Over the last several months there has been an onslaught of news about cyberattacks, most notably ransomware attacks involving many industries, including health care institutions both in the United States and abroad, most notably the "WannaCry" attack. Most recently, a new ransomware attack known as "Petya" made headlines. By all accounts, these attacks are predicted to get worse. These attacks are in addition to other cybersecurity issues involving identity theft and other types of hacking.
Data loss through cybercrime creates an ever-increasing risk, especially to the health care industry, which is becoming a targeted industry. As discussed below, education and prevention are keys to protecting sensitive health care data and quickly responding to a security incident. The federal government through the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR) websites provide summaries of the HIPAA Privacy, Security and Breach Notification Rules. Understanding and complying with these various HIPAA requirements, including the requirements in the privacy rule that covered entities have a business associate agreement with its vendors that have access to personal health information (PHI), are the first steps to be taken to protect sensitive health care data. The security rule sets the standards to control the confidentiality and storage of electronic PHI, and access to electronic PHI.
The OCR continues to provide guidance on the issues of cybersecurity in the form of summary bulletins. In February 2017, it issued one titled "Reporting and Monitoring Cyberthreats." In May 2017, it issued a summary bulletin titled "Cybersecurity Incidents Will Happen ... Remember to Plan, Respond and Report." In that summary, the OCR listed the following incident headlines:
• "Leading Cause of Healthcare Data Breaches in April Was Hacking"
• "Healthcare Data Security Incidents Second Highest in 2016"
• "Ransomware Attack: Healthcare Vulnerable to Cyber"
Importantly, the summary bulletin provides a "refresher" on what is a security incident under the HIPAA Security Rule and when it is a breach under the HIPAA Breach Notification Rule. The OCR reminds covered entities and business associates that they need to have an incident response policy and different types of contingency plans to appropriately respond to a security incident. The OCR summary bulletin also provides a reminder that the HIPAA Breach Notification Rule requires covered entities to notify affected individuals, OCR, and in some cases, the media of a breach of unsecured PHI. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate. See https://www.hhs.gov/hipaa/for-professionals/breach-notification.
On June 9, the OCR issued its "Quick Response Cyberattack" checklist and corresponding infographic. Once again, this publication by the OCR and the recent U.S. government interagency technical guidance document, "How to Protect Your Networks From Ransomware," serve as reminders that cybersecurity concerns need to be addressed proactively before an incident occurs. As outlined by the OCR, a HIPAA-covered entity and business associate need to consider taking these steps in response to a cyberrelated security incident:
• Execute its response and mitigation procedures and contingency plans;
• Report the crime to law enforcement agencies;
• Report all cyberthreat indicators to federal and information-sharing and analysis organizations (ISAOs); and
• Report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.
It bears repeating that while all of these steps may not necessarily apply to all situations, it is imperative that HIPAA-covered entities and business associates review their current incidence response plans (IRPs) and procedures and compare them to the OCR checklist. As noted in the OCR checklist, the OCR considers all mitigation efforts taken by the entity during any breach investigation. This is an important point to consider in the event of a settlement of a HIPAA violation. Such efforts include voluntary sharing of breach-related information with law enforcement agencies and other federal and ISAOs. As noted in the OCR graphic, even if there is not a breach, the entity must document and retain all information considered during the risk assessment of the cyberattack, including how it determined that no breach occurred.
As outlined by the OCR and other federal agencies, prevention and pre-breach planning are critical, including taking the following steps:
• Update systems and software with current patches: Ransomware spreads easily when it encounters unpatched or outdated software. In addition, keeping computer and antivirus software up to date adds another layer of defense that could help stop malware.
• Refresh, review, retrain: To protect your company from a ransomware attack, properly train employees on cybersecurity. Authorized users can expose a company the most when it comes to cybersecurity risks. This includes employees who are vulnerable to social engineering and phishing attacks. Thus, train employees to identify phishing attacks and perform proper authentication of third parties before providing them with data or access to the network.
• Data Access Controls: Grant users access to data and systems minimally necessary to do their jobs and closely monitor access controls to help contain the spread of initial infections.
• Implement data loss prevention (DLP) and intrusion detection systems: Quickly identify potential infections with intrusion detection systems which allow a company to rapidly isolate infected servers and/or endpoints (computers), and prevent the spread of initial infections. Using data loss prevention tools, companies can enforce protection policies and administrators can secure sensitive business data and prevent illegal access to data.
•Implement regular and offsite data backups: In the event of a ransomware attack, decryption keys are not always provided even when ransoms are paid. Backups stored on the same infected server are often encrypted along with the encrypted data. Thus, regular data backups that are continually tested to ensure they can be restored if needed are important to help a company recover its data, resume operations and avoid paying a ransom demand. It is equally important that backups be stored offsite.
• Implement, practice and update incident response and business continuity plans: Having a tested incident response plan will help an organization quickly respond to a security incident. While many organizations have information security procedures in place, it is important that those plans and procedures be reviewed to address a potential ransomware attack. Similarly, perhaps the biggest impact of a ransomware attack is the downtime an organization may face, even causing business functions to come to a halt. Thus, it is critically important that companies update their business continuity plans to specifically address ransomware.
• Quickly deploy incident response team and protect privilege: Quick incident response team deployment is essential when faced with a ransomware attack. This should include having legal, forensic and public relations consultants, as well as law enforcement contacts identified before a security incident occurs. Top level awareness is equally important as crisis management decisions will need to be made quickly, such as whether the ransom demand will be paid and, if so, who should negotiate the ransom payment, how and when to notify law enforcement, as well as any internal or external communication deemed necessary. As these decisions may greatly impact a company's business, financial and legal obligations, it is critically important that in-house or outside legal counsel be involved from the outset to advise and guide the organization, including in the retention of outside consultants. This is the best measure to help protect attorney-client privilege as company executives are forced to navigate quickly through important decisions for the organization.
Implementing these steps cannot be overemphasized in order to minimize the impact of a security incident. By way of illustration, a West Virginia hospital was recently targeted by the Petya attack. In that case, the hospital was forced to replace its entire computer network after the ransomware froze the system's electronic medical records, jeopardizing healthcare providers' abilities to review patient documents and transmit laboratory and pharmacy requests. In that case, the hospital officials could not restore the services and could not find a way to pay the ransom for the return of their network. After consulting with the FBI, that institution ended up replacing their system.
In short, being proactive is often easier and less costly than a reactive approach. Cyberrisks present a fast evolving landscape. Prevention is key to mitigation in this area and a better option than facing a breach unprepared. An entity that knows those risks and controls the data that flows within and outside its walls can best remain competitive in its marketplace.
Cinthia Granados Motley is the co-chair of Sedgwick LLP's cybersecurity and privacy practice group. She has an active practice handling data privacy, security and liability matters, both domestically and internationally, as well as information governance, e-discovery, international contract disputes, directors and officers liability and employment defense. Carol Gerner is a member of the firm's cybersecurity and privacy practice group. Her practice also includes advising clients in a wide range of industries on compliance issues under federal and state privacy, data protection and cybersecurity laws and regulations, and assisting clients in incident preparedness and breach response. Contact them at SedgwickResponder@sedgwicklaw.com.