Civil Rights Office Issues Ransomware Guidance

Ransomware infections are on the rise, and healthcare organizations are ripe targets, which may be why the federal government addressed the subject last week.

Ransomware attacks have risen from about 1,000 a day last year to 4,000 a day this year, Symantec has reported.

Many of those attacks are for small change, but some of the larger ones have been directed at healthcare providers. For example, Hollywood Presbyterian Medical Center earlier this year paid hackers US$17,000 to get its systems back online. Also, Medstar Health this spring coughed up $19,000 to return to normal operations.

The U.S. Health and Human Services Department’s Office for Civil Rights, which enforces compliance with the Health Insurance Portability and Accountability Act, better known as “HIPAA,” has released new guidance for healthcare organizations on ransomware, including the following advice:

  • Conduct a risk analysis to identify threats and vulnerabilities to electronic protected health information, and establish a plan to mitigate or remediate those identified risks;
  • Implement procedures to safeguard against malicious software;
  • Train authorized users on detecting malicious software and report such detections;
  • Limit access to ePHI to only those persons or software programs requiring access; and
  • Maintain an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups and testing of restorations.

Response Plan

Clarification of what to do when an organization is hit with ransomware is the “crown jewel” of the guidance, said Lee Kim, director of privacy and security technology solutions at the Healthcare Information and Management Systems Society.

“There was a lot of confusion in the field about whether or not to report a breach if there was ransomware involved,” she told TechNewsWorld.

“This OCR guidance clearly says that chances are that if you’re infected with ransomware, it’s likely a reportable breach unless there are mitigating circumstances,” Kim said. “Healthcare organizations know now that if ransomware encrypts PHI (protected health information), it’s likely you’ll have to report it.”

The guidelines also recommend that organizations have contingency plans in place that can be set into motion when a security event occurs.

“Larger organizations probably already have contingency plans, but for the smaller guys, the guidelines give them a little more clarity about what HIPAA requires them to do and who to contact when something happens,” Kim explained.

Where’s My Data?

The requirement for organizations to put into place a security management process for risk analysis is a positive step, said Anthony DiBello, senior director and security strategist at Guidance Software.

As part of that analysis, organizations should take a proactive approach to identify, locate and control protected health information, he added.

“Too often, organizations don’t fully understand where sensitive information resides on their networks. When you hear estimates that 60-80 percent of stored information is dark data, — or data that organizations simply don’t know what it is — that creates a tremendous amount of risk,” DiBello told TechNewsWorld.

“Organizations must be able to answer questions about stored data,” he added, “such as, What is it? Where is it? How valuable is it? Who has access to it? Should they have access to it? and What kinds of rules should attach to them?”

The guidelines are helpful, but they could use more detail, said Lysa Myers, a security researcher at Eset.

“I would like to see a bit more about specific techniques and tactics to prevent malware, such as patch or update software regularly, show hidden file extensions, and block executable files sent in email,” she told TechNewsWorld.

Beyond Ransomware

Organizations with savvy management will benefit the most from the guidelines, said DiBello.

“These guidelines will only help healthcare organizations that fully understand the risks and impact of data loss at the C and board level, thus helping to ensure that the appropriate level of importance and budget is dedicated to solving this problem,” he said.

“Organizations that invest in people, processes and technologies designed to protect endpoints, respond to threats, and fully identify where sensitive information resides,” said DiBello, “will help avoid becoming a victim of a ransomware attack, and ensure the risk of data loss is minimized when the inevitable happens.”

The guidelines outline what any security expert would expect to see in any information security management system, and recommend measures designed to give organizations broad protection against cyberattacks, noted Garry McCracken, vice president of technology at WinMagic.

“Ransomware may be the topic of the day, but one should not focus too narrowly just on it,” he told TechNewsWorld. “An ISMS (information security manageament system) will help healthcare organizations better protect themselves in general, not just against ransomware.”

If followed, the guidelines could give healthcare organizations protection against a variety of attacks, Eset’s Myers maintained.

“By adding additional techniques like encrypting sensitive data when it’s stored or when it’s sent via the Internet, and using multifactor authentication,” she suggested, “they can significantly impact an organization’s level of risk.”

