Making Sense of the Latest Ransomware Attacks on Healthcare

The healthcare and public health sectors are currently being warned by DHS, FBI, and HHS of imminent cybercrime with Ryuk Ransomware acting as the primary threat. The average amount of Electronic Health Record (EHR) downtime as a result of a ransomware attack is 15 days, but it can get much worse; US Health Systems is reported to have required 3 weeks to get all 400 systems back online after a September 2020 ransomware attack. There is news of similar attacks including Skylakes Medical Center and St. Lawrence Health System and Sonoma Valley Hospital. Sonoma Valley hospital is an interesting study in ransomware remediation as their website publicly declares: On October 11, Sonoma Valley Hospital experienced a security incident that affected computer systems and triggered a significant downtime event.

Currently, the hospital is maintaining operations while computer systems are being fully restored. It has maintained the ability to care for patients using its business continuity plan. In previous blogs we have covered the value of having a Business Continuity Plan that is updated to include today’s ever evolving threats.  Sonoma Valley Hospital’s use of an effective business continuity plan not only maintained patient care levels in an emergency, it also appears to align with HIPAA security rule 164.308(a)(7)(i) regulating contingency planning and business disruption. These incidents also point to assuring that HIPAA regulated healthcare sectors and businesses understand the advantages of and regulations for HIPAA compliant cloud services and assure they are part of a robust business continuity plan.

An Unfortunate Case of Disaster Opportunists

While all businesses have experienced increased stress during the pandemic, none more than healthcare and public health sectors. Add to this the 2020 mass distribution of workers, proliferation of telemedicine and online medical services and the unrelenting pressure on IT to expand and secure the network; this all represents a prescription for significant increases in the number and types of threat vectors. It is well known that cybercriminals look for periods of disaster that usually indicate business distraction and increased opportunity; 2020 fits those specifications perhaps better than any other year. What are the points to assure that can minimize the threats to your business from ransomware?

Employees and workstations

• Reeducate employees and staff about threat avoidance in remote access scenarios. Ensure you have shared a revised and signed communications policy with each remote worker that includes strong password requirements, role-based access definitions, as well as device protection and lost device rules.
• Mandate two-factor authentication that pairs a strong password with a text message, email confirmation, or a hardware/software key element.
• Assure all patching, OS updates, AV updates, etc. are certified complete before directly reconnecting to the network.
• Consider creating a corporate subnetwork for initial reattachment of COBO devices. The business may also want to consider not allowing connection of BYOD to the direct network until it can be determined the devices are 100% threat free.
• Assure firewall policies are reviewed and updated.
• Institute or upgrade endpoint monitoring. Audit-logging and SIEM are examples for Cloud Based and network-based monitoring respectively.
• Provide business-wide policy for collaboration and conferencing solutions.

Compliance and Cloud

• Assure all HIPAA compliant cloud services are encrypted at the core, protecting patient data without sacrificing performance. Data encryption at the source (before it leaves your network perimeter) including OS and hardware, in flight and at rest will provide the highest level of record/data security.
• HIPAA requirements are to have  backup and disaster recovery services for ePHI maintained in a HIPPA-compliant recovery site.
• Assure your cloud services vendor is HIPAA compliant as defined by the Department of Health and Human Services (HHS) and independently audited against the guidelines of the HSS HIPAA audit protocol. Business Associate Agreements for protection of health information (ePHI) are required and shared upon request.
• To increase the protection afforded by your HIPAA compliance efforts and address potential budget challenges, consider fully managed disaster recovery and backup solutions.

Looking for HIPAA compliant hosting? Otava can help. Our cloud, disaster recovery and colocation solutions have helped covered entities and business associates alike adhere to HIPAA regulations and keep PHI secure. Download our free white paper on HIPAA compliant hosting, check out our HIPAA compliant solutions or contact us to learn more.

Related Articles

Why disaster recovery is important to HIPAA compliance: There are many aspects of complying with HIPAA regulations, and all are equally important to avoid facing the stiff penalties that come as a result of any violations. In addition to technical and physical safeguards for your PHI, the administrative safeguards…(Keep Reading)

Achieving Compliance in a Hybrid Cloud: According to the 2019 Rightscale® State of the Cloud report, the number of enterprises with a hybrid cloud strategy (one that combines both public and private clouds) grew to 58 percent for 2019, up from 51 percent in 2018… (Keep Reading)

What Is The HIPAA Security Rule? How can you be certain that your patients’ electronic health information is adequately protected? The HIPAA Security Rule was created to help you answer that question more confidently… (Keep Reading)

What Is The HIPAA Privacy Rule? Physicians are entrusted with some of the most intimate and personal information in a patient’s lifetime—account and identity information as well as health information… (Keep Reading)