Incidents of cybercrime, like cyber extortion, are rising in the healthcare industry and will continue to be a major source of disruption for providers in the coming years. In order to help combat this crime, the Department of Health and Human Services’ Office for Civil Rights (OCR) has released further guidance describing what cyber extortion is and what to do if a healthcare organization becomes a victim.
OCR’s January Cybersecurity Newsletter listed the various forms of cyber extortion and things healthcare organizations can do to reduce the chances of becoming a victim. “Cyber extortion can take many forms, but it typically involves cybercriminals’ demanding money to stop (or in some cases, to merely delay) their malicious activities, which often include stealing sensitive data or disrupting computer services,” the OCR newsletter stated. “Organizations that provide necessary services or maintain sensitive data, such as Healthcare and Public Health sector organizations, are often the targets of cyber extortion attacks.”
Ransomware is a common form of cyber extortion in which attackers deploy malware that renders a healthcare organization’s data inaccessible, usually through encryption, OCR stated. Attackers then demand payment to decrypt the provider’s data. Paying this ransom, OCR noted, may not result in an organization getting all or even a portion of its data back. OCR recommends providers read a fact sheet that provides guidance on preventing and responding to ransomware attacks for HIPAA-covered entities and their business associates.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are another common form of cyber extortion. These attacks direct a high volume of internet network traffic at a targeted computer, leaving it unable to function or making it appear inaccessible to legitimate users, OCR said. “In this type of attack, an attacker may initiate a DoS or DDoS attack against an organization and demand payment to halt the attack, or the attacker could threaten an attack and demand payment to not initiate the attack,” OCR stated. OCR recommends providers read another tip sheet it developed for identifying possible DoS or DDoS attacks and taking steps to prevent them.
“Although cyber attackers constantly create new versions of malicious software and search for new vulnerabilities to exploit, organizations must continue to be vigilant in their efforts to combat cyber extortion,” OCR wrote. OCR recommends healthcare organizations take the following steps to reduce the chances of being a victim of cyber extortion:
- Implement a robust risk analysis and risk management program that identifies and addresses cyber risks holistically, throughout the entire organization.
- Implement robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis.
- Train employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization.
- Deploy proactive anti-malware solutions to identify and prevent malicious software intrusions.
- Patch systems to fix known vulnerabilities that could be exploited by attackers or malicious software.
- Harden internal network defenses and limit internal network access to deny or slow the lateral movement of an attacker and/or propagation of malicious software.
- Implement and test robust contingency and disaster recovery plans to ensure an organization is capable and ready to recover from a cyberattack.
- Encrypt and back up sensitive data.
- Implement robust audit logs and review such logs regularly for suspicious activity.
- Remain vigilant for new and emerging cyber threats and vulnerabilities (for example, by receiving United States Computer Emergency Readiness Team alerts and participating in information sharing organizations).
For more information on cybersecurity resources from OCR, visit www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html.
Chris Dimick (firstname.lastname@example.org) is editor-in-chief at Journal of AHIMA.