agency (NSA) tools, says Ed Zacharias, a partner in
McDermott Will & Emery LLP’s health care practice group in Boston. But he
says the WannaCry ransomware entered systems, and began locking down files and
encrypting them, in a typical way: through email “phishing” or “spear
phishing.”
Patch Management Is ‘Critical’
“How the ransomware was deployed in this circumstance wasn’t
unique,” Zacharias says. Unlike incidents in which hackers try to steal and
sell data, in ransomware cases the hackers don’t care whether they can access
data, he says. Instead, hackers lock data and a text file says to pay “ransom,”
typically not much, in Bitcoin to retrieve it. As of May 17, the aggressive
WannaCry ransomware had infected more than 200,000 computers and collected
$80,000-plus, according to @actual_ransom — a Twitter bot set up to track the
ransomware, The Merkle website reported.
In the latest incident, hackers are gaining access to servers by
exploiting a Windows vulnerability. On March 14, Microsoft released a security
update for the vulnerability; it released patches for some operating systems on
May 13, the day following the attack.
“These types of attack are not going to stop, so patch management
is critical for anybody, for any business,” Zacharias says. “This is critical
for payers: being able to take your systems down and go through the patching
process in a short period of time.”
In the case of the WannaCry ransomware attack, it began on a
Friday and action had to be taken over the weekend before Monday when employees
returning to work might click on infected emails. On Saturday, the day after
the attack, Zacharias’s firm sent out an alert to clients.
“The trend has clearly been health care organizations are targeted
by hackers now,” Zacharias says. “The perception is they’re vulnerable.”
Zacharias says he has heard of a couple of U.S. health care
entities — not payers — that may have been affected by the recent global
ransomware attack. So far the U.S. has fared pretty well, though the
cyberattack has been “a little disruptive for businesses not doing adequate
patching,” he said May 17.
(HHS’s Office of the National Coordinator for Health Information
Technology (ONC) referred AIS Health’s questions on whether any U.S. health
care entities have been compromised by the WannaCry cyberattack to HHS’s Office
of the Assistant Secretary for Preparedness and Response. That office declined
to answer questions on the matter, referring AIS Health to the Dept. of
Homeland Security (DHS), which failed to respond to queries by press time.)
No Single Tool Offers Panacea
If ransomware infects businesses, it can cause temporary or
permanent loss of proprietary information, disrupt regular operations and
require financial outlays to restore systems or files, the federal government
warns.
Indeed, a year ago the Ponemon Institute reported that nearly 90%
of health care organizations participating in its annual benchmark study of
health care data security had a data breach — and nearly half had more than five
breaches — in the two previous years. Each breach likely cost HIPAA-covered
entities more than $2.2 million on average, the institute estimated. Ransomware,
malware and denial-of-service attacks, which overwhelm system resources, were
the top threats.
Zacharias echoes what the FBI began saying a year ago as
ransomware attacks started to proliferate: No single method or tool will
completely protect an organization from such attacks. In cases that cannot be
prevented, “the best position a plan can be in is to have conducted regular
backups so they can restore any affected systems and preserve integrity on
those systems,” he says.
Since it’s difficult to detect a ransomware compromise before it’s
too late, the FBI recommends focusing on training employees, putting technical
controls in place and creating a business continuity plan in case of attack.
Zacharias offers the following suggestions to payers and other
health care entities:
· Know your patching strategy. “Payers should be talking to their chief
information security officer about what their patch management strategy is,”
and to understand when patching should occur and how it must flow with overall
information technology (IT) strategy, he says. “Patch management as an
effective safeguard is critical on the front end to hopefully avoid attack.”
· Train employees. “I think from a preventive perspective, the take-home
message, like a lot of things in data security in the health care world, is
about training, and telling employees who to report suspicious information
to,” and not simply to delete the email because there likely were multiple
recipients, he says. “So, proactively, just educate people about what to be on
the lookout for.”
· Expend sufficient resources. He points to the technical component of
preparedness, noting the health care industry, while lagging behind banking
and other industries, is starting to dedicate more money to systems security,
adding technology and staffing to monitor systems.
· Keep documentation. Payers should have documented policies and procedures
on how they back up systems and how they do patch management and virus
updates, he says. “And people should be trained on them [i.e., policies and
procedures] and they should be followed.”
· Watch downstream vendors. “If a downstream vendor is infected and you’re on
their email list, it’s a problem,” Zacharias says. “I don’t think that’s
avoidable. When you’re doing due diligence on your vendors, you want to get
some reasonable assurances they’re protecting information and have reasonable
ways to protect your information,” he says.
· Prepare for rapid recovery. The key to recovering after a cyberattack is
being able to identify the incident by updating patches and antivirus
software, and having audit log monitoring capable of searching for unusual
activity, he says. “Regularly backing up your systems, especially your
critical systems, is key,” he says. “When these [cyberattacks] happen, you
need to disconnect servers and have redundancy” that allows computers to get
back online soon with recent backups.
HHS: Beware of ‘Malicious Actors’
On May 13, the day after the WannaCry attack began, HHS also
stressed the importance of seeking legitimate help, warning about potentially
malicious conduct toward health care entities.
“We would like to flag for the community that a partner noted an
exploitative social engineering activity whereby an individual called a
hospital claiming to be from Microsoft and offering support if given access to
their servers. It is likely that malicious actors will try and take advantage
of the current situation in similar ways,” HHS said. “Additionally, we received
anecdotal notices of medical device ransomware infection.” FDA was to hold a
seminar on cybersecurity for medical devices May 18-19 in the Washington, D.C.,
area.
Find OCR guidance at http://tinyurl.com/lc8ouze.
https://aishealth.com/archive/nhpw052217-01?utm_source=Real%20Magnet&utm_medium=email&utm_campaign=116736681