Earlier this month a massive ransomware attack spread across 150 countries, infecting roughly 300,000 computers and crippling businesses around the globe. The ransomware, called "WannaCry," infiltrated a wide range of institutions, encrypting users' files and demanding a payment of $300 to $600 in bitcoin to decrypt them. Hundreds of hospitals and health clinics in the British National Health Service were hit; while their files were encrypted, the NHS had to divert patients and reschedule surgeries and appointments. The WannaCry attack, and the rising frequency of ransomware attacks in general and against hospitals in particular, show that health care entities need to be vigilant about how patient information is stored and secured, and proactive about maintaining continuity of patient care should a ransomware attack succeed.

What is Ransomware?

Ransomware is a type of malware that encrypts a user's data and withholds the decryption key until the demanded ransom is paid (and paying does not guarantee the files will actually be recovered). Like most malware, ransomware typically enters a computer when a user clicks a malicious link or opens an infected email attachment. WannaCry was far more dangerous because it also carried a "worm" component: once it was introduced into an organization, it scanned the network for other vulnerable computers and infected them automatically, with no further user action required.

WannaCry was designed to exploit a vulnerability in the SMBv1 file-sharing component of the Windows operating system. Microsoft had addressed the vulnerability earlier this year, in its March 2017 security update (MS17-010), but older Windows versions such as Windows XP and Windows Server 2003 no longer receive routine security updates (Microsoft did issue an emergency patch for those versions after the attack began). It was initially thought that most of the computers infected by WannaCry were running those outdated versions; post-attack analyses, however, have shown that Windows 7 machines accounted for the large majority of infections. Those computers had access to the security patch two months before the attack, and had users installed it promptly, the scale of the attack would have been greatly reduced. This highlights a common problem: many organizations, including health care organizations, either continue to run unsupported operating systems or defer installing updates to avoid the cost and inconvenience of keeping specialized software compatible with every new release.
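As an added illustration of the point above (this is example code written for this post, not something from the original article or from Microsoft), the following PowerShell script reports the checks an administrator would want on a Windows host in the wake of WannaCry: whether the host is running an out-of-support version, whether the SMBv1 protocol that WannaCry's worm component exploited is still enabled, when the most recent update was installed, and whether either of the March 2017 MS17-010 packages for Windows 7 SP1 / Server 2008 R2 (KB4012212 security-only, KB4012215 monthly rollup) is listed. The assumptions are labelled in the comments: PowerShell 3.0 or later, a Windows 7-era estate, and the caveat that later cumulative rollups supersede those KB numbers, so a missing KB by itself does not prove the host is unpatched.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0+ and a
# Windows 7 / Server 2008 R2 or later host. Run in an elevated prompt.

$os = Get-WmiObject -Class Win32_OperatingSystem
$result = [ordered]@{
    Host    = $env:COMPUTERNAME
    OS      = $os.Caption
    Version = $os.Version
}

# Major versions that no longer received routine security updates in May 2017:
# Windows XP (5.1) and Windows Server 2003 (5.2). Assumption: these are the only
# unsupported versions still present in the estate being checked.
$unsupportedVersions = @('5.1', '5.2')
$majorMinor = $os.Version -replace '^(\d+\.\d+).*', '$1'
$result.UnsupportedOS = $unsupportedVersions -contains $majorMinor

# SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
# and later; on Windows 7 fall back to the LanmanServer registry value, where an
# absent SMB1 value means the protocol is enabled (the default).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $result.SMB1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    $result.SMB1Enabled = ($null -eq $smb1) -or ($smb1.SMB1 -ne 0)
}

# Most recent installed update, and the March 2017 MS17-010 packages for
# Windows 7 SP1 / Server 2008 R2. Later cumulative rollups supersede these KBs,
# so "not present" is a prompt to investigate, not proof of vulnerability.
$hotfixes = Get-HotFix
$latest = $hotfixes | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
$result.LastUpdateInstalled = if ($latest) { $latest.InstalledOn } else { 'unknown' }

$ms17010Kbs = @('KB4012212', 'KB4012215')
$result.MS17010KBPresent = [bool]($hotfixes | Where-Object { $ms17010Kbs -contains $_.HotFixID })

# Anything true here warrants follow-up: patch, disable SMBv1, or retire the host.
$result.ActionRequired = $result.UnsupportedOS -or $result.SMB1Enabled -or (-not $result.MS17010KBPresent)

New-Object -TypeName PSObject -Property $result | Format-List
```

The script is read-only; it changes nothing on the host. Disabling SMBv1 where it is not needed, rather than only patching, removes the protocol WannaCry's worm relied on, and that is the setting most organizations will want to act on first.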

Preventing Ransomware Attacks

Ransomware attacks present significant and potentially costly risks to entities covered by HIPAA, particularly because under OCR's guidance a ransomware infection that encrypts electronic protected health information is presumed to be a HIPAA breach, with the accompanying notification requirements, unless the entity can demonstrate a low probability that the information was compromised. Covered entities and business associates should work to prevent such attacks by keeping their operating systems and applications up to date, conducting comprehensive risk analyses to identify vulnerabilities, implementing a risk management plan to address them, and maintaining and testing backups so that patient care can continue if files are encrypted. HIPAA-compliant entities should in fact have a head start on preventing ransomware attacks, since the Security Rule already requires this protective infrastructure to be in place. For more information about how HIPAA compliance can be a safeguard against ransomware attacks, see our previous blog post: HIPAA Compliance is a Health Care Entity's Secret Weapon in Preventing and Combating Ransomware Attacks.

For more information and guidance from HHS, see:

FACT SHEET: Ransomware and HIPAA (HHS)

OCR Cyber Awareness Newsletter

OCR Cyber Awareness Monthly Update