By John Sharpe and Kim Rhoades
In May, “WannaCry” ransomware attacked nearly 150 countries. In June, the “Petya” virus spread over the globe in a matter of hours (initially thought to be a ransomware attack; at the time of this writing some are theorizing that Petya was a disguised cyberwar attack). The health care industry was not immune to these attacks and many hospitals in England were affected. WannaCry locked doctors out of patient files and disrupted operating schedules, potentially endangering lives.
The federal government has issued information and guidance that impacts Medicare and Medicaid health care providers. In response to the WannaCry incident, U.S. Department of Health and Human Services’ Office of the Assistant Secretary for Preparedness & Response issued an update specifically addressing the threat of ransomware attacks to health care organizations. The update includes a link to a previous ASPR “TRACIE” newsletter focused on cybersecurity and cyber hygiene. In June, HHS ASPR issued the report from the Health Care Industry Cyber Security Task Force.
In addition, on June 2, HHS’s Centers for Medicare and Medicaid Services issued guidance impacting multiple provider and supplier types eligible for participation in Medicare. It requires providers and suppliers to develop and maintain a comprehensive emergency preparedness program covering a variety of hazards, including cyberattacks.
Here are some brief tips from those ASPR materials for those entities that operate in the health care field.
The most common delivery mechanism for a ransomware attack is through a malicious file attached either through a link or attachment. The file may contain hidden extensions that contain executable files or lead you to a malicious website. This is a frequent warning, but the best defense is to train your employees to be wary. Only open emails you are expecting from people you know. If you receive an attachment or a link from a colleague that you were not expecting, before opening, take a minute and call to verify. Malicious actors count on you acting quickly without thinking. Stop before opening something if you are not 100 percent certain of the source.
Keep up to date
WannaCry was addressed by a Windows security patch weeks before the current attack. Patched systems were not infected. Keeping your system up to date and properly patched can prevent a nightmare scenario.
If you are a victim, HHS recommends that your contact your local FBI field office immediately to report the attack and request assistance. HHS further recommends that your organization report the incident to the United States Computer Emergency Readiness Team and FBI Internet Crime Complaint Center. A ransomware attack can have HIPAA implications.
An attack on a health care organization is considered a reportable breach unless the organization can prove the data was encrypted or otherwise unreadable. If the organization cannot show this, then the breach must be reported within 60 days of discovering the attack. Failure to adhere to this timeline has resulted in a major fine under HIPAA on at least one organization. A breach response cannot be forgotten in the chaos and must be handled within the required timeframe.
Health care providers have invested substantial resources over the last two decades developing and implementing electronic systems for managing patients, treatments, data and records. Now protocols are needed to manage these activities if the technology becomes inaccessible. How each provider prepares will be specific to its services and supplies, but each response plan must include the following:
1. A multidisciplinary response team. At a minimum, the team should include:
• A leader (directs and facilitates activities)
• A logistics coordinator (administratively supports the team)
• Communications (coordinates all internal and external communication)
• Legal/regulatory (legal and compliance recommendations)
• IT (provides incident impact information and updates to resecuring the data)
• Operations (provides operational and financial impact information).
There are a growing number of lawyers who are bilingual (speak tech and law!) who can help bridge any communication gaps among members of the team.
2. Incident notification. The plan should describe the who, what, when and how a cyber-incident should be reported to management and law enforcement as well as identify the external stakeholders and the timeframe for sending notification to them. The following resources provide information about the legal reporting requirements:
• HIPAA Breach Notification Rule
• HHS HIPAA Breach Notification Form
• Complying with the FTC’s Health Breach Notification Rule
3. Investigations. The plan should provide for a forensic investigation to identify how the breach occurred, how the damage can be minimized and how similar attacks can be prevented in the future. Coordination with law enforcement should be addressed. Depending on the facts and complexity of the case, assistance from an outside firm may be advisable.
4. Internal communications. Employees need to receive clear and consistent messages to minimize rumors and uncertainties. Details of what occurred may not be available, but the initial communication should let staff know of the issue and remind them of applicable policies and procedures concerning confidentiality, contact with media and record retention. The plan should also identify timelines for internal and external communications.
5. Media communications. Internal or external media relations experts should be consulted to design the talking points which accurately but succinctly describe the nature of the breach, the potential harm and recommended actions.
6. Remediation. Once the investigation is complete and the cause and impact identified, the response plan needs to address steps to eliminate a recurrence and reduce the harmful impact to victims. The remediation portion of the plan should address:
• Updating software, policies and procedures implicated in the breach investigation.
• Training staff or retraining on preexisting protocols on data, privacy and security that were not followed and consequences for the failure to follow the protocols.
• Securing privacy or credit monitoring services for victims.
• Establishing a process and timeframe for regular audits of the security and data protection systems, including detection exercises with a third party.
• Debriefing and analyzing the preparation and pre-attack drills to identify if staff were adequately prepared to carry out essential services during the event.
The following resources provide additional guidance:
• Ransomware Q & A
• Current information on attack
• Indicators Associated with WannaCry Ransomware
• Additional Information on Ransomware
• HHS Update #3: International Cyber Threat to Healthcare Organizations
• Request an unauthenticated scan of public IP addresses from DHS: Contact them for more information at NCATS_INFO@hq.dhs.gov
• John Sharpe and Kim Rhoades are health care attorneys at Taft Stettinius & Hollister LLP. They can be reached at firstname.lastname@example.org and email@example.com. The opinions expressed are those of the authors.