A recent global ransomware attack has impacted nearly 150 countries. The healthcare industry was not immune to this attack, as at least 16 hospitals in England were affected. The attack locked doctors out of patient files, potentially endangering lives. In response to this and other recent ransomware attacks, the U.S. Department of Health and Human Services ("HHS"), Office of the Assistant Secretary for Preparedness & Response ("ASPR") issued an update specifically addressing the threat of ransomware attacks to healthcare organizations. In the update, the HHS ASPR provides a link to a previous ASPR "TRACIE" newsletter focused on cybersecurity and cyber hygiene. Below are some brief tips from those ASPR materials and some additional resources for those entities that operate in the healthcare field.
How can I protect myself?
The most common delivery mechanism for a ransomware attack is a malicious file, delivered either as an email attachment or through a link. The file may use hidden or misleading extensions to disguise an executable, or the link may lead you to a malicious website. The best defense against this method is to train your employees about the threat. Tell them to open only emails they are expecting and that come from people they know. If you receive an attachment or a link from a friend or colleague that you were not expecting, take a minute and call to verify that they sent it before you open it. Malicious actors are counting on you acting quickly without thinking, so try to slow down before opening something if you are not 100% certain of the source.
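As an added illustration of the "hidden extension" trick described above (this is example code written for this page, not material from HHS or ASPR), the following Python triage function inspects attachment filenames the way a mail gateway or awareness check might: it flags names that look like a document but actually end in a directly executable extension, and names padded with whitespace so the real extension is pushed out of view. The extension lists and the sample filenames are constructed for the example and are not exhaustive.

```python
"""Triage email attachment names that disguise an executable behind a
document-style extension (e.g. "invoice.pdf.exe").
Added example for a mail-gateway or user-awareness check; all sample
filenames below are constructed."""
import os

# Extensions Windows will execute directly (illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe",
    ".ps1", ".hta", ".pif", ".msi", ".jar", ".lnk",
}
# Extensions a user expects to open safely and that attackers imitate.
DOCUMENT_EXTENSIONS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".txt", ".jpg", ".png",
}


def split_extensions(filename):
    """Return the lower-cased chain of extensions in a name.

    'Invoice.PDF.exe' -> ['.pdf', '.exe']; whitespace padding inside a
    part is stripped so 'a.jpg     .scr' still yields ['.jpg', '.scr'].
    """
    base = os.path.basename(filename.strip())
    parts = base.lower().split(".")
    return ["." + p.strip() for p in parts[1:] if p.strip()]


def classify_attachment(filename):
    """Return (verdict, reason) for one attachment name.

    verdict is 'block', 'review' or 'allow'.
    """
    exts = split_extensions(filename)
    if not exts:
        return ("review", "no extension; cannot tell what will open it")
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        if any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
            return ("block", f"document-looking name hides executable {last}")
        return ("block", f"directly executable attachment {last}")
    # Runs of spaces or very long names push the real extension out of
    # view in many mail clients; send these for a human look.
    if "  " in filename or len(filename) > 120:
        return ("review", "padded filename may be hiding its real extension")
    return ("allow", f"extension {last} is not directly executable")


def triage(filenames):
    """Classify a batch of attachment names; returns {name: (verdict, reason)}."""
    return {name: classify_attachment(name) for name in filenames}


# Constructed sample attachment names covering each branch above.
SAMPLE_ATTACHMENTS = [
    "Q2_report.pdf",
    "invoice.pdf.exe",
    "scan001.jpg                                   .scr",
    "setup.exe",
    "notes",
]

if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:6}  {name!r:55}  {reason}")
```

The point of the example is the policy split: anything that is directly executable is blocked regardless of how it is named, while names that merely look suspicious (no extension, padding) go to human review rather than being silently allowed, which is the same "slow down and verify" advice the text gives to users, applied at the gateway.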
The vulnerability exploited by the recent attack had been addressed by a Windows security patch released weeks earlier. The affected systems had not applied that update, so the attack was preventable. Keeping your systems up to date and properly patched can prevent a nightmare scenario.
What do I do if I am a victim of a ransomware attack?
If you are a victim, HHS recommends that you contact your local FBI field office immediately to report the attack and request assistance. HHS further recommends that your organization report the incident to the US-CERT and FBI Internet Crime Complaint Center.
A further concern for a healthcare organization subject to HIPAA is breach reporting. A ransomware attack on a healthcare organization is considered a reportable breach unless the organization can prove the data was encrypted or otherwise unreadable. If the organization cannot show this, the breach must be reported within 60 days of discovering the attack. Failure to meet this deadline has resulted in major HIPAA fines. Therefore, breach response cannot be forgotten in the chaos of an attack and must be handled within the required timeframe.