The year 2016 has been quite successful for Bitcoin ransomware developers so far. After two major hospital systems were crippled in quick succession, it was only a matter of time until new guidelines were established. New guidance under the Health Insurance Portability and Accountability Act (HIPAA) has now been issued to address these malware threats.
The vast majority of healthcare organizations are clueless when it comes to understanding and preventing ransomware attacks. This new guideline from the US Department of Health and Human Services Office for Civil Rights should provide additional information on how this malware works. More importantly, it will also help institutions understand how they can spot a threat and ensure no significant damage is done.
Tackling Ransomware Requires More Than Technology
Preventing ransomware attacks from happening should be the top priority for every healthcare institution right now. Unfortunately, limited budgets and less-than-stellar IT staff make that task a lot harder than it needs to be. Providing guidelines is a good way to tackle this situation, although it may not yield the desired effect in the long run.
Training hospital staffers to spot a malware threat sounds great on paper, but it is hard to achieve in real life. Most of the people working at a hospital are already overworked, and the last thing they need is more on their plate. Limiting user access to patient records is another option worth exploring, but it might create friction. If not everyone can access a record directly, waiting for someone with file access to come by will only slow operations down.
One of the few ways to properly deal with a ransomware attack is by making regular system backups. The HIPAA guidance touches upon this subject as well, as regular data backups are advised. Developing new security incident procedures, as well as reporting processes, is also badly needed.
“Implementing a data backup plan is a Security Rule requirement for HIPAA covered entities and business associates as part of maintaining an overall contingency plan. Additional activities that must be included as part of an entity’s contingency plan include: disaster recovery planning, emergency operations planning, analyzing the criticality of applications and data to ensure all necessary applications and data are accounted for, and periodic testing of contingency plans to ensure organizational readiness to execute such plans and provide confidence they will be effective.”
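The quoted guidance asks for a backup plan and for periodic testing that the plan actually works. A backup that has silently been overwritten, deleted or gone stale is exactly the kind of failure that periodic testing is meant to catch before an incident. The following is an added example, not code from the guidance or from any hospital system: it records a SHA-256 manifest when a backup is taken and later re-checks the backup for missing, modified, unexpected or stale contents. The manifest file name (`manifest.json`), the 24-hour freshness policy and all sample files are assumptions constructed for the demonstration.

```python
"""Backup manifest creation and verification (added example, constructed data)."""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional

# Constructed policy value: a backup older than one day is considered stale.
MAX_BACKUP_AGE_SECONDS = 24 * 60 * 60
MANIFEST_NAME = "manifest.json"  # assumed name for the stored hash list


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _backup_files(backup_dir: Path) -> Dict[str, Path]:
    """Map relative path -> absolute path for every file in the set, excluding the manifest."""
    return {
        str(p.relative_to(backup_dir)): p
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def build_manifest(backup_dir: Path) -> dict:
    """Record a hash for every file in the backup set plus the time the backup was taken."""
    files = {rel: sha256_of(p) for rel, p in _backup_files(backup_dir).items()}
    manifest = {"taken_at": time.time(), "files": files}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, now: Optional[float] = None) -> dict:
    """Re-hash the backup set and compare it with the manifest.

    Returns a report listing missing, modified and unexpected files, whether the
    backup is stale under MAX_BACKUP_AGE_SECONDS, and an overall 'healthy' flag.
    """
    now = time.time() if now is None else now
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    expected = manifest["files"]
    present = _backup_files(backup_dir)
    report = {"missing": [], "modified": [], "ok": []}
    for rel, digest in expected.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_of(present[rel]) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    # Files that were not in the original set (for example a dropped note) are flagged too.
    report["unexpected"] = sorted(set(present) - set(expected))
    report["stale"] = (now - manifest["taken_at"]) > MAX_BACKUP_AGE_SECONDS
    report["healthy"] = not (
        report["missing"] or report["modified"] or report["unexpected"] or report["stale"]
    )
    return report


def demo() -> Dict[str, dict]:
    """Constructed scenario: a clean check, a stale check, then a check after damage."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        (backup / "records" / "patient_0001.txt").write_text("constructed sample record\n")
        (backup / "records" / "patient_0002.txt").write_text("another constructed record\n")
        manifest = build_manifest(backup)
        clean = verify_backup(backup)
        # Same backup, but checked three days later: the contents are intact yet stale.
        stale = verify_backup(backup, now=manifest["taken_at"] + 3 * MAX_BACKUP_AGE_SECONDS)
        # Simulate a corrupted copy: one file overwritten, one deleted, one unexpected file.
        (backup / "records" / "patient_0001.txt").write_bytes(b"\x00corrupted")
        (backup / "records" / "patient_0002.txt").unlink()
        (backup / "UNEXPECTED_NOTE.txt").write_text("constructed unexpected file\n")
        damaged = verify_backup(backup)
        return {"clean": clean, "stale": stale, "damaged": damaged}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, json.dumps(report, indent=2))
```

Running `verify_backup` on a schedule, from a host that has only read access to the backup store, gives an early signal that the contingency plan would not work when it is needed; a backup that passes the hash check should still be restored to a scratch system periodically, since an intact copy of the wrong data is no better than a missing one.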
In the end, technology is not to blame for successful malware attacks. Every single incident stems from a human error at some point, allowing malware to be installed on a host computer. It is also doubtful that guidelines will do much unless they are actively enforced for all employees. Ransomware takes advantage of vulnerable people, and no directives in the world will be able to solve that problem.