Healthcare organizations must be prepared for the moment when cyber criminals attack their data networks with the intention of extortion. HIPAA-covered entities are expected to be at least partly prepared for cyber attacks already, because general cybersecurity practices are required under the HIPAA rules. As a reminder, OCR has provided guidance on the important measures healthcare organizations should review to mitigate cyber extortion risks.
1. Conduct risk analysis
First on the list of cybersecurity measures is a comprehensive, organization-wide risk analysis covering every system and device that creates, receives, maintains or transmits ePHI. Once all vulnerabilities have been identified, a risk management program must be implemented to reduce the cybersecurity risks to an acceptable level.
2. Keep software and operating systems up to date
Cyber extortion attacks often exploit unpatched vulnerabilities. That’s why healthcare organizations need to update software and operating systems as soon as possible, applying new patches promptly. Identifying all such vulnerabilities is also necessary for an accurate and complete risk analysis.
3. Get information on threat intelligence
Healthcare organizations are encouraged to join an Information Sharing and Analysis Organization (ISAO) as a source of threat intelligence. Timely information about current threats can help organizations block attacks before they succeed.
4. Teach security awareness to healthcare employees
When employees respond to malicious emails, they give ransomware a way into the healthcare organization’s networks and devices. Employees who lack proper security awareness become a weak point in the organization’s security defenses.
5. Use technology to tighten security defenses
With the help of technology, it’s possible to block malicious emails before they arrive. Anti-virus and other signature-based anti-malware tools are not as effective as they once were, but they still add value to the healthcare organization’s security defenses. Use firewalls and other perimeter and network defenses to strengthen protection further. Together, these measures reduce the chances that a malicious email reaches an employee’s inbox.
6. Use encryption to protect sensitive data
When the organization’s sensitive data is encrypted, attackers are prevented from accessing PHI even if they breach the network.
7. Conduct regular backups of data
Backups play a critical role in data recovery should a ransomware attack occur. Use the 3-2-1 approach when backing up data: keep three copies of the data on two different types of media, with one copy stored securely off-site.