HIPAA Security Compliance 101 - Lesson 4
HIPAA and the WannaCry Virus
If you’ve been following the news lately, no doubt you’ve heard or read about the recent cyber attack called WannaCry. WannaCry is a particularly nasty type of malware known as “ransomware,” which infects your computer and blocks access to your data until you pay a ransom. Unlike most ransomware, it also spread on its own from one computer to the next using a flaw in Windows file sharing (SMBv1), without anyone having to open a file or click a link. According to the latest reports, the attack was first discovered on May 12 and spread to over 150 countries, including the United States. Over 48 National Health Service (NHS) organizations in the U.K. were infected.
HHS has published a fact sheet specifically about ransomware that can be found at: www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
Note that HHS’s position is that ransomware encrypting ePHI is presumed to be a breach unless your organization can show, through a documented risk assessment, a low probability that the PHI was compromised. We highly recommend reading this document and evaluating your related security policies. In the meantime, here are a few simple steps you can take to greatly reduce your exposure to a ransomware attack:
Install the Latest Patches and Software Updates
Microsoft released a patch for the Windows SMBv1 vulnerability that WannaCry exploits in March 2017 (security bulletin MS17-010), two months before the outbreak, so make sure your PC has the latest updates and patches to Windows and Office. A best practice is to set up your PC to install these automatically as they become available. This advice also applies to users of non-Microsoft devices. Also, avoid storing important data on old systems for which patches and software updates are no longer available.
Many of the U.K. systems that were infected were running Windows versions that had not received the March patch, including some that were out of support and no longer received updates at all. Also, don’t overlook your medical devices, many of which now have computers embedded in them; these often cannot be patched on the same schedule as your PCs, so at a minimum keep them on a separate network from your workstations.
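The following PowerShell script is an added example for this lesson, not part of the original text or of any HHS guidance. It performs a read-only check of the three things this section asks for on one Windows PC: whether an MS17-010 update is listed, whether the SMBv1 file-sharing protocol WannaCry used is turned off, and whether Windows Update is set to install automatically. The list of KB numbers is taken from the March 2017 MS17-010 bulletin and is an assumption you should confirm against the bulletin for your exact Windows version. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original lesson): a read-only audit of the
# WannaCry-relevant controls on a single Windows 7 SP1 or later PC.

# KB numbers from the March 2017 MS17-010 security bulletin. Assumed list:
# confirm against the bulletin for your exact Windows version and edition.
$Ms17010Kbs = @(
    'KB4012598',  # Windows XP, Vista, Server 2003, Server 2008 (XP/2003 builds issued out-of-band, May 2017)
    'KB4012212',  # Windows 7 / Server 2008 R2, security-only update
    'KB4012215',  # Windows 7 / Server 2008 R2, monthly rollup
    'KB4012213',  # Windows 8.1 / Server 2012 R2, security-only update
    'KB4012216',  # Windows 8.1 / Server 2012 R2, monthly rollup
    'KB4012606',  # Windows 10 version 1507
    'KB4013198',  # Windows 10 version 1511
    'KB4013429'   # Windows 10 version 1607
)

function Test-Ms17010Installed {
    # Get-HotFix lists installed update packages. Caveat: Windows 10 cumulative
    # updates supersede earlier ones, so a fully patched Windows 10 PC may list
    # none of these KBs even though the fix is present. Treat "not listed" on
    # Windows 10 as "verify the build is newer than March 2017", not as vulnerable.
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) {
        $status = 'PASS'; $detail = ($installed.HotFixID -join ', ')
    } else {
        $status = 'REVIEW'; $detail = 'No MS17-010 KB listed; verify a later cumulative update is installed'
    }
    [pscustomobject]@{ Check = 'MS17-010 update'; Status = $status; Detail = $detail }
}

function Test-Smb1Disabled {
    # WannaCry spread over SMBv1 (TCP 445). Turning the protocol off removes the
    # exposure even on a PC that has not yet received the patch.
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later; on
    # Windows 7 fall back to the registry value the SMB server service reads.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        # An absent value means the default, which on Windows 7 is "enabled".
        $enabled = ($null -eq $val) -or ($val -ne 0)
    }
    if ($enabled) {
        $status = 'FAIL'
        $detail = 'Disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false (Win8+), or set LanmanServer\Parameters\SMB1 = 0 and reboot (Win7)'
    } else {
        $status = 'PASS'; $detail = 'SMBv1 server is off'
    }
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Status = $status; Detail = $detail }
}

function Test-AutoUpdateEnabled {
    # Windows Update Agent COM API. NotificationLevel 4 = download and install on a schedule.
    $level = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings.NotificationLevel
    $names = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download'; 3 = 'Notify before install'; 4 = 'Scheduled install' }
    $status = if ($level -eq 4) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = 'Automatic updates'; Status = $status; Detail = "NotificationLevel $level ($($names[[int]$level]))" }
}

$results = @(Test-Ms17010Installed; Test-Smb1Disabled; Test-AutoUpdateEnabled)
$results | Format-Table -AutoSize

# Keep the dated, per-host output with your HIPAA documentation: the lesson's
# closing point is that the control has to be documented, not just applied.
$results |
    Add-Member -NotePropertyName Host -NotePropertyValue $env:COMPUTERNAME -PassThru |
    Export-Csv -Path ".\wannacry-audit-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The script changes nothing on the machine; it only reports. The remediation commands it prints for a FAIL on the SMBv1 check are the standard Microsoft ones, but disabling SMBv1 can break very old printers, scanners and network storage devices, so test on one PC before rolling it out practice-wide.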
Be Aware of “Phishing” Attacks
A very common way that malware like this gets installed on your PC is by tricking you into clicking on a link in an email or opening an email attachment. This is generally known as “phishing.” Make sure your PC has antivirus protection that includes scanning incoming email. Confirm the legitimacy of emails before clicking on links or opening attachments. Whenever you do click on a link that appears legitimate, verify that the URL in your web browser is correct. Be sure to share this information with your staff. Keep in mind, though, that WannaCry did not need anyone to click anything once it reached a network; phishing awareness defends against the most common way ransomware arrives, but it is not a substitute for patching.
Back Up your Data
As much as possible, store your data on servers that are backed up and maintained by your IT department. If that’s the case, losing access to your workstation should be only a minor inconvenience: you re-image or replace the workstation and restore from the server. If you do have important data on your workstation, make sure it is backed up. There are many backup tools and services that can be configured to run automatically. Be aware that ransomware also encrypts any network share or attached backup drive it can reach from the infected PC, so keep at least one backup copy offline or otherwise not writable from your workstations, and periodically test that you can actually restore from it.
Although not foolproof, taking these simple steps will greatly reduce the likelihood of being infected by ransomware or other malware.
Finally, all of the above should be documented as part of your overall HIPAA compliance program, which will be very important should your facility ever be audited for HIPAA compliance.