Health Information Compliance Alert

Tip: Ransomware attacks usually warrant a forensic team.

Cyber criminals don’t take a break — even in the midst of a pandemic. And with many providers busy fighting COVID-19 on the front lines, data security may be falling to the wayside, leaving the door open for hackers.

Problem: With their abundance of sensitive patient data ripe for the taking, hospitals and other healthcare facilities remain vulnerable targets, especially during these trying times. Many providers are operating in crisis mode, strapped for cash, and pushing IT issues to the back burner.

In addition, HHS Office of Inspector General (OIG), the Federal Bureau of Investigation (FBI), and others have reported increased cyber activity, including coronavirus phishing, COVID-19 texting scams, and malware infiltrations. Experts warn that healthcare could see an influx of ransomware attacks in the coming months, too.

Reminder: Covered entities (CEs), their business associates (BAs), and their patients are particularly vulnerable to “targeted” ransomware attacks, the HHS Office for Civil Rights (OCR) stresses in its Cybersecurity Newsletter. “In such incidents, ransomware can be customized and deployed based on the size and sophistication of a potential victim,” explains OCR. “The ransom demands for this type of attack are often set according to the victim’s perceived ability to pay,” the agency adds.

First, Prevent and Mitigate Risks

CEs are required to analyze and manage their risks as part of the HIPAA Security Rule. Not only do they need to follow through on these steps because it is required under the law, but CEs and their partners should do this to protect their patients’ electronic protected health information (ePHI) — and essentially their bottom lines.

Breach prevention starts with a thorough assessment of your organization’s IT practices, software, hardware, training, and more. Next, the information gleaned from the audit is analyzed. This analysis is used to make a compliance plan with the goal of mitigating data security risks and decreasing the chances of HIPAA violations. Finally, your IT staff or vendor implements measures to maintain and manage risks (i.e. password controls, logging and monitoring, patch updates, etc.).

Unfortunately, there’s no end to the nefariousness of cyber attackers, and even the savviest tech departments experience data security issues. The key is sifting through the clues that led to the outage — and ensuring it doesn’t happen again.

“If you’re attacked, get the best information security experts you can afford to see if there is a way out and to keep from damaging any evidence you may need to preserve,” recommends HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont.

Understand the Reasoning Behind a Forensic Investigation

If you find yourself on the wrong side of a data security breach, the best way to get answers is with an in-depth forensic investigation of your systems. Neither OCR nor the HIPAA Security Rule mandate this kind of check-up, but their findings often reveal things that your IT personnel may have overlooked.

“Forensic investigators provide an independent set of investigative eyes,” advises Jen Stone, MSCIS, CISSP, QSA, a security analyst with Security Metrics in Orem, Utah. “A forensic team is typically engaged if you believe your systems have been compromised but don’t know the extent of the breach, or whether it is a reportable breach under HIPAA rules.”

These specially trained teams find answers and uncover the security vulnerabilities that led to the breach in the first place, Stone suggests. “Even when IT groups believe that they’ve discovered the source of the compromise, forensic investigators routinely find evidence that was missed and the security weaknesses that will, when corrected, prevent the hackers from succeeding the next time,” she explains.