What lessons can we learn from the likes of the recent “WannaCry” ransomware attack?
Today’s increasingly digitized healthcare industry is an ever more attractive target for individuals carrying out cyberattacks, such as the recent “WannaCry” ransomware attack. This is because healthcare organizations hold large volumes of sensitive data and information that are needed for daily operations and for executing the transactions that are critical to their ability to function. Additionally, perpetrators know from experience that some healthcare organizations tend to pay ransom demands quickly in order to restore access to their mission-critical operations, systems, and patient information. For organizations operating with shrinking margins, the cost of downtime and disruption far exceeds the ransom demands.
In the US, the Health Insurance Portability and Accountability Act (HIPAA), especially with the changes that went into effect in 2016, now enforces penalties and fines that are making healthcare organizations even more vigilant about preventing cyberattacks and complying with the established standards. The “WannaCry” attack would be considered a breach of HIPAA rules for a US healthcare facility. In 2016 the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) released a fact sheet on Ransomware and HIPAA, which addresses prevention of and recovery from ransomware attacks from the healthcare sector’s perspective. It details HIPAA’s role in helping covered entities and business associates prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack. It should be recognized that under the new HIPAA rules, covered entities are culpable and liable for data breaches that result from one of their contracted vendors or business associates. Complete oversight of vendors and business associates with regard to HIPAA compliance and the IT security practices they use to protect PHI is now a must.
So, what lessons can the healthcare sector learn from this latest attack and how can organizations protect themselves and prevent breaches of HIPAA rules?
- Invest in system upgrades – perhaps the most important lesson from this recent attack is the importance of upgrading operating systems. This is a massive and expensive undertaking, especially for some healthcare organizations such as large integrated delivery networks (IDNs), and may therefore get relegated to the bottom of a list of competing priorities for scarce resources. However, it is important to upgrade, because outdated systems are not supported by Microsoft (unless at a cost), and as such do not receive security updates and remain vulnerable to attacks.
- Ensure software on all servers is up to date with the latest security patches – the best way to achieve this is by enabling automatic updates. Supported operating systems that received Microsoft’s March updates were already fixed and protected against this cyberattack. If automatic updates are not turned on, it is imperative that updates, including patches, be applied as soon as they are made available.
- Invest in robust software protection – ensure that firewalls and endpoint security protection are top-rated, robust and up to date.
- Ensure there is a secure backup – always ensure that all information is securely backed up daily. It is advisable to keep the backup offsite, preferably cloud based, since WannaCry would still have encrypted a backup hard drive that was left attached to the server. Cloud storage also removes the need for someone to attach and remove the hard drive from the server each day.
- Develop and implement security risk mitigation policies – ensure that there are policies in place to address security risks and mitigation of such risks; provide a blueprint on how to identify risks, what to do once a risk is identified and how to prevent a breach of your system. This should also include a communication strategy for informing staff of system breaches.
- Training – while at the bottom of this list, training is one of the most important means of preventing security breaches. Staff need to be fully trained on the organization’s security risk mitigation policy and be proactive in identifying and mitigating risks. Staff are essentially an organization’s first line of defense against cyberattacks, because they are the ones who receive the emails and unknowingly open attachments and click on links to malicious sites, leaving the system exposed to attack.
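The first two points above (unsupported operating systems and missing patches) are the ones an administrator can check on a host in minutes. The following PowerShell script is an added example, not code from the original article or from any vendor: it reports whether Automatic Updates is configured to install on a schedule, how old the most recently installed hotfix is, and whether the OS is one whose Microsoft support had already ended. The 45-day staleness threshold and the list of unsupported version strings are this example’s own assumptions; the registry paths and cmdlets are standard Windows ones.

```powershell
# Added example (not from the original article): audit one Windows host for the
# patching lessons above. Assumes Windows PowerShell 5.1 or later, run as an
# administrator. Thresholds and the unsupported-OS list are assumptions.

function Get-PatchPosture {
    param(
        # Assumption: a host with no hotfix installed in 45 days is flagged as stale.
        [int]$MaxPatchAgeDays = 45
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Assumption: versions Microsoft had stopped supporting before WannaCry.
    # A match here means "no free security updates" (lesson 1 above).
    $unsupported = $os.Caption -match 'Windows XP|Windows Server 2003|Windows Vista'

    # Automatic Updates configuration (lesson 2 above). A Group Policy value under
    # Policies\... overrides the locally configured value when it is present.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue

    # AUOptions: 2 = notify before download, 3 = download then notify,
    # 4 = download and install on schedule. NoAutoUpdate = 1 disables it entirely.
    $auOption = $null
    if ($policy -and $null -ne $policy.AUOptions)     { $auOption = $policy.AUOptions }
    elseif ($local -and $null -ne $local.AUOptions)   { $auOption = $local.AUOptions }
    $disabled    = ($policy -and $policy.NoAutoUpdate -eq 1)
    $autoInstall = (-not $disabled) -and ($auOption -eq 4)

    # Most recently installed update recorded by Windows Update / WSUS.
    # Some entries have no InstalledOn date, so those are skipped.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $daysSincePatch = $null
    if ($latest) {
        $daysSincePatch = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = $os.Caption
        Build              = $os.Version
        OSUnsupported      = $unsupported
        AutoInstallEnabled = $autoInstall
        LatestHotFix       = if ($latest) { $latest.HotFixID } else { 'none recorded' }
        DaysSincePatch     = $daysSincePatch
        PatchStale         = ($null -eq $daysSincePatch) -or ($daysSincePatch -gt $MaxPatchAgeDays)
    }
}

# Usage: run on the host, or wrap in Invoke-Command -ComputerName to collect from many.
Get-PatchPosture | Format-List
```

A row with OSUnsupported, PatchStale, or AutoInstallEnabled set to False is a host that the first two lessons say needs attention; collecting this output across a fleet with Invoke-Command gives a simple inventory of where the upgrade and patching budget should go first.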
Ransomware attacks are becoming more prevalent, and the healthcare sector is a prime target because of the nature of the information it holds and the fact that some healthcare organizations are still operating on old, outdated systems that are vulnerable to attacks. A lack of access to healthcare information can have life-and-death consequences. These factors may lead cyber criminals to view the healthcare sector as likely to pay a ransom to retrieve data, and therefore as an attractive target. HIPAA rules place the responsibility on covered entities and business associates to ensure that patient information is protected, so it is incumbent upon healthcare organizations to ensure that systems are in place to safeguard against cyberattacks.
Learn from the WannaCry attacks; don’t be counted among the next victims of a cyberattack! Attacks are increasing in frequency, scale, and sophistication. It is easy to fall prey and become the next victim. Institute the needed safeguards today.