HIPAA Risk Analysis Tip – #WannaStopCrying

Unless you’ve just returned from a 10-day interplanetary space mission, you’ve heard about the weaponization of ransomware into a Weapon of Mass Effect (WME) starting last Friday, May 12th. Organizations worldwide are in chaos trying to protect their systems while remaining operational. It seems that a group called the Shadow Brokers stole and released a suite of Equation Group attack tools purportedly designed by an in-house hacking team for NSA. Among these tools was DoublePulsar, malware designed to exploit older versions of Windows. The Shadow Brokers are believed to be tied to the North Korean government.

While Microsoft prioritized the development of patches for vulnerabilities targeted by DoublePulsar (perhaps having been tipped off by NSA), many organizations apparently did not install them, leaving machines still running Windows XP, Windows Vista, or Windows Server 2003 susceptible to an attack. Now those organizations are scrambling to find and implement those patches.

What follows are short game and long game prescriptions.  Yes, we need to ultimately establish, implement and mature an information risk management program.  AND, yes, we must deal with the day-to-day discovery of new threats and vulnerabilities.

Short Game Plan for #WannaStopCrying:

  1. Don’t Block the Domain: By registering the malware’s unregistered domain name, a British security researcher unknowingly caused all new infections of the ransomware to kill themselves. Britain’s National Cyber Security Center (NCSC) therefore recommends not blocking that domain, because the malware must be able to resolve it at the point of compromise.
  2. Patch Systems – Install MS17-010, issued by Microsoft in March; install Microsoft’s “one-off security fixes” for operating systems no longer supported (Windows XP, Windows Server 2003 and Windows 8), and/or follow other guidance issued by Microsoft.
  3. Until the security patch is applied, disable Server Message Block v1 (SMBv1) on all computers.
  4. Upgrade all computers to Windows 10 along with the Windows Defender Antivirus which can detect this malware.
  5. Maintain daily or more frequent offline / offsite backups of critical data, including applications, databases, mail systems and user files. Test backups regularly for data restoration.
  6. Keep informed by accessing:
    1. NIST Computer Security Resource Center – encouraging the sharing of information security tools and practices
    2. FBI Cyber Security Terrorism – addressing evolving threats
  7. Ensure antivirus signatures are up to date, as vendors are working to deliver updated signatures to detect/prevent a recurrence.
  8. Retrain employees and other workforce members on social engineering, phishing and spoofing methods and ramifications. Test the results frequently.
  9. Check on this process with your Business Associates. Require attestations of the steps they have undertaken to protect your information.
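
For steps 2 and 3, a per-host check can confirm whether the SMBv1 server is still enabled and whether the MS17-010 update is present. The script below is an added example, not part of the original post or any Microsoft tool; the `-KbIds` and `-DisableSmb1` parameter names are chosen for this example, and the KB numbers must be taken from the MS17-010 bulletin for the operating system being checked.

```powershell
# Added example: report SMBv1 server state and MS17-010 hotfix presence on this host.
# Run from an elevated PowerShell prompt. -KbIds and -DisableSmb1 are names chosen for this example.
param(
    [string[]]$KbIds = @(),   # KB numbers from the MS17-010 bulletin for this OS (supplied by you)
    [switch]$DisableSmb1      # without this switch the script only reports
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$method  = $null
$enabled = $null

if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    $method  = 'SmbServerConfiguration'
    $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($DisableSmb1 -and $enabled) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}
else {
    # Older systems: the setting is a registry value. A missing SMB1 value means
    # the default, which is enabled. A change here takes effect after a restart.
    $method  = 'Registry'
    $value   = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $enabled = ($null -eq $value) -or ($value -ne 0)
    if ($DisableSmb1 -and $enabled) {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0
        $enabled = $false
    }
}

# Check for the patch only if KB numbers were supplied; none are assumed here.
$patch = 'not checked'
if ($KbIds.Count -gt 0) {
    $found = @(Get-HotFix -Id $KbIds -ErrorAction SilentlyContinue)
    $patch = if ($found.Count -gt 0) { ($found | ForEach-Object { $_.HotFixID }) -join ',' } else { 'missing' }
}

New-Object PSObject -Property @{
    Computer          = $env:COMPUTERNAME
    Method            = $method
    Smb1ServerEnabled = $enabled
    Patch             = $patch
}
```

A `missing` result means only that none of the supplied KB numbers is listed; a host that received the fix through a later cumulative update will not show the original KB, so confirm against your patch management records before treating it as unpatched.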

But then what? What’s next: #WannaSpy? #WannaDie? #WannaLie? How and when will you be ready?

In addition to the short game, organizations also need a long game to get out ahead of the next exposed asset, threat source, threat event, vulnerability and control deficiency.

Long Game Plan for Information / Cyber Risk Management:

  1. Download and read the OCR-issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.
  2. Download and read NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments.
  3. View a recorded demo of our award-winning IRM|Analysis™ software for conducting NIST-based, OCR-quality risk analysis and risk management.
  4. Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.
  5. Read the OCR Resolution Agreements / Corrective Action Plans, especially the 39 involving ePHI where 35 organizations had adverse findings for incomplete and/or inaccurate HIPAA Risk Analysis and HIPAA Risk Management work.
  6. Download and read our white paper “Harnessing the Power of the NIST Cybersecurity Framework | Your Practical Guide to Effective Information Risk Management”.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.