Every day, more than 5 million records are lost or stolen. That’s more than 217,000 records per hour, 3,600 records per minute and 60 records every second. Due to increasingly sophisticated hacking tactics and ransomware, it’s anticipated that the number of reported breaches will continue to rise at an accelerated rate.
In August, the list of reported Health Insurance Portability and Accountability Act (HIPAA) breaches broke a new record. More than 2,000 breaches affecting 500 or more individuals have been reported to the OCR since 2009. It took nearly five years for the wall of shame to reach 1,000 breaches affecting 500 or more individuals and reporting has since increased due in part to OCR’s ramped up enforcement efforts, which seek to hold covered entities responsible for failure to report a breach within 60 days of discovery. This evokes extreme concern.
In addition to the recent milestone, the wall of shame underwent a significant makeover in July, which now enables users to view breaches currently under investigation that were reported within the previous two years, all breaches reported more than two years ago and all breaches since 2009 for which OCR investigations have concluded. There is also a research report function that provides the total number of breaches reported to the OCR, regardless of whether they are still under investigation or when they were reported.
In light of this, it is critical that you assess your compliance with the HIPAA Privacy and Security rules and continuously educate staff on HIPAA compliance. Analyzing a security incident and determining that a breach occurred can be a complex analysis that significantly cuts into the 60-day notification window. You must understand the notification requirements to ensure that notifications are filed timely in the event of a breach. Understanding your legal obligations under HIPAA can reduce the risk of a security incident. The key is understanding your system’s vulnerabilities and what external threats may affect your security—and then educating your staff on those threats.
One of today’s biggest threats is ransomware. In its June 12, 2016, guidance on ransomware, the U.S. Department of Health and Human Services (HHS) described it as “a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.” After the data is encrypted, a ransom note typically appears, which demands payment (usually in cryptocurrency, such as Bitcoin) so the user can receive a decryption key.
Certain ransomware variants encrypt the data on the server, while others are capable of destroying or exfiltrating data outside of the affected system. Most recently, in May 2017, the wannacry ransomware made headlines when it infected computer systems globally.
Beyond the Ransom
Historically ransomware has been used by cybercriminals to extort money from unsuspecting businesses and individuals. It was very simple: The data of affected businesses or individuals was held hostage until the owner of the data paid a ransom in exchange for a decryption key to unlock the data.
Fast forward to today and the ransomware game has changed significantly. The objective is no longer just about the money. The mission is now to cause widespread disruption. In fact, the cyber criminals from the notpetya global ransomware attack that occurred on June 27, 2017, walked away with only $10,000. However, the attack caused severe damages to many businesses, with some businesses losing between $200 million and $300 million in damages resulting from the interruption.
Analyzing a security incident and determining that a breach occurred can be a complex analysis that significantly cuts into the 60-day notification window.
Because the goal of ransomware is to encrypt your files and effectively disable access to them, the first and best line of defense is to make sure you back up your data regularly. It is recommended that the backups occur at least daily. Also, the backup should be encrypted.
In addition, exercise extreme caution when opening unsolicited attachments. Ransomware is often embedded in documents included as attachments to email. Train (and then retrain) your staff to recognize a suspicious email to mitigate the chance that an unsolicited attachment will be opened.
It is also recommended that you limit the number of users who have access to your system to only those individuals who absolutely need access to perform their job functions. Doing so inherently reduces your exposure.
Finally, don’t put all your eggs in one basket. In other words, segregate your programs through the use of secure firewalls and separate servers. This can help prevent an infection from spreading across all your data, thereby shutting down your business.
These are just a few preventive measures you should take to prevent an attack. There are certainly other measures you can and should take to enhance overall compliance and prevent unauthorized access. These include implementing a written information security plan, performing external penetration testing, implementing privacy and security policies and procedures, implementing and periodically testing an incident response plan, and conducting regular and periodic training for your employees.
If you fall victim to ransomware, you should immediately notify your cyber liability carrier and legal counsel. These resources will be able to assist you in navigating the attack. With many ransomware attacks, it is necessary to engage a forensic IT firm to conduct an analysis of the affected system to determine the extent of the impact and whether the particular ransomware variant is capable of accessing or exfiltrating data, which is a critical factor in a ransomware risk analysis. Your cyber liability insurance carrier and your legal counsel can put you in touch with such a firm. To retain attorney-client privilege over the results of the forensic investigation, the forensic IT firm should be retained by your legal counsel on your behalf.
It is recommended that you not pay the ransom. Doing so only funds cybercriminals and encourages them to continue their bad acts. More importantly, paying the ransom does not guarantee you will be able to regain access to the encrypted files. Victims who pay are often provided with inadequate encryption keys that either don’t work at all or decrypt only some of the files.
Instead of paying the ransom, restore affected files from reliable backups. Your IT manager or vendor should be able to assist with restoration. It is certainly mitigating if you can conclusively prove that all affected data has been restored to the state that it was in immediately prior to the ransomware infection.
Once the forensic investigation and restoration are final, work with your legal counsel to analyze the incident. A risk assessment under HIPAA is a very complex analysis of the facts and their interplay with HIPAA. Therefore, it’s important to work with an attorney who specializes in data privacy. Failure to work with a specialist could result in an improper determination that a breach did or did not occur, which carries with it the risk of reputational harm, potential OCR investigations, and fines and penalties. For this reason, the analysis must be properly conducted by someone with significant experience.
The unfortunate truth is that in today’s age, it is not a matter of if a breach will happen, but instead when will a breach happen. Although this mentality seems pessimistic at best, treating data privacy in this manner will enhance your compliance and mitigate risks to your system. Taking a proactive approach to compliance enables you to determine your system’s weaknesses and overcome those weaknesses with little or no repercussions, as opposed to waiting for a breach to happen to rectify any system vulnerabilities.
Cyber criminals are becoming more and more sophisticated each day, so now is the time to evaluate your system and confirm that you are situated the best you can be in the event a security incident. Don’t wait until it’s too late, or you may find yourself on the wall of shame.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC. Contact him via email at firstname.lastname@example.org.