HIPAA Compliance & the Ability to Settle Ransomware

A recent HHS announcement clarified the regulator's position on proper remediation & recovery following a ransomware attack. For background, like most regulated industries, healthcare companies are required to have written procedures and operating practices for handling cyber security incidents such as ransomware. Specifically, organizations subject to HIPAA are required to have:

“Security incident procedures, including procedures for responding to and reporting security incidents. An entity’s security incident procedures should prepare it to respond to various types of security incidents, including ransomware attacks. Robust security incident procedures for responding to a ransomware attack should include processes to [..] recover from the ransomware attack by restoring data lost during the attack and returning to ‘business as usual’ operations.”

This regulation refers to a general NIST framework, Special Publication 800-61, the Computer Security Incident Handling Guide. In Section 3.3.4, “Eradication and Recovery”, the guide explains that:

“In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security.”

What is clear from both the NIST guidance and the HIPAA regulations is that data loss from ransomware is not an option for healthcare organizations.

Having redundant backups provides the first layer of recovery. But what if encrypted files have not been properly backed up, or the backups have been encrypted as well? Whatever recovery method is used, to maintain compliance, healthcare organizations need to have a plan in place to restore access to any encrypted data files.

The ability to procure and quickly settle a ransom is a core capability for HIPAA regulated entities to include in their security incident procedures. Evidence of this appeared in a recent Citrix survey, which found that up to 40% of UK healthcare firms now hold Bitcoin in an attempt to prepare for future ransomware attacks. While this certainly shows a measure of proactivity, it creates several additional management burdens on a number of internal departments that must now track and account for the asset. Holding only Bitcoin also does not account for the recent shift away from Bitcoin to newer privacy coins such as Monero and Dash, which are currently the preferred denomination of ransomware.

Like backups, disaster-recovery-as-a-service (DRaaS) now includes ransomware settlement-as-a-service (RSaaS). With it, healthcare organizations can maintain compliance and be assured that downtime is minimized should ransomware impair their ability to return to business as usual, as HIPAA and NIST require.