This week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a January 2018 newsletter focusing on “cyber extortion.” Cyber extortion often involves an attacker gaining access to an organization’s computer system, stealing sensitive information, and threatening to publish the information. Healthcare and public health organizations are often the targets of these attacks, so affected data frequently includes protected health information, or PHI. The OCR newsletter indicates that incidents of cyber extortion have been steadily increasing over the past several years and will continue to disrupt many organizations.
Cyber extortion can take many forms. The OCR newsletter highlights ransomware and Denial of Service (DoS) attacks in particular. Ransomware involves the denial of access to a user’s data: typically, a hacker encrypts an organization’s data with a key known only to the hacker, and the hacker then demands payment from the organization in exchange for the decryption key. Ransomware may also involve the deployment of malware that destroys data. A U.S. government interagency report indicates that there have been approximately 4,000 daily ransomware attacks since early 2016. In response, OCR published a factsheet to provide guidance on preventing and responding to ransomware attacks for HIPAA covered entities and business associates. The factsheet urges covered entities and business associates to maintain frequent backups and ensure the ability to recover data from those backups.
DoS and Distributed Denial of Service (DDoS) attacks are other forms of cyber extortion highlighted in the OCR newsletter. These typically direct an abnormally high volume of network traffic at targeted computers so that the affected computers appear down or are otherwise inaccessible. Attackers either launch the attack and demand payment to halt it, or threaten the attack and demand payment to prevent it from happening in the first place. OCR also highlighted DoS and DDoS attacks in a prior security newsletter, which includes tips on identifying and stopping an attack.
Cyber attackers constantly create new versions of malware and organizations must be vigilant to protect their data from attack. The HHS website includes a number of guidance materials for HIPAA professionals including standards, checklists, and awareness newsletters to assist with the vigilance required to protect sensitive data from attackers.
As noted in the newsletter, OCR also published a checklist to assist HIPAA covered entities and their business associates in responding properly to a cyber-attack. The checklist suggests four actions to take in the event of a cyber-attack:
- execute response and mitigation procedures and contingency plans;
- report the crime to law enforcement agencies;
- report all cyber threat indicators to federal and information-sharing and analysis organizations; and
- report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals (in accordance with HIPAA).
Additionally, OCR recommends that organizations take the following steps to reduce the chances of cyber extortion victimization:
- Implement a robust risk analysis and risk management program that identifies and addresses cyber risks holistically, throughout the entire organization;
- Implement robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
- Train employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
- Deploy proactive anti-malware solutions to identify and prevent malicious software intrusions;
- Patch systems to fix known vulnerabilities that could be exploited by attackers or malicious software;
- Harden internal network defenses and limit internal network access to deny or slow the lateral movement of an attacker and/or the propagation of malicious software;
- Implement and test robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack;
- Encrypt and back up sensitive data;
- Implement robust audit logs and review such logs regularly for suspicious activity; and
- Remain vigilant for new and emerging cyber threats and vulnerabilities.