Healthcare providers continue to rely on interconnected information technology systems and digital care delivery to improve healthcare outcomes. In response, ransomware attached are increasing, both in number and in sophistication. The attacks threaten the clinical and clerical operations of healthcare enterprises of all sizes. JAMA published an alarming study to show that the number of ransomware attacks targeting healthcare organizations doubled in the last five years. These attached disrupted care and exposed the personal health information of nearly 42 million patients.
Ransomware attacks usually involve use of malicious software on vulnerable systems and technology through any number of vulnerabilities, such as email phishing links or disguised software updates. Once installed, the ransomware locks healthcare organizations out of their own data, data systems, or targeted technology devices. The ransomware criminals then threaten to release, permanently encrypt, or delete patient data—in some cases, all three—unless the organization pays the ransom demand.
Even relatively minor ransomware attacks can have significant financial, regulatory, and clinical implications for even the most sophisticated healthcare operations. With the healthcare industry squarely in the sights of cybercriminals, healthcare organizations can no longer afford to assess their data security and disaster response policies and procedures after experiencing a breach. Ransomware attacks are unlikely to slow, so decisionmakers in healthcare organizations should proactively consider review and update of policies and procedures to minimize impact before a ransomware attack occurs.
Implications for Data and Information Security Policies and Procedures
Whether data is in the cloud or on-site, healthcare organization need robust data and information security policies and procedures to prevent and respond to ransomware attacks. These policies and procedures should address the number of ways in which employees, contractors, vendors, and patients interact with the organization’s technology as well as set clear boundaries around potential access points that could allow ransomware into the system. Critical elements include items such as:
- Processes for inventorying all software and other technology in use by an organization
- Centralized access controls
- Protocols for controlling and monitoring edits to documents and system files
- Rules to limit software installation and updates to authorized individuals
- User and password management
- Regular audits and breach detection measures
Healthcare organizations should also consider the compliance component of their data security practices. As they do with clinical activities, regulations establish important boundaries for implementing data security and corresponding policies and procedures. For years, HIPAA and similar state laws highlighted the important crossover between technical systems and legal compliance, but recent developments for electronic health information could leave many organizations’ policies and procedures out of compliance.
For example, the new Information Blocking Rules went fully into effect as of October 6, 2022. They require healthcare organizations to make electronic health information readily accessible to patients, which likely requires organizations to reconsider existing information security practices. Importantly, the Information Blocking Rules establish strict requirements for when and how healthcare organization may limit patient access to electronic health information for data security concerns. Further, the Information Blocking Rules created specific rules about handling system downtime if the downtime unduly interferes with patient access to electronic health information.
This means that healthcare organizations must strike a reasonable balance between data protection and data access. To do this, the organization should take advantage of enterprise-wide experience to assess data security protocols in light of the Information Blocking Rules. Healthcare organizations should also ensure that information systems personnel, organization leadership, and legal counsel (in-house and outside) work together so that technical protections implemented in updated policies and procedures account for ever-changing legal requirements.
Implications for Disaster Response Policies and Procedures
No matter how secure a system, breaches will eventually occur. Data integrity is a paramount concern, and healthcare organizations should also be mindful of the practical effects that a breach may have on operations. Healthcare services can impact life-or-death decisions that cannot wait for systems to be back online after a successful ransomware attack. In fact, a recent Sophos survey of healthcare IT professionals found that 44% of healthcare organizations took more than a year to fully recover data after suffering a ransomware attack. This means that disaster response policies and procedures should address both steps to resolve a ransomware breach and to maintain clinical and other functions despite limited access to data or other systems in the meantime.
Practically, healthcare organizations should consider the following when integrating ransomware threat responses into disaster response policies and procedures:
- Identifying impacted technology and systems
- Using robust data backup and recovery systems
- Seeking assistance from law enforcement and other ransomware response professionals
- Interacting with cybercriminals
Disclaimer: Content contained within this blog post provides information on general legal issues and is not intended to provide advice on any specific legal matter or factual situation. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel.