By: Gary Salman, Guest Contributor
Ransomware attacks are hitting the healthcare community, and its HIPAA security obligations, at a staggering rate. If a practice has data stolen from its network and does not report the breach to the Office for Civil Rights (OCR), it can face substantial fines for the failure to report. Specific steps must be followed to determine whether ePHI (electronic protected health information) was compromised. This often involves hiring a forensics company and working with a Cybersecurity company to harden the practice’s infrastructure. Once you have been the victim of an attack, you will most likely be a victim again unless the vulnerabilities in your network that let the attacker in are found and fixed. You cannot simply restore your data and hope for the best.
Many practices are unaware whether their IT vendor, imaging company, billing company and/or software vendor are following the HIPAA requirements for compliance and Cybersecurity. As Business Associates, these vendors are directly subject to the HIPAA Security Rule, just as the covered entity (the practice) is. If your IT company has a breach or ransomware attack and it spreads from their network to yours, your records have now been compromised.
To help guard against these sophisticated attacks, you need to take the following steps:
HIPAA Security – Cybersecurity Audit
A Cybersecurity company will work closely with the practice and its IT company to understand the landscape of the practice’s IT footprint. The Cybersecurity company will want to know how data is stored, what protocols are in place to protect the data and how it is accessed. They will also ask if there are remote team members, if they contract with a billing company that “logs in” to their network, if doctors leave the office with devices that store ePHI, if ePHI is transmitted and stored using encryption technologies to protect the data, etc. Many healthcare organizations rely solely on their IT company to protect their network. It is important to understand that IT companies are not Cybersecurity companies. You need the expertise and knowledge of a specialist in Cybersecurity to help ensure the security of your network.
HIPAA Security – Cybersecurity Awareness Training
As part of the HIPAA Security Rule (45 CFR 164.308(a)(5)), covered entities (i.e., your practice) are required to run a security awareness and training program for their workforce, to mitigate the risk of human error and minimize the chances of being exposed to an attack. Recent data indicates a 50% to 75% reduction in successful cyberattacks when staff are properly trained.
The most vulnerable components of a network are the people using it. Social engineering, often referred to as “hacking the human,” is the most prominent threat impacting practices and is often the least discussed. Most ransomware attacks begin with spear phishing: an email crafted to look as if it comes from someone the recipient knows or trusts, asking them to open an attachment or click a link to update or download something. Once they take that action, a malicious executable or script runs and the ransomware infection begins. The ransomware typically encrypts the current computer and then searches the network for other machines. Once it finds the server, it encrypts most or all of the files on the server. Those files become inaccessible to everyone unless the ransom is paid to the hackers for the decryption key, typically in a cryptocurrency such as Bitcoin or Monero. Paying is no guarantee: the files are often not returned, and when they are, the attackers may have left a foothold or a time-delayed payload that hits the files again later. Any attack should be reported to law enforcement.
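As an added illustration of the indicators described above, not code from the original article or from Black Talon Security, the Python script below triages a single email for the spear-phishing tells a front-desk mailbox might see: a display name that borrows a trusted brand, a one-character lookalike sender domain, a Reply-To pointing somewhere else, an executable attachment hiding behind a double extension, and a link whose visible text does not match its real destination. The sample messages, the smilepractice.com domain and the indicator lists are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Attachment types frequently used as ransomware droppers (illustrative list, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".bat", ".ps1"}


def _domain(addr):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike(domain, trusted):
    """True when domain differs from trusted by exactly one substituted, inserted or deleted character."""
    if domain == trusted or abs(len(domain) - len(trusted)) > 1:
        return False
    if len(domain) == len(trusted):
        return sum(a != b for a, b in zip(domain, trusted)) == 1
    shorter, longer = sorted((domain, trusted), key=len)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def triage_message(raw, trusted_domains):
    """Return the phishing indicators found in one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    for trusted in trusted_domains:
        # 1. Display name borrows a trusted brand but the real address is somewhere else.
        if trusted.split(".")[0] in display_name.lower() and from_domain != trusted:
            findings.append(f"display name impersonates {trusted}; real sender is {from_addr}")
        # 2. Sender domain is a one-character lookalike of a trusted domain (smilepractlce vs smilepractice).
        if _lookalike(from_domain, trusted):
            findings.append(f"lookalike domain {from_domain} vs {trusted}")

    # 3. Replies are quietly redirected to a domain that differs from the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} differs from From domain {from_domain}")

    # 4. Executable or script attachment, including double extensions such as invoice.pdf.exe.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if "." in fname and "." + fname.rsplit(".", 1)[-1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {fname}")

    # 5. Link text shows one address while the href actually points somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>([^<]*)</a>', body.get_content(), re.I):
            href_host = re.sub(r"^https?://", "", href, flags=re.I).split("/")[0].lower()
            text = text.strip()
            if text.lower().startswith("http") and href_host not in text.lower():
                findings.append(f"link text {text} hides {href_host}")
    return findings


# Constructed sample: a spear-phishing message aimed at a front-desk mailbox (not a real capture).
PHISH = """\
From: "Dr. Smith - SmilePractice Billing" <smith@smilepractlce.com>
Reply-To: accounts@mail-relay.example.net
To: frontdesk@smilepractice.com
Subject: Updated invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review today: <a href="http://198.51.100.7/login">https://portal.smilepractice.com</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice_0421.pdf.exe"
Content-Disposition: attachment; filename="Invoice_0421.pdf.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBleGVjdXRhYmxl
--b1--
"""

# Constructed sample: a legitimate internal message, which should produce no findings.
CLEAN = """\
From: "Front Desk" <frontdesk@smilepractice.com>
To: billing@smilepractice.com
Subject: Schedule for Monday
Content-Type: text/plain; charset="utf-8"

Please see the schedule on the shared drive.
"""

if __name__ == "__main__":
    for finding in triage_message(PHISH, {"smilepractice.com"}):
        print("FLAG:", finding)
    print("clean message findings:", triage_message(CLEAN, {"smilepractice.com"}))
```

A rule set like this is a training aid and a cheap first filter, not a replacement for a mail gateway: it looks only at the headers and body of the message and knows nothing about SPF, DKIM or DMARC results, which is exactly why the staff reading the mailbox still need to recognize these tells themselves.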
HIPAA Security – Vulnerability Scanning
For a breach to occur, a network typically has vulnerabilities (i.e., unpatched operating systems, outdated equipment, weak passwords, open ports on computers or firewalls, insecure network protocols, improperly configured firewalls, etc.). Cybersecurity firms deploy sophisticated tools to search for the “open doors and windows” on your network that hackers exploit. The findings are turned over to the practice’s IT company for remediation so that it can lock those “doors and windows.” Cybersecurity companies invest heavily in best-in-class vulnerability scanning technologies that can detect thousands of known vulnerabilities on a network. Scanning should be performed at least quarterly and whenever network devices are upgraded, modified, or added.
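One way to make the scan-and-remediate cycle described above concrete, as an added example rather than code from the article or from any scanning vendor: the Python script below parses scanner output in nmap’s greppable (-oG) format, flags plaintext and remote-access services against a small illustrative policy, and diffs the result against a previous scan so that anything newly exposed after a device change stands out. The scan lines, the hosts and the policy lists are constructed assumptions for the example.

```python
# Services flagged by this illustrative policy; a real practice would tune these lists.
PLAINTEXT_SERVICES = {"telnet", "ftp", "pop3", "imap", "http"}  # credentials or ePHI in the clear
REMOTE_ACCESS_SERVICES = {"ms-wbt-server", "vnc", "microsoft-ds", "netbios-ssn"}  # common ransomware entry points


def parse_greppable(text):
    """Parse nmap greppable (-oG) output into {host: {(port, proto): (service, version)}} for open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comment lines and the separate 'Status: Up' lines
        # Tab-separated "Key: value" fields; the Ports field holds comma-separated
        # port/state/proto/owner/service/rpc/version entries.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        ports = {}
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":  # filtered/closed entries are not exposure
                ports[(int(port), proto)] = (service, version)
        hosts[host] = ports
    return hosts


def assess(scan, baseline=None, internet_facing=False):
    """Return findings: insecure protocols, remote-access services reachable from the
    internet, and open ports that were not open in the previous (baseline) scan."""
    findings = []
    for host, ports in sorted(scan.items()):
        for (port, proto), (service, version) in sorted(ports.items()):
            label = f"{host}:{port}/{proto} {service} {version}".rstrip()
            if service in PLAINTEXT_SERVICES:
                findings.append(f"plaintext protocol: {label}")
            if internet_facing and service in REMOTE_ACCESS_SERVICES:
                findings.append(f"remote access exposed to the internet: {label}")
            if baseline is not None and (port, proto) not in baseline.get(host, {}):
                findings.append(f"new since baseline: {label}")
    return findings


# Constructed samples in -oG layout (tabs between fields); not real scan results.
BASELINE_SCAN = """\
# Nmap scan of the practice LAN last quarter (constructed sample)
Host: 10.0.0.5 (server01)\tStatus: Up
Host: 10.0.0.5 (server01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 445/open/tcp//microsoft-ds//\tIgnored State: closed (998)
"""

# Same LAN this quarter: RDP was enabled on the server and a new imaging device appeared.
CURRENT_SCAN = """\
Host: 10.0.0.5 (server01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 445/open/tcp//microsoft-ds//, 3389/open/tcp//ms-wbt-server//\tIgnored State: closed (997)
Host: 10.0.0.20 (imaging01)\tPorts: 23/open/tcp//telnet//, 80/open/tcp//http//lighttpd 1.4/, 443/open/tcp//https//\tIgnored State: closed (997)
"""

# Scan of the practice's public address from outside the firewall.
EXTERNAL_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 139/filtered/tcp//netbios-ssn//, 443/open/tcp//https//, 3389/open/tcp//ms-wbt-server//\tIgnored State: filtered (997)
"""

if __name__ == "__main__":
    for line in assess(parse_greppable(CURRENT_SCAN), parse_greppable(BASELINE_SCAN)):
        print("LAN:", line)
    for line in assess(parse_greppable(EXTERNAL_SCAN), internet_facing=True):
        print("WAN:", line)
```

The baseline diff is what makes the quarterly cadence useful: the second scan is compared with the first rather than read in isolation, so a new remote-desktop port on the server or a freshly installed imaging device speaking telnet is reported even when the scanner itself considers the service unremarkable.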
HIPAA Security – Penetration Testing
Penetration testing, performed by an ethical hacker, uses the same tools, techniques, and procedures that a cyber-criminal uses to try to “break into” your network. Unlike a vulnerability scan, an ethical hacker can problem-solve during the test. A scanner reaches a locked “window” and does not know how to proceed; a hacker sees that the “door” is locked but may chain findings together or run a specific exploit to open it. Ethical hackers use their experience to exploit a network in ways an automated tool simply cannot. After the ethical hacker has completed the testing, they turn their findings over to your IT company so it can remediate the risks.
Gary Salman, Chief Executive Officer, Black Talon Security, Katonah, New York; 27 years in IT and software development