HIPAA Survival Guide Newsletter June 2017: Issue 90
Your HIPAA Compliance Companion
June 2017 Webinar
WannaCry - PostMortem Lessons Learned
Description:
This webinar will summarize the lessons learned by the healthcare industry from WannaCry & perform a postmortem on WannaCry's impact.
Date and Time: June 15, 2017, 2:00 Eastern
- Two new training videos are available: The Cloud & HIPAA and Phishing & Ransomware.
- Expresso® is now available as a Fifteen (15) day FREE Trial. More...
- Expresso® is also available as a MONTHLY SUBSCRIPTION. More...
- Expresso® supports multiple users with different security roles. More...
- Our Privacy Rule Checklist has been enhanced with an additional model form and policy, as well as an improved method for tracking Workforce training. More...
- We have added an Agile Methodology and Risk Management Framework ("RMF") product that compresses the time it takes our Subscribers to establish a "Culture of Compliance." More...
- We added a new educational video that describes how to run reports that can be filtered. More...
June Newsletter: WannaCry Lessons Learned & Post Mortem
Introduction
WannaCry was the "shot heard round the world!" It dominated local, national and international news cycles for several days. We are now more than a few weeks past the event and the public is still learning of additional infections. HHS responded to the blitzkrieg by publishing a recurring set of announcements providing mitigation strategies for the healthcare industry. Why? We suspect that HHS knows, as do the rest of us, that the healthcare masses were (and remain) woefully unprepared for this kind of event.
We have crossed the Rubicon and there is no going back. In its recent guidance HHS has stated what we all know to be obvious: the HIPAA Security Rule ("SR") is not the be-all and end-all of the cybersecurity controls the healthcare industry needs in order to respond to the "bad guys"; according to HHS it represents nothing more than a floor. Here's the $$ quote:
It is expected that covered entities and business associates will use this process of risk analysis and risk management not only to satisfy the specific standards and implementation specifications of the Security Rule, but also when implementing security measures to reduce the particular risks and vulnerabilities to ePHI throughout an organization's entire enterprise, identified as a result of an accurate and thorough risk analysis, to a reasonable and appropriate level. For example, although there is not a Security Rule standard or implementation specification that specifically and expressly requires entities to update the firmware of network devices, entities, as part of their risk analysis and risk management process should, as appropriate, identify and address the risks to ePHI of using network devices running on obsolete firmware, especially when firmware updates are available to remediate known security vulnerabilities. [Emphasis Added].
There is potentially a plethora of lessons to be learned from WannaCry, but HHS has focused on two that appear to be the most obvious and important (from both a mitigation and an enforcement perspective): (1) covered entities ("CE") and business associates ("BA") need policies, processes and tracking mechanisms that let them meet the SR's Contingency Plan standard with visible, demonstrable evidence ("VDE") that backups and disaster recovery actually work; and (2) scanning your network on a periodic basis is the only way to get "ahead of the curve" with respect to a WannaCry-like attack. Not doing so is facially likely to amount to "willful neglect", the penalties for which start at $50K per violation.
HHS (and almost every other commentator) made the first lesson expressly. The second is implicit in the quote above and is something we discuss at more length below.
What is Ransomware?
Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a CE or BA's computers and PHI, usually by encrypting the data with a key known only to the "bad guys" who deployed the malware, until a ransom is paid. After the PHI is encrypted, the ransomware directs the CE or BA to pay the ransom to the attacker (usually in a cryptocurrency such as Bitcoin, which is pseudonymous and hard to tie to a real person even though its ledger is public) in exchange for a decryption key. However, the "bad guys" may deploy ransomware that also destroys or exfiltrates PHI, or ransomware in conjunction with other malware that may have unpredictable motives and objectives. Ransomware is not necessarily the result of a "hack" per se; there are many ways to compromise your network's perimeter, including low-tech but highly sophisticated social engineering schemes such as phishing, or, as WannaCry demonstrated, a worm that exploits an unpatched network service with no user interaction at all.
What is the cost of Ransomware?
Although allegedly (circa May 23, 2017) the WannaCry perps had collected only about $50K USD, this figure is likely to increase significantly, given the ransom note's built-in escalation (the longer you wait to pay, the more $$ it costs). In 2016, the cost of ransomware is estimated to have reached $1.5 billion, according to market researcher Cybersecurity Ventures. However, that number includes lost productivity and the cost of conducting forensic investigations and restoring data, all of which makes actual cost data notoriously hard to estimate. The same is true for breach notification costs. And, more insidious yet, some ransomware attacks will also result in breach notification costs: under HHS's 2016 ransomware guidance, encryption of ePHI by ransomware is presumed to be a breach unless the entity can demonstrate a low probability that the PHI was compromised, for example because the PHI was already encrypted to the NIST standard HHS references before the attack. In any case, it can be stated with a fair degree of certainty that every organization infected will face non-trivial recovery costs, even if breach notification costs and civil monetary penalties are not factored in. The impact is likely to be most severe for the SMB marketplace, where the talent gap for dealing with these kinds of attacks is the widest (often non-existent).
