Breach Planning in the Age of Ransomware

Here’s the scenario. Your practice contracts with a firm to back up your data offsite after the practice closes each day. The new data overwrites what was saved the day before (i.e., no version is kept other than the current one).

On Monday, by clicking on a link in an email, an employee unknowingly triggers a ransomware attack. The attack encrypts data on your system, but no one in the company realizes the attack has taken place until after the workday ends and the data has been backed up.ransomware

On Tuesday, you receive an email from the attacker explaining what has happened and asking for a large amount of money to unencrypt your data. You immediately contact the company that does your backups, only to learn that the encrypted data was backed up the night before – there is no unencrypted copy on your systems or theirs.

By Wednesday, the local press has gotten wind of the incident, and you are in full panic mode trying to decide whether to pay the ransom to get your data back while explaining to the press that your patients’ files have not been stolen, only encrypted.

 

You need a plan

There are two important lessons to take away from this story. First, have a written plan that describes exactly what to do in the case of a data breach or other type of attack. Second, with ransomware attacks like the one at Hollywood Presbyterian Medical Center on the rise, it’s time to re-evaluate your backup routine.

Medical practices – no matter what size – are required by HITECH to have a written breach response plan. These days, it’s clear your plan should include the possibility of a ransomware attack.

There are several good sources of information on formulating your plan, including the “Computer Security Incident Handling Guide” from NIST. Here are several must-haves:

  1. An incident policy overview, including a list of your breach response team. Note that in a small practice, that team may comprise of only the practice owner, the head administrator and the compliance officer. If you outsource any of your IT support, include the firm on your list. You can also include resources you’ve set up in advance to help you in the event of a breach (e.g., an attorney, a PR firm).
  2. Procedures for performing incident handling and reporting. This includes details of who will do what following a breach and who is ultimately in charge. Note that although technical folks will work to discover the cause and extent of the breach, a non-technical person may head up the overall team. Also remember that notification of patients, covered entities and business associates is an major part of post-breach activities and that notification for a large breach may differ from notification for a small breach.
  3. A plan to train the team. Your incident response team should receive training on the overall response plan, their role in it and any instructions/guidelines they need to perform their role successfully.

Of course, you want to do everything you can to avoid a breach. Here are some key mitigation strategies:

  • Encrypt all data everywhere (a practice recently had unencrypted data stolen from a safe).
  • Check to be sure the person or company in charge of your data security is installing all security patches, has secured your website and is monitoring for breaches.
  • Check on the security status of your business associates – ask for details.
  • If your backup provider doesn’t keep past versions of data, upgrade your service so that it does (to prevent the ransomware scenario above).
  • Work to prevent ransomware attacks by installing the paid version of Cryptoprevent (which updates itself as new type of ransomware attacks are invented).
  • Conduct employee training on how easy it is to spoof an email account. Explain why they should not click on any links unless they are positive of the sender.

Finally, take the time to test your incident response plan. Bring everyone into a room, tell them a (mock) breach or attack has occurred, and have everyone respond as though the scenario is real.

Ransomware attacks can occur at providers of any size – even yours.