There’s a new threat to your patients’ data from ransomware.

Some of the biggest and most successful ransomware organizations, including REvil (Sodinokibi), have announced that they are not just encrypting data. They are stealing data before they encrypt it, and then threatening to publish the stolen data if the ransom is not paid. These criminal organizations know that if you are regulated by HIPAA or GDPR, you face hundreds of thousands in fines and notification costs for data breaches. These five steps can help you reduce the risk of ransomware and survive a ransomware attack without losing your business if, despite your best efforts, you are a victim of ransomware.

In the past, you could determine that the incident was not a breach if you were able to restore from a secure backup, document your security incident response procedure, and demonstrate a low probability of compromise based on four breach risk factors. Now, your breach risk assessment will likely fail the factor "Whether the protected health information was actually acquired or viewed" (45 C.F.R. § 164.402). Ransomware organizations have announced their intention to access and steal data and some have followed through on that threat. If you are a victim of a ransomware attack after November 2019, you can no longer rely on the ransomware business model of "locking not stealing" data. You have to prove that the hackers did not have access to view or copy data. This is now almost impossible to prove because forensics experts can't rely on the pattern of past ransomware attacks to support their findings. They must provide logs and physical evidence to prove that your data was not accessed or stolen – logs and evidence that is usually destroyed by the ransomware.

Under HIPAA, you are required to implement reasonable precautions to prevent ransomware attacks and create a response plan if an attack encrypts your data. These five steps will help you do both. Ignoring the threat of ransomware can mean losing your business if you aren't prepared.

1. Conduct a HIPAA Risk Analysis.
   Required annually (or as appropriate) by HIPAA, a risk analysis is the first step to identifying what you can do to reduce the risk of a ransomware attack. It’s more than just an IT assessment, so make sure that your risk analysis includes the administrative, physical, and technical safeguards that must be addressed in the HIPAA Security Rule. Click here to see a list of the HIPAA Security Rule standards and implementation specifications.
2. Implement security measures to reduce the risk of ransomware attacks.
   Your risk analysis should help you determine what is appropriate for your office to reduce the likelihood that a ransomware attack will occur and the impact if one does occur. Network security, Windows updates, endpoint security, and backups aren’t the only security measures that may be reasonable and appropriate for your office. Good security requires layers of security measures and the appropriate measures will depend on the types of IT systems you use.
3. Create a security incident response procedure and plan for ransomware.
   You should have a security incident response procedure and plan in place for ransomware, as well as other threats to your patients’ data, as required by Security Incident Procedures 45 C.F.R. § 164.308(a)(6)(i) and Response and Reporting 45 C.F.R. 164.308(a)(6)(ii).
4. Review your cyber insurance coverage.
   Cyber insurance can help you with costs after an incident occurs. Not all policies are the same, so make sure you review your coverage with your insurance agent or broker. Ask about coverage and estimated costs from the new threats of ransomware – threats to publish data if a ransom is not paid. Remember, cyber insurance isn’t a replacement for a risk analysis or security measures implemented to prevent an attack, just like home owner’s insurance isn’t a replacement for good locks and fire extinguishers.
5. Maintain your HIPAA compliance documentation.
   Your risk analysis must be dated before a ransomware attack, not after. Just as your policies and procedures should be in place before an incident occurs. This can help you avoid costly HIPAA fines (some covered entities have been fined $150,000 and more for failure to perform a HIPAA risk analysis) and help you respond to a federal investigation following a breach. The Office for Civil Rights (OCR – the agency who enforces HIPAA) will request dozens of documents, starting with your risk analysis, and you will only have 30 calendar days to respond to the request.

LayerCompliance can help.

If you aren’t sure where to begin, we can help. Call us today 1-800-334-6071 to find out more about LayerCompliance and how our team of experts have helped our clients prevent ransomware attacks and survive the aftermath of ransomware attacks.