TechAdvisory.org


How HIPAA wards off ransomware threats

Hospitals and healthcare organizations are usually the first victims of malware attacks. WannaCry ransomware — malicious software that encrypts files until the victim decides to pay the Bitcoin ransom — took advantage of this when it hit several healthcare institutions last month. With more malware expected to target the healthcare industry this year, following HIPAA regulations could save your organization.

For those who don’t know, WannaCry was first discovered in the UK. It affected over 20% of the UK’s National Health Service and created bottlenecks in hospital administration and treatment. Many healthcare institutions claimed that the privacy of patient data was not compromised, but the success of the attack shows how vulnerable these industries are to new, emerging threats.

Within 24 hours, the ransomware eventually spread and infected hundreds of thousands of machines in 150 countries. But despite WannaCry’s success rate with healthcare institutions in Europe, the malware was less effective in the US — thanks to companies that strictly followed these HIPAA guidelines:

Malware protection
Securing your endpoints with advanced antivirus software, firewalls, and intrusion prevention systems can help detect and block attacks targeting your patient data. In fact, most antivirus software has been able to prevent WannaCry since early April; with that in mind, you should keep your security systems patched and run full system scans on a weekly, if not daily, basis.

Up-to-date software
Just like your security products, your business applications, operating system, and other software should always be up to date. WannaCry was able to spread only because of vulnerabilities in outdated Windows operating systems, vulnerabilities that had actually been fixed back in March. Simply taking a few minutes to check for updates and install them will save you a great deal of financial and legal trouble in the future.

Incident response plans
Should a malware attack occur, HIPAA requires that companies have strategies in place to mitigate the damage. When dealing with highly sensitive patient data, encryption systems are a must. And in cases when ransomware strikes, companies should have cloud backup and disaster recovery plans so that files can be restored to a clean machine and operations can keep running.

Security tests and risk analyses
Once you’ve established a security framework and incident response policy, risk analysis and security tests are crucial last steps. Hiring IT staff to perform a risk analysis will help you identify and isolate system vulnerabilities before attackers can use them. Security tests, in turn, show whether your defenses are actually capable of stopping different types of attacks from exploiting any remaining weaknesses.

Employee awareness
Of course, none of this can substitute for good security training. Staff who understand security best practices, such as setting strong passwords and critically double-checking download links, can help ensure your firm’s safety.

Experts anticipate that this attack will spur on copycats, so complying with these security tips and best practices (even if your company is not under HIPAA regulations) is key to survival. And if you need guidance with security or healthcare compliance, we’re the ones to talk with. Call us today if you need help keeping WannaCry and other malware at bay.