300%* increase in daily ransomware attacks since 2015: top concern for U.S. HHS
*United States Government Interagency Guidance Document, How to Protect Your Networks from Ransomware available at https://www.justice.gov/criminal-ccips/file/872771/download
U.S. healthcare organizations must become far more proactive about mitigating ransomware threats before they turn into attacks — and, in the event of an exploit, you must rapidly disclose a data breach to the U.S., your customers and partners.
New HIPAA guidance has come out in response to an alarming increase in daily ransomware attacks against U.S. healthcare organizations—putting the security of PHI at unprecedented levels of concern. But should this really come as shocking news to you? After all, physicians, nurses, technicians, administrators and other healthcare professionals are increasingly viewing and editing PHI on mobile devices (including BYOD) that your IT risk/security teams simply cannot adequately monitor using only EMM and MDM. Clearly, new IT solutions are needed for PHI’s new risk landscape in the age of mobility.
Ransomware is a type of malware that encrypts patient data (PHI) so that it cannot be used until a ransom is paid to the attacker in exchange for the key needed to decrypt it. Ransomware is also used in conjunction with other malware by the hacker community to destroy or exfiltrate patients’ healthcare data.
Unchanged in the HIPAA guidance are the cyber-security recommendations that your healthcare organization is responsible for, at a minimum:
- Identify cyber-risks and craft a plan to manage them, such as limiting access to sensitive patient information to only those people who really need it
- Establish explicit policies to protect your systems from malware
- Educate end-users to 1) recognize malware and 2) follow your cyber-security policies and procedures
New to the HIPAA guidance are deeper clarifications of your responsibilities to fight ransomware attackers by upgrading your IT security and policies in three critical areas: Disclosure, Detection and Education.
“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware.”
—Jocelyn Samuels, Director, HHS Office for Civil Rights
1. Disclosure must be rapid
The State of California has often set the precedent in cyber-security matters for sweeping initiatives across the U.S. The new HIPAA guidance may reflect California’s new 2016 law expediting disclosure of data breaches. As a healthcare organization handling ePHI, your disclosure responsibility is the primary means by which your patients, partners, workforce and local, State and U.S. governments can recover from a breach. Delaying disclosure only compounds the risk and damage across your value chain.
2. Detection must be proactive
The new HIPAA guidance asks for an improvement in your healthcare IT security that may seem like something easier said than done:
…conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI [that healthcare] entities create, receive, maintain, or transmit…
The HHS recommendation is meant to counter the speed and persistence of today’s malware attacks: the only way to stay ahead of ransomware attackers is to stop their threats before they turn into attacks—become proactive about malware defense. But how do you detect malware threats that have yet to attack when your healthcare organization is only equipped with traditional IT security tools designed to react to attacks?
If your healthcare organization is like most, your mobile IT security may rely solely on very powerful but reactive tools: EMM (Enterprise Mobility Management) and MDM (Mobile Device Management). Perhaps your mobile IT risk and security strategy has also leveraged containerization, VPN tunneling and other mobile endpoint protection tools—all designed as reactive measures.
Mobile Threat Defense (MTD) is a new breed of endpoint protection that offers proactive and predictive capabilities to root out ransomware and other malware—while integrating with your existing EMM/MDM tools to preserve their powerful reactive IT security capabilities. With the addition of MTD, your healthcare organization can follow the new HIPAA guidance without disrupting your architecture or budgets. Easily said and easily done.
3. Malware education should be painless for users
Jocelyn Samuels, Director of the U.S. HHS Office for Civil Rights, notes that “ransomware typically gets onto a system through malicious email attachments or links to malicious websites, both of which can be addressed… with employee education.”
Malware education boils down to one question: which cyber-security recommendations do users ignore, and which actually stick with them? So many ransomware and other malware attacks continue to originate from risky user behavior, e.g., opening email attachments that shouldn’t be opened.
Making malware education more effective for your healthcare users means making it painless. At Skycure, we emphasize the incredible importance of providing users with easy-to-understand notifications that pop up on their devices with the right context—helping users understand exactly how and why their behavior was risky. Gently guiding users (especially BYOD users) away from risky actions is an irreplaceable strategy for maintaining HIPAA compliance.
Skycure Mobile Threat Defense | Healthcare Solutions
Turn the lights on the ransomware threats to your healthcare organization and defend all devices—including BYOD—without infringing on user privacy and productivity. Get a FREE Skycure trial today. Also, learn how to upgrade your EMM/MDM with mobile threat defense to get proactive and predictive about HIPAA-compliant mobile IT security.