Ransomware criminals have been going after Hospitals, Clinics, Radiologists, Physician practices and all manner of organizations in the medical sector. These are “Covered Entities” in HIPAA compliance lingo. In response to the Ransomware threat the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) made this strong statement this last week:
“OCR is sharing the following alerts from the White House and Cybersecurity and Infrastructure Security Agency (CISA). Organizations are encouraged to review the information below and take appropriate action.
White House Memo: What We Urge You To Do To Protect Against The Threat of Ransomware
Anne Neuberger the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology has released a memo titled “What We Urge You To Do To Protect Against The Threat of Ransomware.”
Here is the link in full:
https://www.whitehouse.gov/wp-content/uploads/2021/06/Memo-What-We-Urge-You-To-Do-To-Protect-Against-The-Threat-of-Ransomware.pdf
In addition to the White House guidance, HHS/OCR provides this fact sheet and guidance:
https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
These are short documents that are non-technical in nature and provide clear guidance for any Covered Entity under HIPAA data security requirements. If you have management responsibility in any healthcare organization, these are probably the most important things you can read right now. If you are an IT or security professional in a healthcare organization, use this information to inform and motivate your management team.
Here are few quick takeaways with a focus on encryption and avoiding breach notification:
- Encrypt your patient information (ePHI) wherever it resides (servers, laptops, mobile phones, etc.). Here is what HHS/OCR says:
“If the electronic PHI (ePHI) is encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer “unsecured PHI,” then the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.”
Interpretation: Encryption is your “Get Out of Jail Free” card. If you do it right.
- Full Disk Encryption (FDE) is not enough:
“If full disk encryption is the only encryption solution in use to protect the PHI and if the ransomware accesses the file containing the PHI, the file containing the PHI will be transparently decrypted by the full disk encryption solution and access permitted with the same access levels granted to the user.
Because the file containing the PHI was decrypted and thus “unsecured PHI” at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed. Under the HIPAA Breach Notification Rule, notification in accordance with 45 CFR 164.404 is required unless the entity can demonstrate a low probability of compromise of the PHI based on the four factor risk assessment (see 45 C.F.R. 164.402(2)).”
Full disk encryption is pretty easy to deploy. However, it just does not provide enough security. Use database or application layer encryption that provides more granular control over the decryption of ePHI. Self-Encrypting Drives (SEDs) and full disk encryption will not pass muster.
- Encryption Key Management is essential
You’ve heard this expression:
“A chain is only as strong as its weakest link.”
In an encryption strategy the weakest link is usually encryption key management. The encryption key is the secret you need to protect. Storing the encryption key on the same server or device as the ePHI will never be an acceptable practice. Always use a professional encryption key management solution that protects and stores the encryption key away from the sensitive ePHI data.
Encryption is not the only security effort you need to make, but in my experience it is the one thing healthcare organizations tend to ignore. I think this is because the HIPAA law considers encryption an “addressable” security control. This means you are not required to do it IF you have other equivalent controls in place. But if you are not encrypting your data and you have a data breach through Ransomware or other cyber attack, then you have “ipso facto” not protected your information well enough and you are in for a breach notification, OCR/HHS compliance action (ouch!), potential fines, and litigation. That won’t be fun, and it will be a lot more expensive than encryption.
We help a lot of healthcare providers meet the HIPAA security requirement. If you are storing ePHI in SQL Server, MongoDB, MySQL or in a VMware architecture or cloud platform, we have an affordable, easy solution for you. More information on our website:
https://townsendsecurity.com
If you are a Managed Service Provider (MSP) helping healthcare providers meet HIPAA compliance, we have a partner program for you that you are going to love. There is no entity so small that you can’t help them get secure. You can find out more here:
https://info.townsendsecurity.com/msp
Patrick