Six HIPAA Security Rule Provisions that Help Covered Entities Prevent Ransomware Attacks

Ransomware attacks have grown more sophisticated, and cybercriminals keep developing new ways to gain access to systems and deploy ransomware. Even so, the most common routes into healthcare systems remain phishing and the exploitation of known vulnerabilities, such as unpatched applications and operating systems. By finding and fixing those vulnerabilities and strengthening defenses against phishing, healthcare providers can block all but the most sophisticated and determined attackers and keep their systems secure and operational.

The Department of Health and Human Services’ Fall 2019 Cybersecurity Newsletter noted that the majority of ransomware attacks are preventable by implementing the HIPAA Security Rule. The same controls also position covered entities to recover quickly if a ransomware attack does succeed.

The HIPAA Security Rule has six provisions that are central to preventing, mitigating, and recovering from ransomware attacks. The provisions are:

1. Risk Analysis (45 C.F.R. §164.308(a)(1)(ii)(A))
Risk analysis is how healthcare organizations identify the threats and vulnerabilities that could affect the confidentiality, integrity, and availability of ePHI, so that they can be addressed. It is the step that surfaces the technical weaknesses attackers most often use to introduce ransomware: outdated software, exposed open ports, and weak access management.

2. Risk Management (45 C.F.R. §164.308(a)(1)(ii)(B))
The risks identified in the analysis must then be reduced to a reasonable and appropriate level so that attacks are less likely to succeed. For ransomware, risk management typically means timely patching together with anti-malware software, spam filters, web filters, intrusion detection systems, and a robust backup system.

3. Review of Information System Activity (45 C.F.R. §164.308(a)(1)(ii)(D))
When defenses are breached, the intrusion must be detected quickly. Regular review of information system activity, such as audit logs, access reports, and security incident tracking reports, lets healthcare providers spot anomalous activity and intervene before ransomware is deployed, which may be days or weeks after the initial compromise. Security Information and Event Management (SIEM) solutions can automate the collection and review of logged activity.
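As an illustration of what an automated review of logged activity looks like in practice, here is an added example (not code from the newsletter or from any SIEM product). It runs a few precursor-detection rules over a short, constructed activity log: the log format, the account names, the hostnames, the service names, and the baseline of known hosts are all invented for the example, and a real SIEM would apply far more rules against far more log sources.

```python
"""Rule-based review of a constructed ePHI-system activity log.

Flags early-stage attacker behaviour that commonly precedes ransomware
deployment: off-hours logons, logons from unfamiliar hosts, password
guessing, stopping security tooling, and creating privileged accounts.
Log format, accounts, hosts and services are invented for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ISO-8601 timestamp followed by key=value pairs.
# Not taken from any real system.
SAMPLE_LOG = """\
2019-10-02T08:03:11 user=rnurse host=WS-042 event=LOGON_SUCCESS
2019-10-02T08:05:40 user=rnurse host=WS-042 event=EHR_RECORD_VIEW
2019-10-02T17:41:02 user=rnurse host=WS-042 event=LOGOFF
2019-10-03T02:14:07 user=jadmin host=WS-117 event=LOGON_FAILURE
2019-10-03T02:14:15 user=jadmin host=WS-117 event=LOGON_FAILURE
2019-10-03T02:14:22 user=jadmin host=WS-117 event=LOGON_FAILURE
2019-10-03T02:14:31 user=jadmin host=WS-117 event=LOGON_FAILURE
2019-10-03T02:14:39 user=jadmin host=WS-117 event=LOGON_FAILURE
2019-10-03T02:14:50 user=jadmin host=WS-117 event=LOGON_SUCCESS
2019-10-03T02:16:02 user=jadmin host=WS-117 event=SERVICE_STOP service=EndpointProtection
2019-10-03T02:17:45 user=jadmin host=WS-117 event=ACCOUNT_CREATE target=svc_backup2 group=Administrators
2019-10-03T02:20:10 user=jadmin host=BACKUP-01 event=LOGON_SUCCESS
"""

# Baseline of where each account normally signs in from (constructed).
KNOWN_HOSTS = {
    "rnurse": {"WS-042"},
    "jadmin": {"WS-117", "ADMIN-JUMP"},
}
BUSINESS_HOURS = range(7, 19)   # logons between 07:00 and 18:59 are normal
FAILURE_THRESHOLD = 5           # consecutive failures before a success that we flag
PROTECTED_SERVICES = {"EndpointProtection", "AuditLogForwarder"}  # invented names


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into (datetime, dict of fields)."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts), fields


def review_activity(log_text, known_hosts=KNOWN_HOSTS):
    """Return findings as (timestamp, user, rule, detail) tuples, in log order."""
    findings = []
    failures = defaultdict(int)   # consecutive LOGON_FAILURE count per user
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user, event = f.get("user", "?"), f.get("event", "?")
        if event == "LOGON_FAILURE":
            failures[user] += 1
            continue
        if event == "LOGON_SUCCESS":
            host = f.get("host", "?")
            if ts.hour not in BUSINESS_HOURS:
                findings.append((ts, user, "OFF_HOURS_LOGON", f"logon at {ts:%H:%M} from {host}"))
            if user in known_hosts and host not in known_hosts[user]:
                findings.append((ts, user, "UNKNOWN_HOST", f"first logon seen from {host}"))
            if failures[user] >= FAILURE_THRESHOLD:
                findings.append((ts, user, "BRUTE_FORCE", f"{failures[user]} failures then success"))
            failures[user] = 0   # a success ends the failure streak
        elif event == "SERVICE_STOP" and f.get("service") in PROTECTED_SERVICES:
            findings.append((ts, user, "SECURITY_TOOL_STOPPED", f["service"]))
        elif event == "ACCOUNT_CREATE" and f.get("group") == "Administrators":
            findings.append((ts, user, "PRIVILEGED_ACCOUNT_CREATED", f.get("target", "?")))
    return findings


if __name__ == "__main__":
    for ts, user, rule, detail in review_activity(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user:8} {rule:27} {detail}")
```

On the sample log the nurse's daytime activity produces no findings, while the administrator account's 2 a.m. session produces six: a password-guessing run ending in a successful logon, the stop of an endpoint protection service, the creation of a new administrator account, and a subsequent logon to a backup host the account has never used. Each of those is the sort of precursor the activity review is meant to catch days before any files are encrypted. Note that the brute-force rule only fires once a success follows the failures; a stream of failures with no success would need a separate threshold rule.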

4. Security Awareness and Training (45 C.F.R. §164.308(a)(5))
Phishing attacks target employees, so the workforce needs regular security awareness training to recognize phishing emails and malspam and to report them through the proper channels rather than acting on them.

5. Security Incident Procedures (45 C.F.R. §164.308(a)(6))
A fast response to a ransomware attack can greatly limit the damage. Written incident response policies and procedures must be distributed to all employees so that everyone knows how to act during an attack, and those procedures should be tested before they are needed to confirm that they work when a security incident occurs.

6. Contingency Plan (45 C.F.R. §164.308(a)(7))
In the event of a ransomware attack, a contingency plan ensures that critical services continue and that ePHI can be restored. Backups of all ePHI should be tested regularly to confirm that the data can actually be recovered. Threat actors increasingly target backup systems so that covered entities are compelled to pay the ransom to get their data back; covered entities should therefore keep at least one copy of backup data offline, on a device or system that cannot be reached from the network.