OCR Ransomware Guidance

OCR Updates Ransomware Guidance

On June 9, 2021, the Office of Civil Rights (OCR) sent an update to persons on its Privacy List, providing links to alerts and resources for dealing with the increasing number and size of ransomware events. One such resource was a White House memo from Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, dated June 2, 2021, and titled “What We Urge You To Do To Protect Against The Threat of Ransomware” (the White House Memo). The following are recommended best practices, according to the White House Memo, to considerably lower the probability of a successful cyber-attack:

Back up your data, system images, and configurations, test them regularly, and keep the backups offline at all times: Many ransomware variants attempt to locate and encrypt or delete accessible backups, so make sure backups are tested regularly and are not connected to the corporate network. Maintaining current, offsite backups is crucial, because if your network data is encrypted by ransomware, current backups are what allow your organization to restore its systems.

Apply system updates and patches as soon as possible: This includes keeping operating systems, applications, and firmware current and secure in a timely way. Consider implementing a centralized patch management system, and use a risk-based assessment approach to guide the implementation and administration of your patch management program.

Test your incident response plan: Nothing reveals the flaws in a plan more clearly than putting it through its paces. Run through a few fundamental questions and use the answers to help you develop the plan: Are you able to keep your firm running even if you lose access to specific systems? For how long? Would you shut down your manufacturing operations if your business systems, such as billing, were down?

Examine the work of your security team: Hire a third-party penetration tester to examine the security of your systems and your capacity to defend against a sophisticated assault of any kind. Many ransomware criminals are aggressive and intelligent, and they will look for the equivalent of unlocked doors to get their ransom.

Segment your networks: Ransomware attacks have shifted significantly from stealing data to causing operational disruption. For your manufacturing/production operations to continue to operate if your corporate network is compromised, your corporate business functions and manufacturing/production operations must be kept separate. You should also carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure that ICS networks can be isolated and continue to operate. Test contingency procedures, such as manual controls, regularly, to ensure that safety-critical functions can be maintained in the event of a cyber disaster.

The OCR notice also supplied additional resources, including a Fact Sheet on Ransomware and HIPAA (OCR Fact Sheet), which was created expressly for entities subject to HIPAA regulations. The OCR Fact Sheet reminds such entities that “the Security Rule merely establishes a floor, or minimum requirements, for the security of electronic protected health information; entities are permitted (and encouraged) to implement additional and/or more stringent security measures above and beyond what they determine to be required by Security Rule standards.” OCR warns that entities must take steps such as updating the firmware of network devices, particularly when firmware upgrades are available to address known security vulnerabilities.

Additionally, according to the OCR Fact Sheet, because ransomware prevents access to data, “[m]aintaining frequent backups and guaranteeing the ability to retrieve data from backups is critical to recovering from a ransomware attack.” Entities should also perform test restorations regularly to ensure that their backup data is intact and that their data restoration capabilities are current. To prevent ransomware attackers from deleting or disrupting online backups, it is sensible to keep backups offline and unreachable from the network.

According to the OCR Fact Sheet, a security incident under the HIPAA Security Rule occurs when ransomware (or any malware) is found on a covered entity’s or business associate’s computer systems. See 45 CFR 164.308(a)(6). The term “security incident” refers to an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system. The covered entity or business associate must therefore activate its security incident and response procedures as soon as the ransomware has been identified by security software. According to OCR, such procedures must be what the entities “think is reasonable and appropriate to respond to malware and other security problems, including ransomware attacks.” Those looking for further information should consult NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, which is available online.

Of course, not every security incident qualifies as a reportable breach; OCR stressed that this depends on the facts and circumstances of the attack. Whenever ransomware is detected on a covered entity’s or business associate’s computer system, an investigation must be carried out as soon as possible to determine whether (1) the incident constitutes an impermissible disclosure of PHI in violation of the Privacy Rule, as defined by 45 CFR 160.103, and (2) a breach as defined by 45 CFR 164.402 has occurred. An impermissible disclosure would occur, for example, if electronic protected health information (ePHI) is encrypted and held for ransom by the attacker, because the ePHI was acquired and disclosed (i.e., unauthorized individuals have taken possession or control of the information). The disclosure would not rise to the level of a breach, however, if the covered entity or business associate can demonstrate that there is a “… low probability that the PHI has been compromised.” See 45 CFR 164.402(2) for further information.

In deciding whether the probability of compromise of ePHI is low, entities are encouraged to consider other elements in addition to the factors listed in the Act. OCR recommended taking into account factors such as whether there is a high risk of the data being unavailable or a high risk of the data being corrupted. These, OCR cautioned, “may be indicative of a compromise.”

OCR provided instructions for performing a ransomware risk assessment, which also include recommendations for establishing a low probability of compromise. Specifically, OCR explained that correctly identifying the malware involved and understanding what it is programmed to do can help an entity determine what algorithmic steps the malware is programmed to perform, how or whether a particular malware variant may propagate laterally throughout an entity’s enterprise, what types of data the malware is searching for, and whether or not the malware may attempt to exfiltrate data or exploit vulnerabilities. An investigation of this nature may reveal that the malware was not intended to compromise ePHI and/or that there is a low probability that the ePHI was compromised in any other way.

Furthermore, OCR addressed the question of whether a reportable breach occurs if the ePHI encrypted by the ransomware was already encrypted before the ransomware was executed. OCR stated that if ePHI is encrypted “in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.” In contrast, OCR cautioned that even if the PHI has been encrypted, further analysis may still be required to determine that the encryption has actually rendered the affected information unusable, unreadable, and indecipherable to unauthorized individuals. According to NIST SP 800-111, this means considering not only the encryption algorithm but also additional areas such as the encryption methodology (for example, full disk, virtual disk or volume, folder, or file), cryptographic key management, and pre-boot authentication, if applicable.