By now, you may have heard about the global ransomware attacks affecting health care and other organizations throughout the world, in particular the United Kingdom, but also in the United States. The ransomware variant, called “Wanna Decryption” or “WannaCry,” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until ransom is paid. Here are some quick facts about the WannaCry attack and suggestions for avoiding it.
Continue Reading Ransomware Attack – Quick Facts

On Wednesday, March 8, James B. Comey, Director of the FBI, was at Boston College to deliver the keynote address for the inaugural Boston Conference on Cyber Security (BCCS 2017). Director Comey addressed various industry, cyber security, FBI, law enforcement and military experts in attendance regarding current cyber threats to both industry and government assets and the FBI’s approach to confronting them. During his remarks, Director Comey was asked to opine on the biggest cyber threat to healthcare providers, to which Comey quickly responded, “ransomware.”
Continue Reading Advice to Healthcare Providers on Ransomware from the Head of the FBI

Last week, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released new guidance on reporting and monitoring cyber threats. The guidance urges covered entities and business associates to report suspicious activity, including cybersecurity incidents, to the United States Computer Emergency Readiness Team (US-CERT). US-CERT is an organization within the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) that is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities. It is operational 24 hours a day, and accepts, triages, and collaboratively responds to incidents.
Continue Reading OCR Releases Guidance on Reporting and Monitoring Cyber Threats

On Monday, the Office for Civil Rights (OCR) released important new guidance on ransomware for hospitals and other healthcare providers and finally addressed the question of whether electronic protected health information (ePHI) that has been encrypted on a covered entity’s systems, but potentially not accessed by the hacker, has been breached for HIPAA purposes. Back in March, OCR highlighted the threat of ransomware in its “OCR Cyber-Awareness Monthly Update.” Rather than just describing the threat, yesterday’s guidance ties the prevention of, detection of, and response to a ransomware attack to a Covered Entity’s obligations under HIPAA. A key component of the guidance provides that a ransomware attack that encrypts a Covered Entity’s ePHI is presumed to be a breach. As ransomware can infect a Covered Entity’s entire system, this presumption may lead to enormous breach notification obligations.
Continue Reading “Your Money or Your PHI”: OCR Releases Guidance on Ransomware

In a chain of events that should be a wake-up call to any entity using and storing critical health information, Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a malware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.

Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wired, questioned that assertion.

The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.
Continue Reading Hollywood Presbyterian Concedes to Hacker’s Demands in Ransomware Attack