Health and Human Services Issues New Guidance on Ransomware
The U.S. Department of Health and Human Services Office of Civil Rights, the government entity that manages the privacy of health care information that you share with doctors and others, has issued new guidance on ransomware.
While technically, it only applies to organizations that they regulate, in reality, almost everything they said applies equally to all businesses.
The U.S. Government says that, on average, there have been 4,000 daily ransomware attacks, a 300% INCREASE over last year.
They say that businesses should:
(a) Conduct a risk analysis to identify threats and vulnerabilities. In the case of HHS OCR, they are only worried about protecting health information, but in reality, every business should be conducting a risk analysis at least annually.
(b) Once you have conducted a risk analysis you need to create a plan to mitigate or remediate those risks and then execute that plan.
(c) Implement procedures to safeguard against malicious software (like ransomware).
(d) Train ALL users on detecting malicious software and what to do if they detect it or accidentally click on something.
(e) Limiting access to information to only those people with a need for it and, if possible, grant them read only access. Ransomware can’t encrypt files that it doesn’t have write access to.
At least one ransomware attack that I am familiar with became a full blown crisis because a user had write access to a whole bunch of network shares and they ALL got encrypted. Not a good day at that non-profit.
(f) Create and maintain and overall incident response plan that includes disaster recovery, business continuity, frequent backups and periodic full drill exercises.
There is a lot of language that ties the specifics of what they recommend to the HIPAA/HITECH regulations, which is important if you are a covered entity or business associate, but even if you have no HIPAA information, these recommendations are right on.
If you are not doing all of these things today, you should consider making it a priority. Ransomware is messy stuff, even if you have backups of everything. Assuming you have not implemented a full disaster recovery/business continuity solution (and if you have not you have a lot of company), recovering from your backups is a very time consuming and labor intensive process and in the mean time, you are working off of pencil and paper.
Information for this post came from the Health and Human Services web site.