More and more often, health care data is stolen or made inaccessible by targeted ransomware attacks. The Office for Civil Rights (OCR) published a newsletter this week that provides warnings for HIPAA covered entities and business associates. It also provides practical tips to prevent and help you survive these attacks.

OCR’s warnings should resonate with covered entities and business associates alike:

  1. You are a ransomware target. 

    “Cybercriminals … found that customizing their attacks to specific, “quality” targets led to an increase in the amount of ransom payments.  Organizations commonly targeted by this type of attack have sensitive data, high data availability requirements, low tolerance for system downtime, and the resources to pay a ransom.  Many healthcare organizations fit this profile, and have become targets.”

  2. Cybercriminals may already be lurking in your information system, waiting to attack. 

    “Prior to initiating an attack, a malicious actor usually gains unauthorized access to a victim’s information system for the purpose of performing reconnaissance to identify critical services, find sensitive data, and locate backup. After this is done, the ransomware is deployed in a manner that produces maximum effect, infecting as many devices and as much data as possible and encrypting backup files so that recovery is difficult, if not impossible.”

  3. Cybercriminals often gain access by tricking your employees and authorized system users. 

    “Information system users remain one of the weakest links in an organization’s security posture.  Social engineering, including phishing attacks, is one of the most successful techniques used by threat actors to compromise system security.”

The newsletter then offers specific and practical tips on how taking HIPAA Security Rule compliance seriously can help you avoid, or quickly recover from, targeted ransomware attacks. Here’s a summary of five key tips that should be at the top of your organization’s ransomware-prevention list:

  1. Train employees to avoid and report phishing scams. 

    “A training program should make users aware of the potential threats they face and inform them on how to properly respond to them.  This is especially true for phishing emails that solicit login credentials.  Additionally, user training on how to report potential security incidents can greatly assist in an organization’s response process by expediting escalation and notification to proper individuals.”

  2. Review and test security incident response procedures. 

    “Quick isolation and removal of infected devices from the network and deployment of anti-malware tools can help to stop the spread of ransomware and to reduce the harmful effects of such ransomware.  Response procedures should be written with sufficient details and be disseminated to proper workforce members so that they can be implemented and executed effectively.  Further, organizations may consider testing their security incident procedures from time to time to ensure they remain effective.”

  3. Maintain recoverable, secure, and up-to-date backups of all electronic protected health information. 

    “Organizations should keep in mind that threat actors have recently been actively targeting backup systems and backup data to prevent recovery.”

  4. Regularly check and strengthen access controls. 

    “[This measure will] stop or impede an attacker’s movements and access to sensitive data; e.g., by segmenting networks to limit unauthorized access and communications.  Further, because attacks frequently seek elevated privileges (e.g., administrator access), entities may consider solutions that limit the scope of administrator access, as well as solutions requiring stronger authentication mechanisms when granting elevated privileges or access to administrator accounts.”

  5. Regularly install software updates and patches.