May 19, 2017
Last Friday, cyber criminals launched a global ransomware attack against businesses and government agencies in 150 countries. Experts believe the virus, dubbed the “WannaCry” virus, compromised its victims’ networks by exploiting a critical vulnerability in Microsoft’s Windows software. In March, Microsoft released a security update to address this vulnerability, but many of today’s victims failed to apply the patch or were running an older version of Windows that no longer receives security updates. This latest round of ransomware attacks highlights a disturbing trend that will undoubtedly continue throughout 2017 and beyond.
Healthcare providers and other businesses need to remain vigilant and implement proven strategies for preventing network intrusions and staying ahead of the ransomware avalanche. Here are some practical strategic tips:
- Understand the Risks: Everyone in a health care operation – from the top executives down to each employee who touches a keyboard – needs to understand the cyberattack risks and their responsibility for protecting the computer network.
- Establish a Robust Security Program: Health care entities must identify their “crown jewels” – PHI and other mission-critical data – to ensure they are adequately protected by safeguards like encryption protocols, back-up systems, and password protection. Drawing on proven resources, providers should develop a Written Information Security Program (WISP) that documents the organization’s cyber security risk management plan. A robust WISP maps out the who, what, when, where, and why of preventing and responding to data security threats. The plan should also account for internal security measures, to ensure that only employees with a “need to know” have access to critical information and databases.
- Train Your Team & Create a Cybersecurity Culture: Security measures, contingency plans, and other strategies are only as good as the people who stand behind them. Every employee who touches a keyboard is either an asset or a threat when it comes to network security. Training and an effective cybersecurity culture help put all rank-and-file employees on the right side of that equation. Each employee must understand the constant threat and the fact that security is each individual’s responsibility – including rigorously following a “think before you click” mentality.
- Update Your Operating Systems: The WannaCry virus illustrates the critical importance of staying up to date on security updates and patches for healthcare providers’ networks. Many of this most recent attack’s victims could have reduced their exposure by applying the recommended security patches. If your organization is using an older operating system, consider upgrading, and in all events providers should have policies to routinely and systematically apply security patches and updates.
- Maintain Gold Standard Backup Systems: In the event of a successful ransomware attack, a provider’s most important data could be encrypted permanently. A robust backup system that can promptly restore compromised data and network systems is a critical safeguard. For ransomware attacks in particular, a secure, HIPAA-compliant backup system may be the most cost-effective protection against months of lost information and an operational halt.
- Implement an Operations Contingency Plan: If a hacker makes it into a network, an immediate, coordinated response is crucial. Seconds matter. Having the proper procedures in place and making sure the team knows what to do can be the difference between successful countermeasures and becoming the next data breach headline. An effective plan must cover the waterfront on neutralizing the threat, continuing operations, restoring compromised data, and engaging other emergency measures.
- Partner with Experts & Test Your System: Preparing for attacks and making sure an organization remains on the cutting edge is an ongoing process. Having a multidisciplinary team of experienced experts on a provider’s side is critical for that effort, both before and after cybersecurity attacks. A team of legal and IT experts can help identify and implement the right prevention and response measures. Once a response strategy is in place, health care providers should execute regular, systematic risk assessments to test established measures and identify vulnerabilities.
- Vendor Relations: Healthcare organizations should consider and assess potential risks created by vendors with access to PHI. Where feasible, vendor access to PHI should be minimized.
- Evaluate Insurance Coverage: Consider the potential expenses a data breach may entail – IT costs, lost operations, monetary penalties, litigation costs, legal counsel, PR management fees, and others. These potential costs and the growing cybersecurity threat strongly weigh in favor of robust cyber liability insurance coverage. Providers should carefully evaluate their coverage, making sure it is appropriate and fits within their overall security plans.
- Preserve Evidence & Carefully Document Response Steps: After a suspected breach, preserving evidence and meticulously documenting the response process is critical. From the outset, each member of the response team needs to understand the importance of maintaining network evidence for forensic evaluation. Preserving evidence of the attack will later prove critical for assessing whether and to what extent an attacker actually removed PHI from the network. That information is necessary for determining what was actually exposed and determining whether a HIPAA breach occurred.
Overall, the WannaCry virus emphasizes the importance of implementing affirmative strategies to avoid a cyber disaster. By implementing proactive measures before an attack, providers can significantly limit their exposure and prepare for a timely response in the event a breach occurs. With an understanding of the risks and proper investment in preparation, health care entities can focus on taking care of business while knowing their critical information is well-protected from ransomware attacks and other vulnerabilities.
If you have questions or need assistance regarding these strategies or other cyber security and privacy issues, please contact HDJN’s Cybersecurity team.
The information contained in this advisory is for general educational purposes only. It is presented with the understanding that neither the author nor Hancock, Daniel, Johnson & Nagle, PC, is offering any legal or other professional services. Since the law in many areas is complex and can change rapidly, this information may not apply to a given factual situation and can become outdated. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice. Under no circumstances will the author or Hancock, Daniel, Johnson & Nagle, PC be liable for any direct, indirect, or consequential damages resulting from the use of this material.