Tuesday 8 November 2016

HIPAA Compliance - What your Pharmaceutical Business needs to know about Ransomware.

In my last blog, I discussed cyber security, in relation to GxP. This week I wanted to focus on one particular security threat that is very prevalent at the moment, and is growing at an alarming rate: namely "ransomware".

This particular type of cyber crime impacts heavily on both GxP and HIPAA compliance and as such it is vital that the Board of pharmaceuticals companies understand what the threat is, how at risk they are, how to mitigate the risk of being attacked, and what their plan would be to handle the situation were they to be the unfortunate victim of such an attack.

Ransomware is a form of malicious software (malware), which effectively hijacks your data by encrypting it and demanding payment of a ransom in return for the security key needed to decrypt it.

Email attachments and links in emails are the most common ways for Ransomware to enter an organisation, but it can also enter via business applications, websites, USB sticks or social media.

According to research by Osterman Research Inc carried out in June 2016, 54% of organisations in the United Kingdom had experienced ransomware attacks during the previous 12 months.

The sector most attacked was healthcare, which comes as no surprise as being so dependent on access to their critical information makes them prime targets for ransomware producing cyber criminals, particularly in settings like hospitals, where potential loss of life will justify the payment of a high ransom.

The same research shows that many ransomware infections are widespread. Only a tiny proportion of UK based organisations reported that ransomware infections spread to fewer than 1% of endpoints, but about one half reported more widespread infections. More seriously, one in 10 UK based organisations reported that their most serious ransomware infection had reached every endpoint on their network.

The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. It also requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack.

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach of the HIPAA Privacy Rule has occurred because the ePHI encrypted by the ransomware was acquired (i.e. Unauthorised individuals have taken possession or control of the information), and that is a disclosure not permitted under the HIPAA Privacy Rule.

Recent guidance from the HHS Office for Civil Rights has made it clear that a ransomware attack usually results in a breach of healthcare information under the HIPAA Breach Notification Rule. Unless the covered entity or business associate can demonstrate that there is a "… low probability that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, the entity must then comply with the applicable Breach Notification provisions, including notification to affected individuals without unreasonable delay, to HHS, and, in certain cases, to the media.

Naturally, this is a highly undesirable position for any pharmaceuticals company to find itself in, so what should the Board be doing in relation to the threats that ransomware presents to their HIPAA (and indeed GxP) compliance?

Well, at the moment myself and my company are engaged with our pharmaceutical clients to carry out the following types of work:-

• Reviewing pharmaceuticals current systems to identify risks and vulnerabilities to their electronic protected health information (ePHI).

• Working closely with the Board to come up with a risk mitigation plan to address any vulnerabilities identified, and then implementing the plan.

• Implementing a suite of technical measures, involving hardware, software, cloud technologies and security policies, to protect ePHI information from cyber threats including ransomware.

• Training and educating users (bearing in mind new threats are emerging daily and security vendors are constantly playing catch up, the staff will actually be the last line of defence against an attack and need to be educated accordingly).

• Devising, implementing and testing contingency plans including disaster recovery plans, frequent data backups, security incident responses and emergency operating procedures.

Over coming blogs, I will be exploring in more depth some of the key issues around IT compliance in relation to both HIPAA and GxP.  If in the meantime you need any assistance with assessing your risks around ransomware in relation to HIPAA or GxP, or with implementing or updating your policies, plans and technologies in light of new cyber security threats, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk.

No comments:

Post a Comment