What is the cost of non-compliance?
"How much is your data worth to you?" You may not know the answer to this question but the "bad guys" certainly do, because they have been making millions from it. Data is the new oil. It will dominate the 21st century the way oil did the 20th. Sure, the $$ haul from the WannaCry attack has not been all that impressive so far, but the damage done cannot simply be calculated from the amount of ransom paid. Reputation costs, breach notification costs, and the potential for patient harm must all be part of the liability calculus. Unfortunately, the healthcare masses remain extremely vulnerable, unable to catch their breath long enough to realize that the status quo has been obliterated, not merely altered incrementally.
This isn't the first wave of ransomware; the technique has been used for decades. But the current wave may be the largest and most dangerous yet, for several reasons. First, the sheer number of ransomware programs being created by novice and expert criminals alike increases the likelihood that your computer systems will suffer an attack, and the sheer number of ransomware variants in the wild makes it difficult for the "good guys" to keep up. Second, the sprawling variety of ransomware infection methods means that healthcare stakeholders must constantly learn about new attack vectors while trying to live and work in a fast-paced world, where their workplace efficiency has already been stretched near the breaking point by the relentless Darwinian search for improved margins.
Third, ransomware is becoming increasingly sophisticated. Many variants encrypt your data and then threaten to destroy the private (decryption) key if payment isn't made by a certain deadline. Ransomware encryption is getting stronger, and decryption keys are less likely to be recovered through implementation flaws, as they sometimes were in the past. In short, the "bad guys" are getting smarter. When ransomware is done well and adequate preventive measures and incident response procedures aren't in place, the choice is exactly what the extortionists want: pay or lose it all.
Finally, to date there are no documented cases where ransomware has led to the injury or death of a patient. Unfortunately, this will happen sooner rather than later. In the ransomware attack in Melbourne, Australia, the bad guys allegedly started changing patient data until the ransom was paid. For the U.S. healthcare industry, ransomware takes HIPAA compliance out of the "necessary evil" realm and makes it front and center with respect to patient safety. There is simply no going back to the good 'ole days of HIPAA, where the dirty little secret was that HIPAA was an unenforced paper tiger with a maximum penalty of $25K. This is simply not your Daddy's HIPAA anymore!
Remediation
Scan, Scan, Scan. Education, Education, Education. The healthcare masses are basically illiterate when it comes to privacy & security, let alone nuanced subject matter such as ransomware & phishing. There is simply no way to comply with the HIPAA Security Rule ("SR") without periodic network scans, quarterly at a minimum! Without network scanning, it is highly improbable that organizations would have discovered the exposure WannaCry exploited (SMBv1 reachable on Windows hosts that were missing Microsoft's March 2017 MS17-010 patch) and mitigated it in a timely manner. The consensus today among cybersecurity experts is that your network's perimeter can no longer be relied upon to keep adversaries out. You are therefore forced to assume that your network has been, or will be, penetrated. No number of firewalls, proxy servers, and other perimeter defense mechanisms can prevent your adversaries from penetrating your outward-facing defenses. Of course, that does not mean that you stop using these defenses; you must keep them. However, you must also assume that sophisticated adversaries will find a way in, and the critical question becomes "what happens then?" Some experts suggest that the best you can do is to apply your efforts toward significantly reducing "dwell time", that is, the amount of time an adversary spends inside your perimeter, "poking around" for further vulnerabilities to exploit, before you detect and evict them.
Regardless of how you choose to attack this challenge, regular periodic scans must be one of the tools in your toolset. Although the HIPAA Rules do not expressly state that network scans ("Scanning") must be performed, HHS infers the requirement as a kind of "rule of reason": compliance with other parts of the Rules, notably the Risk Analysis and Evaluation standards (45 CFR 164.308(a)(1) and (a)(8)), would be impossible without it.
Fail to scan and you are likely staring down the barrel of "willful neglect."
Expresso® "FREE Test Drive"
Just click on the Act Now button below and fill out the information; our Customer Service staff will set up your free 15-day Expresso® Test Drive and arrange a "Go To Meeting" session to review how you can do your HIPAA Risk Assessment in 3 hours or less.
Expresso® is an easy to use Risk Assessment software that allows you to detect risks, threats, security objects, and vulnerabilities to PHI and identify impacts and assign controls at a glance!
Expresso® allows you to do a Baseline Risk Assessment in 3 Hours or less! Our "Quick Start Guide" gets you off and running to complete your first Risk Assessment. Expresso® comes pre-populated with all the Risks, Threats, Vulnerabilities and Impacts necessary to a complete a Baseline Risk Assessment.
You Can:
1) Perform a Baseline Risk Assessment in a matter of hours;
2) Bulk import Security Objects: people, places, assets, processes and apply Security Controls;
3) Track the results of the Controls applied; and
4) Retain instances of past Risk Assessments for reporting purposes.
Protect Your Practice and Your Business
Give Your Organization's Compliance Initiative The Boost It Needs To Survive A HHS Audit With The HIPAA Survival Guide Subscription Plan With Expresso®