Who’s the Biggest Ransomware Attack Target? YOU!: HIPAA & HITECH Act Blog by Jonathan P. Tomes

A recent study (May 1, 2019) by the endpoint security firm Cylance determined that the health care industry was the biggest target for malware attacks, with ransomware attacks tripling in 2018. Attacks on health care entities accounted for 34 percent of all malware attacks, with manufacturing a distant second at 7 percent. Another survey, conducted by HIMSS Analytics, found that three-quarters of health care providers had experienced a ransomware or malware attack in the past 12 months. That survey also noted that 43 percent of large provider organizations reported at least 16 malware or ransomware attacks, with 63 percent of these large facilities reporting both malware and ransomware attacks during that year.

The most common ransomware infection vectors are email phishing and drive-by downloads. A drive-by download is the unintentional download of malicious code to your computer.

Phishing attacks typically succeed when the user opens an email attachment or clicks on an attractive-looking website. A drive-by attack, by contrast, does not require the user to click on anything, download anything, or open a malicious email attachment to become infected. In other words, it differs from most other cyberattacks in that it does not require the user to do anything.

The growing threat of ransomware is shown by the weekly HIPAA Journal stories:

  • Urology Practice Pays $75,000 ransom to Regain Access to Computer Systems.
  • Estes Park Ransomware Attack Highlights Risks of Paying Ransom.
  • Shingle Springs Health and Welfare Center Ransomware Attack Impacts 75,000 patients.
  • Ransomware Attack Impacts More Than 60 Assisted Living Facilities.

In the Estes Park Health ransomware attack, the clinic software was the first system to go offline, followed by the digital imaging software, which stores all X-rays and other medical images. The attack wiped out the network and the facility’s phone service. The facility’s cybersecurity insurer paid the undisclosed ransom, but the policy had a $10,000 deductible that the facility had to pay. For more information on how Estes Park recovered, see “Estes Park Recovering Quickly from Cyberattack,” EstesParkNEWS, June 2, 2019, at http://www.estesparknews.com/featured_articles/article_e8aa6468-8624-11e9-8c63-4f4591478118.html.

A urology practice recently learned that, even if the ransom ($75,000) is paid, the damage may still be considerable. First, no guarantee exists that the ransomer will unlock the encryption. Second, as the urology practice experienced, even after it had paid the ransom and received the keys, it took more than three days to unlock its files, and it had to pay a second ransom to obtain keys for files that the first payment had not covered.

Good backups are obviously the key safeguard against ransomware, and a backup is only good if you have confirmed that you can restore from it. Estes Park also had a plan for how to respond to a ransomware attack. Be certain to consider the threat posed by ransomware in your initial and updated risk analyses, and consider adopting a ransomware incident response plan. We plan to post a sample one on the Premium Member section of our website shortly.
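The following is an added example, not code from this blog or from Veterans Press, of the kind of restore drill a practice can run to prove that a backup is usable before ransomware makes it urgent. It builds a SHA-256 manifest of the live data at backup time, restores the backup to a separate location, and compares the restored tree against the manifest so that missing, altered, or unexpected files are reported. All file names, directory names, and file contents are constructed sample data created in a temporary directory; nothing here touches real patient records.

```python
"""Restore drill: manifest a data set at backup time, verify it after restore.

Added example. Everything runs inside a temporary directory with constructed
sample files, so it can be executed offline as a demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large imaging files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root, manifest: dict) -> dict:
    """Compare a restored tree with the manifest taken at backup time.

    Returns which manifest entries are missing, which files changed content,
    and which files are present but were never in the manifest.
    """
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    return {
        "ok": not (missing or extra or changed),
        "missing": missing,
        "changed": changed,
        "extra": extra,
    }


def restore_drill() -> dict:
    """End-to-end drill on constructed data: back up, restore, verify, then
    show that a tampered and a deleted file are both caught."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        backup = Path(tmp, "backup")
        restored = Path(tmp, "restored")

        # Constructed sample data standing in for a small practice's files.
        (live / "patients").mkdir(parents=True)
        (live / "patients" / "visit_notes.txt").write_text("constructed sample record\n")
        (live / "imaging").mkdir(parents=True)
        (live / "imaging" / "xray_001.bin").write_bytes(bytes(range(256)))

        # Manifest is taken from the live data and should be stored with the
        # backup media, separately from the data it describes.
        manifest = build_manifest(live)
        shutil.copytree(live, backup)        # the backup job
        shutil.copytree(backup, restored)    # the restore onto clean storage
        clean_result = verify_restore(restored, manifest)

        # Simulate a bad restore: one file altered, one file missing.
        (restored / "patients" / "visit_notes.txt").write_text("altered\n")
        (restored / "imaging" / "xray_001.bin").unlink()
        tampered_result = verify_restore(restored, manifest)

        return {
            "manifest_entries": len(manifest),
            "clean": clean_result,
            "tampered": tampered_result,
        }


if __name__ == "__main__":
    print(json.dumps(restore_drill(), indent=2))
```

The point of keeping the manifest with the backup media rather than on the production file server is that a ransomware incident that encrypts the live data cannot also rewrite the record of what the data looked like; the verify step then gives a yes-or-no answer on whether the restore is complete before systems are put back into service.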

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. Make sure that you include malware and ransomware in your initial risk analysis and all updates thereof. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Jon’s Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts. And we trust that you were able to enjoy a great 4th of July celebration and a long weekend.
