Can you have a Ransomware attack if you are HIPAA-compliant?

Image on Ransomware Attack even if you are HIPAA CompliantThe short answer: Yes

 

The in-depth answer: The Health Insurance Portability and Accountability Act (HIPAA) sets the minimum standards for protecting sensitive patient health information (PHI). The Department of Health and Human Services (HHS) regulates HIPAA compliance, while the Office for Civil Rights (OCRenforces it. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis. However, a HIPAA-compliant organization can still be a target for a ransomware attack. Despite having advanced cybersecurity measures in place to comply with HIPAA, no organization is fully impervious to all cyber threats.

Ransomware Attacks in a HIPAA-compliant Organization

 

HIPAA regulations mandate that healthcare providers protect the privacy and security of patient’s health information. This involves implementing safeguards such as access controls, audit controls, integrity controls, and transmission security. However, these measures primarily focus on ensuring data privacy and security, and although they can help reduce the risk of ransomware attacks, they do not eliminate it completely.

 

Ransomware is malicious software that encrypts the victim’s data. Hackers demands a ransom to restore access to the data once they are paid. They also have the ability to modify the data and sell it, even if they are paid the ransom amount. This leads to serious complications in the Healthcare Industry since their data is targeted due to its critical importance for its high value. Even with HIPAA-compliant measures in place, organizations can fall victim to ransomware attacks via various methods:

  1. Not implementing addressable safeguards:

    Organizations tend to overlook implementing addressable safeguards outlined in the HIPAA Security Rule. These safeguards focus on Authorization / Supervision, Workforce Clearance Procedures, Termination Procedures, Access Authorization, Security Reminders, Log-in Monitoring, Password Management, Protection from Malicious Software, Testing Contingency Plans, etc. Due to this oversight, their systems have vulnerabilities that can be exploited through a targeted cyber attack.

  2. Phishing attacks:

    One of the most common ways attackers can breach security defenses is through phishing emails. These emails trick employees into clicking on malicious links or attachments that install ransomware on the network.

  3. Insufficient Backup and Recovery Systems:

    HIPAA requires that covered entities have backup and disaster recovery measures in place. However, if these measures are not adequately and continuously maintained, tested, and updated, ransomware can infect not only the primary data systems but also backup systems, making data recovery impossible without paying the ransom.

  4. Incomplete or Inadequate Implementation of HIPAA Standards:

    Compliance doesn’t always mean complete protection. Organizations may meet the letter of the law without effectively securing all possible points of vulnerability. For instance, they might overlook the security of medical devices, partner networks, or other systems that connect to their main network.

  5. Exploiting software vulnerabilities:

    Cybercriminals often exploit known vulnerabilities in software applications that are not patched or updated regularly. Through these vulnerabilities, they gain unauthorized access and deploy ransomware.

  6. Insider threats:

    Employees, vendors, or other insiders with malicious intent or those who are simply careless may inadvertently expose the organization to ransomware attacks deliberately.

  7. Brute force attacks:

    In this method, attackers try numerous combinations to guess passwords and gain access to systems or networks. Once they are in, they install ransomware and infiltrate the entire network.

  8. Advanced Persistent Threats (APTs):

    These are long-term targeted attacks where cybercriminals infiltrate networks to mine data or disrupt services. They can plant ransomware and activate it at the most opportune moment. For example, zero-day exploits take advantage of security vulnerabilities that are unknown to the organization and the public. Such vulnerabilities are thus unpatched, making them a lucrative target for attackers.

  9. Network vulnerabilities:

    Weaknesses in network security, such as unsecured Wi-Fi networks or inadequate firewall protection, can create entry points for ransomware.

  10. Physical breaches:

    Access to physical machines (like a stolen laptop that has not been encrypted) can also lead to a breach. HIPAA requires physical safeguards, but like all security measures, they’re not 100% foolproof.

This list is not exhaustive, and HIPAA compliance can help mitigate these risks through required security measures like regular risk assessments, encryption of electronic protected health information (ePHI), maintaining updated and patched systems, and conducting regular staff training on cybersecurity best practices.

However, the cyber security challenges that organizations face are dynamic. They need a comprehensive approach to cybersecurity that goes beyond just HIPAA compliance. This might involve extensive and customized employee training to recognize phishing attempts, regular audits, and penetration tests to identify and patch vulnerabilities, the use of advanced threat detection and response systems, and robust, isolated backup systems to ensure data can be restored in the event of a ransomware attack. In addition, establishing an incident response plan can help minimize damage if an attack occurs.

Despite all these measures, it’s important to remember that no organization can be completely immune to ransomware attacks. Therefore, continuous improvement of your security posture and preparedness for potential attacks is critical.

