This course explains treacherous Ransomware threats attacking the Healthcare Industry and how to prevent, prepare for, respond to and recover from a Ransomware attack. It covers HIPAA Rules that apply to Ransomware, compliance with the HIPAA Rules and how to conduct a HIPAA Breach Risk Assessment to prove a Ransomware attack did not result in a Breach of Unsecured Protected Health Information (PHI) – a violation of the HIPAA Privacy Rule.
Ransomware and the Healthcare Industry
Healthcare will be the biggest target for Ransomware attacks in 2017, according to the credit reporting firm Experian. The Healthcare Industry includes “Covered Entities” defined by Federal law as Healthcare Providers, Health Plans (Health Insurance providers), Health Care Clearinghouses and their Business Associates (BAs). A BA is a person or organization that performs services for a Covered Entity that involve PHI. Federal health privacy and security laws, generally referred to simply as “HIPAA”, apply to Covered Entities and BAs.
Covered Entities and BAs of all types and sizes are prime Ransomware targets because disruption of healthcare operations, even for a brief period, can result in catastrophic harm to patients. Criminal hackers don’t need sophisticated technology to mount a Ransomware attack – they simply trick employees into opening a “phishing” email or clicking on an Internet link. Ransomware is the easiest and safest way for cyber-criminals to extort money from the Healthcare Industry.
In 2016 the head of Federal HIPAA enforcement said in an official statement, “One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware. The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals.”
What is Ransomware?
Ransomware is particularly vicious criminal software that infiltrates critical electronic health information systems and locks them up with encryption tools that deny access to PHI until the victimized organization pays ransom to regain access. It is so commonplace that criminals can buy Ransomware tools on the Internet – google “buy ransomware”.
The U.S. Department of Justice reports Ransomware is the fastest growing and most dangerous threat to the security of health information in the United States. More than 4,000 daily Ransomware attacks were reported in 2016 – a 300% increase over 2015.
New strains of Ransomware are particularly dangerous. They not only lock up your information system – they steal Protected Health Information (PHI).
A Ransomware Attack is presumed by law to be a HIPAA Breach
On July 11, 2016 the U.S. Department of Health and Human Services (HHS) declared a Ransomware attack on a Covered Entity or BA that encrypts PHI is presumed to be a HIPAA Breach requiring notification of all affected individuals, HHS and, if it locked up PHI of 500 or more individuals, prominent media outlets. HHS presumes a Ransomware attack is a Breach because the encrypted EPHI “…was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
HIPAA Breach Risk Assessment Explained and Demonstrated
To prove a Ransomware attack is not a HIPAA violation, Covered Entities and BAs must demonstrate a low probability the PHI was compromised based on a very specific HIPAA Breach Risk Assessment. This course explains and demonstrates how to do a Breach Risk Assessment applying the factors required by the HIPAA Breach Notification Rule.
The objective of this course is for students to understand:
- Ransomware including new, more treacherous varieties used by cyber-criminals to attack the Healthcare Industry
- HIPAA Rules that apply to Ransomware attacks
- “Social Engineering” tricks criminals use to sneak Ransomware into Electronic Information Systems
- What to do if your organization suffers a Ransomware attack
- Best practices to respond to and recover from Ransomware attacks
- How to do a HIPAA Breach Risk Assessment to determine whether a Ransomware attack resulted in a HIPAA Breach – or did not, because the assessment demonstrates a low probability that PHI was compromised
- What the HIPAA Breach Notification Rule requires when a Ransomware attack does result in a Breach of Unsecured PHI
- The interconnected roles and responsibilities of Covered Entities and BAs under the HIPAA Breach Notification Rule concerning Ransomware attacks
Session 1: 10 AM – 12 PM
- Introduction – Course Agenda and Objectives
- What is Ransomware?
- Why is the Healthcare Industry a Prime Target?
- HIPAA Law and HIPAA Rules that apply to Ransomware Attacks
- Covered Entity – Business Associate Relationship, Responsibilities, Interdependent Liabilities
- What to Do if (when) your organization suffers a Ransomware Attack
- Preliminary Description – HIPAA Breach Risk Assessment
- Best Practices to Prevent a Ransomware Attack
Session 2: 1 PM – 2:30 PM
- How to Prepare for a Ransomware Attack
- How to Respond to a Ransomware Attack
- To pay or not to pay?
- Law Enforcement
- How to Recover from a Ransomware Attack
- How to do a HIPAA Breach Risk Assessment – Demonstration
Session 3: 2:45 PM – 4 PM
- How to do a HIPAA Breach Risk Assessment – Continued
- What to do if the Ransomware Attack caused a HIPAA Breach
- Step-by-Step Breach Notification Requirements
- Notifications – Fewer than 500 Individuals affected
- Notifications – More than 500 Individuals affected
- Questions, Answers, Discussion
- Health Care Providers – Hospitals, Multi-Specialty Medical Groups, Nursing Homes, Long Term Care – Assisted Living Facilities, Physicians (M.D.s and D.O.s), Dentists, Optometrists, Chiropractors, Physical Therapists, Podiatrists
- Health Plans including Employer Sponsored Health Plans
- Third Party Administrators – Insurance Brokers
- Healthcare Practice Administrator Companies
- Healthcare Record Storage and Retrieval Companies
- All Business Associates of Health Care Providers and Health Plans