No Antidote for Bad Clicks

Even the best guidelines can’t address the core problem that has allowed ransomware to thrive, observed Stephen Gates, chief research intelligence analyst for NSFocus.

“Any new guideline that assists organizations in preventing, detecting, containing and responding to threats, especially ransomware, is a step in the right direction,” he told TechNewsWorld. “However, the question is, will guidance solve the bigger problem of the unsuspecting click?”

Proposing guidelines is one thing; having them followed is another, especially if they’re burdensome. However, that’s not the case with these rules, maintained Myers.

“While the techniques listed may require a significant change in how healthcare organizations handle data, these are not extraordinary measures by any stretch of the imagination,” she said. “Most of these things can be done with minimal purchase of new technology. Most of the cost will just be in terms of personnel power to implement new policies.”

Breach Diary

  • July 10. Twitter accounts of Yahoo CEO Marissa Mayer and Twitter cofounder Jack Dorsey briefly hijacked by hackers.
  • July 11. Netia, Poland’s second largest telecom, confirms hackers gained access to some of its customer data. The hackers claim they stole 14 GB of data from the telecom.
  • July 11. Amazon denies hackers’ claim that they stole 80,000 records belonging to Kindle users from one of the company’s servers. The company has confirmed that the information did not come from Amazon’s servers, and that the accounts in question were not legitimate Amazon customer accounts, it says.
  • July 11. Datadog, whose customers include AWS, Slack, MongoDB and Fastly, advises users to reset their credentials due to a data breach, ZDNet reports.
  • July 11. U.S. Department of Health and Human Services’ Office of Civil Rights issues guidance for healthcare providers for dealing with ransomware.
  • July 11. Ambulatory Surgery Center at St. Mary’s is alerting some 13,000 patients their personal information is at risk from a data breach discovered June 1, reports Bucks County Courier Times in Pennsylvania.
  • July 12. European Commission approves “Privacy Shield” that regulates the flow of data between Europe and the United States.
  • July 12. More than 50,000 payment cards at 49 of the 60 locations of Omni Hotels & Resorts are at risk due to a malware attack and data breach active between Dec. 23, 2015, and June 14, 2016, Dallas Morning News reports.
  • July 12. Pennsylvania Revenue Department announces it is alerting 865 taxpayers some of their personal information was compromised when a laptop was stolen from a rental car in San Francisco.
  • July 12. Security researcher Chris Vickery reports a misconfiguration error has exposed to the public Internet some of the internal security, surveillance and alarms systems of several Department of Public Safety buildings and at least one branch of Midfirst bank in Oklahoma.
  • July 12. Wildly popular Pokeman Go game’s user agreement contains a “ripoff clause” barring lawsuits by players in the event of a data breach and requiring complaints to be settled by arbitration, New York Daily News reports.
  • July 12. Federal magistrate court in St. Louis rejects class action lawsuit against retail brokerage Scottrade over data breach that resulted in the theft of confidential information of 4.6 million customers because plaintiffs did not show they suffered damages from the breach.
  • July 13. U.S. House Committee on Science and Technology releases report revealing Chinese hackers compromised computer systems at FDIC and planted malware on 12 workstations and 10 servers, including systems of the agency’s chairman, chief of staff and general counsel.
  • July 13. Armscor, a defense and arms supplier owned by the government of South Africa, is denying that classified data was stolen from its systems by Anonymous, which claims it stole the IDs of 20,000 Armscor suppliers, as well as customer names and passwords related to the site, International Business Times reports.
  • July 13. U.S. District Court in Maryland rejects class action lawsuit over a data breach at CareFirst and CareFirst of Maryland because allegations of possible future injury are not adequate to allow such a lawsuit to proceed in court.
  • July 14. Ward Solutions releases survey that finds nearly half of Irish businesses (46 percent) would not disclose a data breach because they feared adverse publicity.
  • July 14. Beaming releases study that finds cybersecurity breaches cost UK companies Pounds 34.1 billion in 2015.