In the event of a ransomware attack, HIPAA mandates specific steps and reporting procedures, including notifying affected individuals, the Department of Health and Human Services, and potentially the media depending on the scale of the breach. Therefore, compliance does not guarantee the prevention of attacks, but it does establish a strong foundation for preventing, detecting, and responding to such cyber threats, thereby reducing the possibility of risks in the long run.

 

How databrackets can help you create a secure IT infrastructure

Experts at databrackets have extensive experience working with Healthcare Providers, Cyber Liability Insurance Providers, Managed Service Providers (MSPs), FDA Regulated industries etc. Our services range from Security Risk Analysis, HIPAA compliance, Pen Testing & Vulnerability Scans, Implementation of Cyber Security Technology, Managed Security Services, and Security Risk Analysis for MIPS, among others.

Our team has supported organizations across a wide variety of industries to align their processes with security frameworks like HIPAA, 21 CFR Part 11, ISO 27001SOC 2, NIST SP 800-53NIST Cybersecurity FrameworkNIST SP 800-171GDPRCMMC etc.

We are constantly expanding our library of assessments and services to serve organizations across industries. Schedule a Consultation if you would like to Connect with an Expert to understand how we can customize our services to meet your specific requirements.

Related Links

Sources of Ransomware Attacks on Healthcare Systems

Protect your DICOM from Cyber Attacks

Security Tech Investments for Top 10 trends in 2023

How to Select a Security Vendor

Author: Aditi Salhotra, Digital Marketing and Business Development, databrackets.com

Aditi is a Digital Marketing and Business Development Professional at databrackets.com. She graduated with honors in Marketing from Sheridan College, Canada. In addition to her current profile, she contributes to Product Development and Content Creation. She is a strong advocate of Good Cyber Hygiene and white hat SEO techniques. She is proud of the company’s mission to safeguard organizations from cyber threats and ensure their business continuity in adverse situations. 

Technical Expert: Srini Kolathur, Director, databrackets.com

The technical information presented in this blog has been carefully reviewed and verified by our Director, Srini Kolathur. Srini is results-driven security and compliance professional with over 20 years of experience supporting, leading, and managing global IT security, compliance, support, and risk assessment in fortune 100 companies. Some of his key areas of focus are SOC 2, ISO 27001, NIST 800-171, NIST 800-53, NIST Cybersecurity Framework,  HIPAA, Security Risk Assessment, CMMC 2.0 among others. He is a CMMC Registered Practitioner (RP), CISSP, CISA, CISM, MBA. He is active in several community groups including Rotary International and TiE.

Experts at databrackets have extensive experience working with Healthcare Providers, Cyber Liability Insurance Providers, Managed Service Providers (MSPs), FDA Regulated industries etc. Our services range from Security Risk AnalysisHIPAA compliancePen Testing & Vulnerability Scans, Implementation of Cyber Security Technology, Managed Security Services, and Security Risk Analysis for MIPS, among others.

Our team has supported organizations across a wide variety of industries to align their processes with security frameworks like HIPAA21 CFR Part 11ISO 27001SOC 2, NIST SP 800-53NIST Cybersecurity FrameworkNIST SP 800-171GDPRCMMC etc.

We are constantly expanding our library of assessments and services to serve organizations across industries. Schedule a Consultation if you would like to Connect with an Expert to understand how we can customize our services to meet your specific requirements.

Sources of Ransomware Attacks on Healthcare Systems

Image on how ransomware enters Healthcare SystemsA cohort study published in The Journal of the American Medical Association in December of 2022 revealed that Ransomware attacks targeting Healthcare delivery organizations more than doubled from 2016 to 2021. This exposed the Personal Health Information of nearly 42 million patients. During the study period, it was observed that Ransomware attacks were more likely to target large organizations with multiple facilities.

Healthcare systems are usually targets of Ransomware attacks due to their critical importance and the high value of their data. Therefore, Healthcare providers and their vendors (including business associates and subcontractors) must maintain strong cybersecurity defenses and best practices, use advanced threat detection tools and mitigate the unrelenting risk of Ransomware attacks. While benchmarks under the Health Insurance Portability and Accountability Act (HIPAA) are mandatory, hackers have found ways to create loopholes in HIPAA-compliant systems, embed Ransomware, and trick users (usually employees of Healthcare providers and their vendors) into downloading it.

How Ransomware Enters Healthcare Systems

Ransomware, one of the most malicious software, can enter Healthcare systems in several ways. Hackers usually look for a loophole or create one through a single user’s computer and then infiltrate the network and spread it to other devices. Once Ransomware spreads, the data in the core systems are encrypted using unique keys that are known only to the hackers. Unless the hackers get compensated, the data in the core systems is unusable by the healthcare systems. This severely impacts service delivery and patient care.

