HHS Fact sheet on Ransomware and HIPAA

HHS has produced an 8 page fact-sheet on Ransomware and HIPAA that is fantastic. It is so good that I have very little to say, as any emphasis I would add is already in the 8 pages. Just 8 pages, packed with very readable, reasonable, reasoned guidance, all of it backed by long standing Security and Privacy provisions of the HIPAA Regulation. There is no need for new regulation, as it is indeed all covered.

Call to action

I recommend hospital leadership sit down with the "Security" Office and "Privacy" Office and walk through these simple 8 pages. If ANYTHING in the 8 pages is surprising, then you have a big problem on your hands. There is NOTHING in these 8 pages that should be surprising. This fact-sheet should be viewed by hospital leadership just like a contracted penetration test report, except this one is better written. For example, this quote from an HHS article, "Your Money or Your PHI: New Guidance on Ransomware":
The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including:
  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
  • Implementing procedures to safeguard against malicious software;
  • Training authorized users on detecting malicious software and reporting such detections;
  • Limiting access to ePHI to only those persons or software programs requiring access; and
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

Ransomware is a Privacy Breach

The one point that did surprise me was the approach that an incident of ransomware is considered a Privacy Breach, unless proven otherwise.
Some of the other topics covered in the guidance include: understanding ransomware and how it works; spotting the signs of ransomware; implementing security incident responses; mitigating the consequences of ransomware; and the importance of contingency planning and data backup. The guidance makes clear that a ransomware attack usually results in a "breach" of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecured PHI must notify individuals whose information is involved in the breach, HHS, and, in some cases, the media, unless the entity can demonstrate (and document) that there is a "low probability" that the information was compromised.
The point is that you must start with the presumption that the data was breached, and then prove that it was not. If the ransomware had enough access to encrypt the data, then it had enough access to exfiltrate it. Rebutting that presumption means doing, and documenting, the Breach Notification Rule's risk assessment for that specific incident, not just asserting that "it was only encrypted, nothing left the building."

The fact-sheet continues to explain this point, and explains it from many angles. It goes into express detail around the situation where the data that has been encrypted by the ransomware was already encrypted under the healthcare organization's own encryption-of-data-at-rest. The short version: data-at-rest encryption only takes the incident out of the "unsecured PHI" category if the data was actually protected at the moment the ransomware ran; a full-disk-encrypted volume that was mounted and readable to the process that encrypted it was not protected from that process. They nailed this one very nicely, and in few words.

Risk Assessment and Management Plan is not static

The one point of emphasis I would add is that the "Risk Assessment and Management Plan" that is indeed required by the HIPAA Security Rule is also required to be revised periodically. 45 CFR § 164.306(e) states:
"Security measures implemented to comply with standards and implementation specifications adopted under § 164.105 [(the Organizational Requirements)] and this subpart [(the Security Rule)] must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of [EPHI] as described at § 164.316."
A ransomware incident, or a new ransomware variant in the wild, is exactly the kind of change that should trigger such a review: the threat list, the likelihood estimates, and the backup and restoration controls in the plan all need to be re-checked against it.

Conclusion

I am very impressed and happy with all of the fact-sheets out of HHS. They have a very hard job of explaining difficult subjects to a huge and heterogeneous audience, made up of both mature organizations and unprepared organizations. These fact-sheets should be viewed as an opportunity to exercise and investigate your working Security and Privacy plan.

Other articles I have on Security/Privacy Risk Assessment/Management
