August 9, 2017. The September 2017 issue of Consumer Reports has an article in the Ask Our Experts section entitled: “How do ransomware attacks work? And if one happens to me, should I pay?” Here is part of the excellent answer:
“The best offense truly is defense, when it comes to security. [Russell Vines, Consumer Reports’ director of information security] advises regularly backing up your files to the cloud or another drive. That way, if your computer does get ransomed, you can wipe the infected device’s hard drive and start over…. Also, always install security updates promptly and be alert to ‘phishing’ scams that come by email. According to the IBM X-Force research team, 40 percent of the spam emails they analyzed in 2016 contained ransomware. That’s up from an average of just 0.6 percent in 2015.”
HIPAA Integrity® recommends making redundant, retrievable backups. Backups that preserve the integrity of protected health information (PHI) are required under the HIPAA Security Rule's Administrative Safeguards provisions, and if you use an external location such as the cloud or a secure data center, be sure to encrypt the PHI in motion (during transmission). A backup is only useful if it can actually be restored and has not itself been altered, so test the restore and check the copy's integrity before relying on it.
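The following is an added example, not code from the HIPAA Integrity® post, of one way to make a backup "retrievable" in practice: copy a folder, record a SHA-256 manifest of every file, and verify the retrieved copy against that manifest before restoring from it. The folder and file names are constructed for the example; the manifest itself should also be kept somewhere the backup media cannot be written from, since anything that can rewrite the backup can rewrite a manifest stored beside it.

```python
"""Added example, not from the HIPAA Integrity post: copy a folder to a backup
location, record a SHA-256 manifest of every file, and later verify the retrieved
copy against that manifest so a backup that was altered after it was taken (for
instance by ransomware) is caught before anything is restored from it. The files
and folder names are constructed for the example."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, dest: Path) -> Path:
    """Copy src to dest and write the manifest next to dest; returns the manifest path.
    Keep a second copy of the manifest somewhere the backup media cannot be written from."""
    shutil.copytree(src, dest)
    manifest_path = dest.parent / (dest.name + ".manifest.json")
    manifest_path.write_text(json.dumps(build_manifest(dest), indent=2, sort_keys=True))
    return manifest_path


def verify(dest: Path, manifest_path: Path) -> list:
    """Compare the backup copy against its manifest; returns a list of problems
    (missing, modified, unexpected files). An empty list means it is safe to restore."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(dest)
    problems = [f"missing: {rel}" for rel in expected if rel not in actual]
    problems += [f"modified: {rel}" for rel, digest in expected.items()
                 if rel in actual and actual[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in expected]
    return problems


def demo() -> tuple:
    """Constructed scenario: back up two records, verify, then simulate ransomware
    overwriting one file in the backup and dropping a ransom note.
    Returns (problems before tampering, problems after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        src.mkdir()
        (src / "patient_001.txt").write_text("constructed sample record 1\n")
        (src / "patient_002.txt").write_text("constructed sample record 2\n")
        dest = Path(tmp) / "backup-2017-08-09"
        manifest = backup(src, dest)
        before = verify(dest, manifest)
        (dest / "patient_001.txt").write_bytes(os.urandom(48))   # "encrypted" by ransomware
        (dest / "README_TO_DECRYPT.txt").write_text("ransom note\n")
        after = verify(dest, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "clean")
    print("after tampering:", after)
```

Running the script reports a clean verification right after the backup is taken, and after the simulated tampering it reports one modified record and one unexpected file. A restore procedure that runs verify() first, and refuses to proceed unless the list is empty, turns "we have backups" into "we have backups we can trust".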
Also, HIPAA Integrity® recommends that you verify the sender's actual email address, not just the displayed name, before opening an email or downloading an email attachment. Even when security updates and patches are applied promptly, the name of a person or organization known to you may appear on a message that was sent from a compromised or look-alike account. The email spam statistic above shows how important that verification is to minimizing, as much as possible, the incidence of ransomware attacks.
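As an added example (not code from the HIPAA Integrity® post), the script below shows what "verify the sender's address" can mean when done systematically: it parses a message's From and Reply-To headers and flags a familiar display name paired with an unfamiliar address, a Reply-To that diverts replies elsewhere, and a sending domain that closely resembles a trusted one. The contact directory and both messages are constructed for the example.

```python
"""Added example, not from the HIPAA Integrity post: parse a message's From and
Reply-To headers and flag the tell-tale signs that a familiar name is being used
from an unfamiliar address. The contact directory and messages are constructed."""
import difflib
import email
from email.utils import parseaddr

# Constructed directory: display name -> the address that person is known to use.
KNOWN_CONTACTS = {
    "Dr. Jane Smith": "jsmith@example-clinic.com",
    "Billing Office": "billing@example-clinic.com",
}
KNOWN_DOMAINS = {a.split("@")[1] for a in KNOWN_CONTACTS.values()}


def check_sender(raw_message: str) -> list:
    """Return warnings about the sender; an empty list means the headers are consistent
    with what is known about the contact (which is still not proof of authenticity)."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    warnings = []
    if "@" not in addr:
        return ["From header carries no usable address"]

    # 1. A display name you recognise, but an address you do not.
    known = KNOWN_CONTACTS.get(name)
    if known and known.lower() != addr:
        warnings.append(f"'{name}' is known as {known} but this mail is from {addr}")

    # 2. Replies silently routed somewhere other than the visible sender.
    if reply_to and reply_to != addr:
        warnings.append(f"replies would go to {reply_to}, not {addr}")

    # 3. A domain that is almost, but not quite, one you trust (e.g. a swapped character).
    domain = addr.split("@")[1]
    if domain not in KNOWN_DOMAINS:
        for trusted in KNOWN_DOMAINS:
            if difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.8:
                warnings.append(f"domain {domain} closely resembles {trusted}")
    return warnings


# Constructed messages: one genuine, one impersonating a known contact.
GENUINE = """\
From: "Dr. Jane Smith" <jsmith@example-clinic.com>
To: records@example-clinic.com
Subject: Referral letter

Attached as discussed.
"""

SPOOFED = """\
From: "Dr. Jane Smith" <jsmith@examp1e-clinic.com>
Reply-To: records.update@mail-drop.example
To: records@example-clinic.com
Subject: Urgent: updated patient file

Please open the attached document right away.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, check_sender(raw) or ["no warnings"])
```

The genuine message produces no warnings; the spoofed one produces three (known name from a different address, diverted Reply-To, and the look-alike domain with a digit one in place of the letter l). Note what the check does not do: a message from a genuinely compromised account at the real address passes all three tests, which is why an unexpected attachment or an urgent request for credentials still warrants a phone call to the sender.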
Consumer Reports provides online an article entitled: “How to Restore Backed-Up Data After a Ransomware Attack,” for various Microsoft Windows Operating System versions.
An online August 1, 2017, article by Judy Greenwood in Business Insurance reinforces the points above with data from London-based insurer Beazley P.L.C. According to the article, “Beazley had reported in its year-end report that ransomware among its clients more than quadrupled in 2016 over 2015’s total,” and that “[r]ansomware attacks continued to grow in 2017… increasing by 50% the first half [year] over the comparable period a year ago. Hacking and malware attacks, which included ransomware, accounted for 32% of the 1,330 incidents Beazley Breach Response Services reported in the first half [year].”
Additional information is available in “Beazley breach insights—July 2017,” which reports that “accidental breaches caused by employee error or data breached while controlled by third party suppliers continue to be a major problem, accounting for 30% of breaches overall, and 42% of healthcare incidents.” Beazley concludes:
“This continuing high level of accidental data breaches suggests that organizations are still failing to put in place the robust measures needed to safeguard client data and confidentiality. Since 2014, the number of accidental breaches reported to Beazley’s team has shown no sign of diminishing. As more stringent regulatory environments become the norm, this failure to act puts organizations at greater risk of regulatory sanctions and financial penalties.”
Organizations must improve their safeguard training in order to stem the rise in phishing and the adverse consequences that follow from it. Visit the Office for Civil Rights (OCR) Resolution Agreements website to see the regulatory consequences of failing to safeguard PHI from breach.