There are several ways they can use to enter a healthcare provider, business associate, vendor or, subcontractor’s systems. This includes, but is not limited to:

1. Phishing Emails:

One of the most common methods for Ransomware to enter an IT infrastructure is through phishing emails. These are emails disguised as legitimate, often impersonating a trusted sender like HR, professionals working in the Billing / Finance department, Vendors, or trusted senders from other departments. The emails contain malicious links or attachments. Once an employee clicks on the link or downloads the attachment, the Ransomware can infect their computer and spread to other systems in the network.

2. Malvertising and drive-by downloads:

Malvertising involves injecting malicious code into online advertising networks. When a user clicks on an infected ad, the Ransomware is downloaded onto their system. Drive-by downloads are similar but happen on compromised websites or even legitimate ones with a security weakness.

3. Exploiting vulnerabilities in outdated software or hardware:

Attackers often exploit security vulnerabilities in software or hardware that haven’t been patched or updated regularly. These vulnerabilities can be in operating systems, applications, databases, network equipment, and medical devices. When security patches are released to fix these vulnerabilities, organizations need to update their systems promptly to protect them.

4. Social Engineering:

This involves manipulating individuals into performing actions or divulging confidential information that can be used to gain unauthorized access to systems or data. It could be a phone call or an online interaction, convincing someone to install a file with Ransomware. Common examples include Pretexting, Baiting, and Tailgating.

5. Third-party vendor attacks:

In this method, attackers compromise a trusted software vendor’s system and insert their Ransomware into software updates. When the healthcare organization installs the infected update, the Ransomware enters its system.

6. Remote Desktop Protocol (RDP) attacks:

RDP is a protocol that allows one computer to connect to another over a network. If an attacker can guess or crack the login credentials for an RDP session, they can install Ransomware on the remote system. This is especially problematic in healthcare settings where RDP is commonly used for telemedicine and remote patient monitoring.

7. Removable Media:

Ransomware can spread through infected USB drives, CDs, or other removable media.

8. Internet of Things (IoT)/Medical Devices:

As healthcare increasingly utilizes connected devices, these devices become targets. Many IoT/medical devices lack robust security, making them an attractive entry point for attackers.

This list is not exhaustive, and there is only one certainty in the field of Ransomware attacks – Hackers continue to find innovative ways to infiltrate healthcare systems. Vendors who directly and indirectly work with Healthcare providers in the US need to be HIPAA compliant. However, following the benchmarks set by HIPAA doesn’t guarantee that your systems will not be vulnerable to a targeted or ransomware attack. We have explored this at length in our blog, ‘Can a HIPAA-compliant Healthcare provider be attacked using Ransomware?’(Easwari-hyperlink to the blog)

Stay tuned for ways to Mitigate the Risk of Ransomware in Healthcare.

How databrackets can help you create a secure IT infrastructure

Experts at databrackets have extensive experience working with Healthcare Providers, Cyber Liability Insurance Providers, Managed Service Providers (MSPs), Business Associates & Subcontractors of Healthcare Providers, and Pharmaceutical and other FDA Regulated industries. Our services range from Security Risk Analysis, Pen Testing & Vulnerability Scans, Implementation of Cyber Security Technology, Managed Security Services, HIPAA compliance, and Security Risk Analysis for MIPS, among others.

Our team has supported organizations across a variety of other industries to align their processes with security frameworks like HIPAAISO 27001SOC 2, NIST SP 800-53NIST Cybersecurity FrameworkNIST SP 800-171GDPRCMMC21 CFR Part 11, etc.

We constantly expand our library of assessments and services to serve organizations across industries. If you would like to Connect with an Expert to understand how we can customize our services to meet your specific requirements, do not hesitate to Schedule a Consultation.

Related Links

Can a HIPAA compliant Healthcare provider be attacked using Ransomware

Protect your DICOM from Cyber Attacks

Security Tech Investments for Top 10 trends in 2023

How to Select a Security Vendor

Author: Aditi Salhotra, Digital Marketing and Business Development, databrackets.com

Aditi is a Digital Marketing and Business Development Professional at databrackets.com. She graduated with honors in Marketing from Sheridan College, Canada. In addition to her current profile, she contributes to Product Development and Content Creation. She is a strong advocate of Good Cyber Hygiene and white hat SEO techniques. She is proud of the company’s mission to safeguard organizations from cyber threats and ensure their business continuity in adverse situations. 

Technical Expert: Srini Kolathur, Director, databrackets.com

The technical information presented in this blog has been carefully reviewed and verified by our Director, Srini Kolathur. Srini is results-driven security and compliance professional with over 20 years of experience supporting, leading, and managing global IT security, compliance, support, and risk assessment in fortune 100 companies. Some of his key areas of focus are SOC 2, ISO 27001, NIST 800-171, NIST 800-53, NIST Cybersecurity Framework,  HIPAA, Security Risk Assessment, CMMC 2.0 among others. He is a CMMC Registered Practitioner (RP), CISSP, CISA, CISM, MBA. He is active in several community groups including Rotary International and TiE.