Advanced and evolving ransomware infections (malicious software (malware) that encrypts the data on the compromised device and/or steals that data, then demands payment for the decryption key) are becoming more prevalent and more costly every day. A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015). Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure, then denies the organization access to its own data by encrypting it. A malware infection may also carry additional malicious payloads, including spyware applications that exfiltrate usernames and passwords, non-public information (NPI), and other confidential information about the computer, the user, and the data, or that use the user’s email contacts to spread the malware further. Given how lucrative it is for those who deploy it, one can assume these attacks will continue for the foreseeable future. A current statistic published by McAfee™ stated that just one organization spreading ransomware made $121 million in the last year.
Fortunately, there are measures known to be effective in preventing the introduction of ransomware and in recovering from a ransomware attack. This article highlights several relevant areas that, with proper implementation and assessment, will support a health care entity’s efforts in ransomware attack prevention and recovery, viewed from a health care sector perspective. It also addresses guidance supported by the controls included in the Health Insurance Portability and Accountability Act (HIPAA), which can assist HIPAA-covered entities (CEs) and business associates (BAs) with prevention of and recovery from ransomware attacks, and explains how HIPAA breach notification processes should be managed in response to a ransomware attack.
While this article is intended to focus on the needs of CEs and BAs, other business sectors and vertical markets that store, process, transmit, or otherwise share personally identifiable information (PII) are likewise targets for ransomware attacks. They include the banking, retail, not-for-profit, education, and government/municipal sectors. Those sectors are all subject to similar laws and regulations that require the protection of PII, and the controls noted in this article can support their efforts, too.
In general, institutions that are victims of cyber-attacks involving ransomware extortion are encouraged to inform law enforcement authorities and notify their primary regulator(s). In the event that an attack results in unauthorized access to protected data, the institution also has a responsibility to notify its federal and state regulators in accordance with the laws and regulations that govern the institution. Required notifications include those contained in HIPAA,[1] the New York State Information Security Breach Notification Act,[2] and the Gramm–Leach–Bliley Act;[3] other applicable state laws may also apply based on the data owner’s permanent residence.[4]
Reprinted with permission from: Health Law Journal, Winter 2016, Vol. 21, No. 3, published by the New York State Bar Association, One Elk Street, Albany, New York 12207
Carl Cadregari is an executive vice president based out of our Rochester, NY office. This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.