Dept. of Health and Human Services Issues Ransomware Warning

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk.

The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat.

While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat.

Whether this was a one off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly helped many healthcare organizations take prompt action to reduce risk.

Fortunately, attacks on organizations in the United States appear to have been limited, with the Department of Homeland Security saying fewer than 10 U.S. companies have reported being attacked.

In the email alerts, healthcare organizations were reminded of the need to implement data security measures to reduce the risk of malware and ransomware attacks. OCR also issued guidance on HIPAA specific to the threat from WannaCry ransomware.

OCR reiterated that a ransomware attack that involved the encryption of patients ePHI is presumed to be a HIPAA breach, reminding covered entities to report attacks within 60 days, as is required by the HIPAA Breach Notification Rule.

OCR issued a reminder to HIPAA covered healthcare organizations that breach reports– and patient notifications – are an obligation if data have been compromised that have not been encrypted by the body to NIST specifications.

Should a breach occur, covered organizations were told to contact their local FBI office, file details of the incident to the FBI’s Internet Crime Complaint Center and make the incident known to US-CERT. OCR also stressed that reporting ransomware attacks to other federal bodies or law enforcement agencies does not constitute a HIPAA-compliant breach report. OCR must be officially advised of the incident separately.

Threat intelligence sharing can help prevent other organizations suffering similar attacks and OCR encourages the sharing of cyber threat accounts. However, the HIPAA Privacy Rule does not allow the sharing of PHI in any form. When accounts of a cyber threat are shared with federal agencies, law enforcement, or an Information Sharing and Analysis Organization (ISAO), covered organizations must ensure that PHI is not shared. Doing so would be a HIPAA violation and could lead to action being taken against the HIPAA-covered entity in question.

OCR also reminded organizations that adhering with the HIPAA Security Rule helps covered entities ready themselves for ransomware/cyber attacks and respond properly if systems are compromised and data are encrypted.

Further information on HIPAA and ransomware attacks can be viewed in an OCR fact sheet downloadable from this link.

Healthcare groups were also reminded that they can ask for an unauthenticated scan of their public IP addresses from the Department of Homeland Security.

US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) supplies an objective third-party perspective on a covered entity’s cybersecurity posture and can carry out a broad assessment scanning for known weaknesses at no cost to stakeholders. The service allows healthcare groups to be proactive and put measures in place to minimize risk prior to exploitation by malicious individuals.  Requests can be submitted by contacting NCATS on [email protected]

Author: Maria Perez