Upcoming Security Events

  • July 23. B-Sides Asheville. Mojo Coworking, 60 N. Market St, Asheville, North Carolina. Cost: $10. July 30-Aug. 4. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before July 23, $2295; before Aug. 5, $2,595.
  • July 30-Aug. 4. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before July 23, $2295; before Aug. 5, $2595.
  • August 2-3. B-Sides Las Vegs. Tuscany Suites, Las Vegas, Nevada. Registration: limited free badges at door.
  • August 4-7. Def Con 24. Paris Convention Center, 3655 S. Las Vegas Blvd. and Bally Convention Center, 3645 S. as Vegas Blvd., Las Vegas, Nevada. Registration: $240, cash only at the door.
  • August 9. Delivering Data Security with Hadoop and the IoT. 6 p.m. ET. Webinar by HPE Security. Free with registration.
  • August 9. Cyber Security for National Defense Symposium sponsored by Defense Strategies Institute. Mary M. Gates Learning Center, 701 N. Fairfax St., Alexandria, Virginia. Registration: academia and non-profit, $450; industry/contractor, $925.
  • August 25. Chicago Cyber Security Summit. Hyatt Regency Chicago, 151 E. Wacker Drive, Chicago. Registration: $250.
  • Sept. 7. FTC Fall Technology Series: Ransomware. 1 p.m. Constitution Center, 400 7th St. SW, Washington, D.C. Free.
  • Sept. 7-8. International Cyber Security & Intelligence Conference. Ontario College of Management and Technology, 510-240 Duncan Mill Rd., Toronto, Ontario, Canada. Registration: students, $400.01; others, $700.
  • Sept. 8. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Cincinnati, Ohio. Registration: conference pass, $195; SecureWorld plus, $625; exhibits and open sessions, $30.
  • Sept. 10. B-Sides Augusta. J. Harold Harrison MD, Education Commons, 1301 R.A. Dent Blvd., Augusta, Georgia. Tickets: $20.
  • Sept. 14-15. SecureWorld Detroit. Ford Motor Conference and Event Center, 1151 Village Rd., Dearborn, Michigan. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Sept. 15. B-Sides St. John’s. Capital Hotel, 208 Kenmount Rd., St. John’s, Newfoundland, Canada. Free with registration.
  • Sept. 17. B-Sides St. Louis. Moolah Shrine, St. Louis, Missouri. Free.
  • Sept. 19-21. Iovation Presents Fraud Force “Fast Forward.” Portland Armory, 128 NW Eleventh Ave., Portland, Oregon. Tickets: $495.
  • Sept. 21. New York Cyber Security Summit. Grand Hyatt New York, 109 E. 42nd St., New York, New York. Registration: $250.
  • Sept. 26-28. The Newport Utility Cybersecurity Conference. Pell Center and Ochre Court, Salve Regina University, Newport, Rhode Island. Registration: before July 26, $1,200; after July 25, $1,600.
  • Sept. 27-28. SecureWorld Dallas. Plano Centre, 2000 E. Spring Creek Pkwy., Plano, Texas. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Sept. 29-30. B-Sides Ottawa. RA Centre, 2451 Riverside Drive, Ottawa, Canada. Free with registration.
  • Oct. 5-6. SecureWorld Denver. Colorado Convention Center, 700 14th St., Denver. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Nonmember, $750; student, $80.
  • Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.
  • Oct. 18. IT Security and Privacy Governance in the Cloud. 1 p.m. ET. Webinar moderated by Rebecca Herold, The Privacy Profesor. Free with registration.
  • Oct. 18-19. Edge 2016 Security Conference. Crowne Plaza, 401 W. Summit Hill Drive, Knoxville, Tennessee. Registration: before August 15, $250; after August 14, $300; educators and students, $99.
  • Oct. 18-19. SecureWorld St. Louis. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Oct. 20. Los Angeles Cyber Security Summit. Loews Santa Monica Beach Hotel, 1700 Ocean Ave., Santa Monica, California. Registration: $250.
  • Oct. 27. SecureWorld Bay Area. San Jose Marriott, 301 S. Market St., San Jose, California. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • Nov. 1-4. Black Hat Europe. Business Design Centre, 52 Upper Street, London, UK. Registration: before September 3, Pounds 1199 with VAT; before October 29, Pounds 1559 with VAT; after October 28, Pounds 1799 with VAT.
  • Nov. 9-10. SecureWorld Seattle. Meydenbauer Center, 11100 NE 6th St., Bellevue, Wash. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels