Staying HIPAA Compliant in a Post-Wannacry World

On Friday, May 12th, 2017 one of the largest cyberattacks in recent history was launched by a still unknown hacker group. The virus, named WannaCry, is ransomware: it encrypts user data, holds the whole computer hostage, and demands a payment before the data is decrypted. As of the time of this blog’s publication, WannaCry has affected 430,000 computers in 150 countries. Additionally, millions of people have been affected by secondary ripple effects, most notably when Britain’s entire National Health Service was forced to suspend all non-emergency health care services because its national IT network had been hit by the virus. For now, it appears that the tide has been stemmed and few new incidents are being reported.

The basis for the existence of WannaCry is a Windows vulnerability named EternalBlue. It was originally discovered by the NSA, but they held back knowledge of it from Microsoft in hopes of developing the vulnerability as an offensive weapon. Microsoft learned about it at the same time as the general public, when a hacker group called ShadowBrokers released it as part of an NSA dump on the dark web. Microsoft hurried to repair the vulnerability with a patch, but many users had not run Windows Update by the time the virus was released. The virus only affected systems without the critical patch, which includes all Microsoft operating systems that are no longer supported (Windows XP and Vista) and machines that had not run Windows Update.

This attack was not an isolated incident. According to the anti-virus megacorp Symantec, ransomware attacks jumped by more than 33% in 2016 to over 483,800 total incidents. Fortunately, protecting yourself from a ransomware attack is not difficult. We’ve compiled a list of the three most important steps to ensure your data stays secure given the current threat of further ransomware attacks.

1) Back up your data NOW

A ransomware attack could come unexpectedly, so the best practice is to be proactive and back up all of your data frequently. At the bare minimum, data should be backed up once annually. World Backup Day, March 31st, is a good time to do so. One easy and quick way to achieve this is through the use of cloud storage services. This is a particularly robust option because your data will be backed up in an alternate and often decentralized location. Also, you can set many cloud storage services to back up your data automatically. Here is a list of some HIPAA compliant cloud storage services.

It’s also strongly recommended to periodically back up your data on physical devices such as external hard drives in case of cloud service disruption. Just remember, both cloud and physical storage of PHI come with their own risks, so you should have policies and procedures in place to address those risks and mitigate them.

2) Migrate older operating systems and patch current operating systems

The WannaCry virus preyed on one of the most basic vulnerabilities: out-of-date operating systems. It is imperative that the OS on every computer containing sensitive data is up to date. Below are 3 ways to achieve this.

  • If your organization has an IT department

    • Ensure that your IT department has the staffing, financial, or technological resources that it needs to roll out critical patches when they are issued. Check-in with the IT team to understand what their patch policy is and whether there are any roadblocks that are preventing them from patching regularly.

    • The critical patch can be downloaded here and pushed out to your organization by your IT department.

  • If you manage your own IT

    • Always ensure that your Windows operating system is updated as quickly as possible.

    • Instructions for manually updating your computer can be found on the Microsoft website.

    • You can also turn on Automatic Updates to receive the newest updates right away.

  • If you’re running Windows XP or Vista

    • You need to migrate to a newer operating system as soon as humanly possible.

    • As of April 11, 2017, Microsoft’s support for Windows Vista ended. All machines running Vista are highly susceptible to malware infections and should be upgraded immediately.
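As an added illustration of step 2 (example code written for this post, not Microsoft's or the original author's), the following PowerShell script reads the patch posture of one Windows machine: whether it is an XP/Vista-generation OS, how Automatic Updates is configured, and which updates Microsoft rates Critical are still pending. It goes one step beyond the post by also reporting whether the SMBv1 server is enabled, since EternalBlue is a flaw in that protocol; it assumes Windows PowerShell 3 or later in an elevated prompt.

```powershell
# Read-only patch-posture check for one Windows host (added example, not from the post).
# Assumes Windows PowerShell 3+ and an elevated prompt; nothing here changes the machine.
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ver = [Version]$os.Version
"OS: $($os.Caption) (version $($os.Version))"

# 1) Unsupported operating systems named in the post.
#    Windows XP is NT 5.1 and Vista is NT 6.0; anything below 6.1 (Windows 7) is out of support.
if ($ver -lt [Version]'6.1') {
    Write-Warning "XP/Vista-generation OS detected: migrate it, patching alone is not an option."
}

# 2) Automatic Updates configuration. NotificationLevel 4 = download and install on a schedule,
#    which is the "turn on Automatic Updates" setting the post recommends.
$au     = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
$levels = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download';
             3 = 'Notify before install'; 4 = 'Scheduled install' }
"Automatic Updates: $($levels[[int]$au.NotificationLevel])"
if ([int]$au.NotificationLevel -lt 4) {
    Write-Warning "Automatic Updates is not set to install updates automatically."
}

# 3) Pending updates, filtered to the ones Microsoft rates Critical (MsrcSeverity).
#    A missing Critical update is the gap a worm like WannaCry exploits.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
$critical = @($pending | Where-Object { $_.MsrcSeverity -eq 'Critical' })
"Pending updates: $($pending.Count); rated Critical: $($critical.Count)"
$critical | ForEach-Object { "  MISSING: $($_.Title)" }

# 4) SMBv1 server status. EternalBlue targets SMBv1, so a host with it disabled is not
#    exposed even while a patch is pending. Get-SmbServerConfiguration exists on
#    Windows 8 / Server 2012 and later, hence the try/catch for older systems.
try {
    $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    "SMBv1 server enabled: $smb1"
    if ($smb1) {
        Write-Warning "SMBv1 is enabled; review Set-SmbServerConfiguration -EnableSMB1Protocol `$false with your IT team."
    }
} catch {
    "SMBv1 check not available on this OS version."
}
```

Run it on each machine that stores PHI and treat any warning line as a work item for the patch roll-out.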

3) Create a ransomware incident response plan

Sometimes, despite our best efforts, malware attacks occur. That is why it is vital to create an incident response plan and so mitigate the potential for harm. According to recently released HHS guidance, a ransomware incident response plan should accomplish the following:

  • Detect and conduct an initial analysis of the ransomware.

  • Contain the impact and propagation of the ransomware.

  • Eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation.

  • Recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations.

  • Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.

Don’t worry if the specifics of how to achieve the steps in the guidance seem vague. A qualified HIPAA professional can guide you through the creation of a robust incident response plan that satisfies the HHS requirement.

According to malware guru Lawrence Abrams, the WannaCry attack has enjoyed such an impressive level of success that copycats will invariably arise and the frequency of ransomware attacks will begin to increase at an even faster rate. This is a cause for concern for everyone in the healthcare industry. But with the implementation of these three steps, you’ll be ahead of the game and ready to respond as effectively as possible.