Preventing a HIPAA Breach – Phishing Attacks and Access

Your organization’s security risk analysis and security awareness training are the best defense against nefarious cyber criminals. In reviewing breaches from 2017, cyberattacks with ransomware brought organizations to a standstill if they lacked a pre-emptive back-up plan for the data hostage situation; a few had no choice but to succumb to the hackers’ payment demands. When healthcare entities were the intended ransomware targets, breach of protected health information (PHI) was not their only concern— the delivery of patient care was significantly altered or even completely blocked. To mitigate your organization’s potential security risks for 2018, specific areas to address must include your staff’s awareness of phishing emails and proper procedures for terminating employee access when necessary.


As part of security awareness training, your staff must understand the potentially disastrous effects of phishing emails. Tips on detecting phishing emails should include methods of reporting them, to prevent other employees from falling victim to the same scam. One notable scheme in 2017 involved a fake survey sent to employees’ email accounts at a healthcare center. Hackers gained access to the accounts of those employees who submitted the survey and were able to re-direct the employees’ paychecks into the hacker’s bank account. During the investigation, it was also determined that the email accounts contained patients’ PHI. Although it was uncertain whether the hacker actually accessed the PHI, the HIPAA breach notification protocol had to be followed, including costly identity theft monitoring for those affected.


Knowledge of common phishing email schemes will help staff realize how sneaky the cybercriminals can be. Simply clicking a link or attachment, or even just opening an email, may allow the hacker to insert malware, ransomware or a virus. Employees should exercise caution if they receive an email letter from their CEO or another executive in the organization, even when appropriate logos are present. An email containing multiple misspellings or poor sentence structure should always give pause. An email request for password information should be a glaring red flag. Staff should always avoid URLs beginning with http://. The S in https:// stands for “secure”: the data exchange is encrypted to prevent others from eavesdropping on the computer communication. Any URL lacking the domain name of the specific organization immediately following the https:// is also suspect.
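The URL checks above, written out as a small Python link screener for email bodies (an added example, not code from the original article; the organization domain and the sample message are constructed). It also covers the case the prose only implies: the organization’s name appearing right after https:// is necessary but not sufficient, because it can be a label inside someone else’s domain or text placed before an ‘@’.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: domains this (hypothetical) organization legitimately uses.
ORG_DOMAINS = {"example-health.org"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def link_warnings(url, org_domains=ORG_DOMAINS):
    """Return the reasons an emailed link is suspect (empty list = passes)."""
    reasons = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # https://example-health.org@attacker.test shows the org name first,
        # but the browser connects to whatever follows the '@'.
        reasons.append("text before '@' hides the real host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        reasons.append("no host")
        return reasons
    if not any(host == d or host.endswith("." + d) for d in org_domains):
        reasons.append("host '%s' is not the organization's domain" % host)
        if any(host.startswith(d) for d in org_domains):
            # example-health.org.attacker.test: the org domain appears right
            # after https:// but is only a label inside another domain.
            reasons.append("organization name used as a lookalike prefix")
    return reasons


def scan_email_body(text, org_domains=ORG_DOMAINS):
    """Map every link in an email body to its warnings; flagged links only."""
    flagged = {}
    for url in URL_RE.findall(text):
        reasons = link_warnings(url, org_domains)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample message modelled on the fake-survey lure described above.
SAMPLE_EMAIL = """Dear staff, please complete the 2018 benefits survey today:
https://example-health.org.survey-portal.test/hr
Confirm your payroll login at http://example-health.org/payroll
Policy reminder: https://intranet.example-health.org/policies
"""
```

Calling `scan_email_body(SAMPLE_EMAIL)` flags the first two links and passes the intranet link, whose host is a genuine subdomain of the organization.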


Termination of employee access may be necessary to maintain the security of the organization. Access must be terminated immediately upon employee termination. While a breach may result from a current employee’s malicious intent, other breaches have been attributed to unauthorized access by prior workforce members whose access was not appropriately terminated. In November 2017, the Office for Civil Rights (OCR) issued guidance on how to terminate electronic and physical access when an employee quits or is terminated. A few of the key steps include the following: notification of the IT department or security official; deactivation or deletion of user accounts; retrieval of all remote devices; and erasure of any ePHI on personal devices. Procedures should also be in place for any changes to employee job descriptions, specifying how the level of access should be altered to reflect the new job classification.


Unfortunately, many of these cyberattacks on the healthcare industry were not easily prevented, such as the multiple attacks by the infamous TheDarkOverlord (TDO). Due to the serious ramifications of ransomware attacks on healthcare facilities, the OCR issued guidance on what to do in this hostage situation. The following processes are recommended for security incident procedures:

  • detect and conduct an initial analysis of the ransomware;
  • contain the impact and propagation of the ransomware;
  • eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations; and
  • conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of PHI), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.


Since it’s that time of year to report all breaches affecting under 500 individuals, be sure corrective action has been implemented in your organization to prevent any possible recurrences. Most importantly, your employees must be aware of any changes to your security policies and procedures for 2018.