This timely and informative program is designed to introduce human resources practitioners to the concepts associated with ransomware and, in particular, to HIPAA-centric defenses against attacks and against the proliferation of toxic malware throughout an organization’s network. The defensive and preparatory tactics outlined in this program can be used to respond to an organization’s ransomware threats, and they represent a combination of best practices and the legal requirements imposed under HIPAA.

The internet and various news outlets have recently been afire with reports of vicious malware attacks across the globe. Malware, or malicious software, is a term of art used to identify a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, spyware, adware, scareware, ransomware, and other malicious programs. Malware is generally designed to gain access to, or to damage, a computer without the knowledge of its owner, so that the intrusive application can collect as much data as possible before it is discovered. One particular breed of malware, however, works differently. In the case of ransomware, the infiltrator specifically designs the application to notify the recipient of the infection as soon as it occurs. Once the application has embedded itself within the owner’s system and operational files, it locks certain files and operations on the owner’s hard drive. The owner is then delivered a cryptic digital message demanding payment of a hefty “ransom” within a specified and short period of time in exchange for the decryption key or code, failing which all infected files will be lost forever. Generally, if the owner does not pay the demanded ransom, the infiltrator will either leave the files locked or, in some cases, will have programmed the ransomware to infect and lock down the owner’s entire hard drive.
Worse yet, in some instances ransomware is designed to exfiltrate the user’s personal files, data, and other information stored on the device. The attack then takes on a new dimension, because the potential for fraud and further abuse grows dramatically once the data has actually been removed from the user’s hard drive. Infiltration and exfiltration of a user’s hard drive generally also implicate HIPAA’s Privacy and Security Rules, as improper disclosures of protected health information (PHI) and electronic protected health information (e-PHI).
Analyzing the ransomware crisis by the numbers, CNN Money recently reported that over $209 million was paid to cyber criminals in the first quarter of 2016. Through its ransomware tracking, Osterman Research announced that nearly 50% of all companies had already been hit with a ransomware attack by 2017. Between 2015 and 2016, Symantec reports that daily infections increased from 933 to 1,271, an increase of nearly 27% in a single year, with an average demand of $1,077 per incident or attack in 2017 (up from $294 in 2016 – a 72% increase). Although the industry and law enforcement responses to ransomware have been quite remarkable, the proliferation of new malware strains is outpacing the ability of technicians to write critical defensive code. In fact, just since December of 2015, Proofpoint reports a 600% increase in the number of new ransomware families.
While no single defensive strategy will defeat the ransomware phenomenon, a HIPAA-centric defensive strategy provides an employer plan sponsor with the means to identify, segregate, and potentially eliminate a ransomware infiltration before the malware proliferates within the organization’s network. In this way, while a single device may become corrupted, savvy device operators are able to reduce the potential for the attack to spread to the rest of the network. The victim organization’s net experience is thus the loss of a single device’s worth of data, a considerable improvement over the alternative of an entirely debilitated network. When paired with even the most minimal security procedures, a device operator who knows how to proactively identify the signs of an infiltration and to remove the infected device from the network can help save an organization big bucks and substantial hardship.
Moderator: Tara Silver-Malyska, Senior Principal, Willis Towers Watson, Dallas, TX
- Nicholas P. Heesters, Jr., U.S. Dept. of Health and Human Services, Office for Civil Rights, Health Information Privacy & Security Specialist, Washington, DC
- Jason N. Sheffield, Senior Compliance Specialist and Managing Attorney, Willis Towers Watson, La Jolla, CA
- David M. Weiner, Senior Compliance Specialist, Willis Towers Watson, Chicago, IL