Robinson+Cole Partner and Brown University Executive Master Faculty Member Linn Freedman recently posted about the growing threat of cyber extortion attacks on the healthcare industry on Robinson+Cole’s excellent Data Privacy+Security Insider publication. Read her post below to learn more about the Office for Civil Rights’ warnings about the increase in these attacks and its checklist to help HIPAA covered entities protect themselves.
In its January newsletter, the Office for Civil Rights (OCR), a sub-agency of the U.S. Department of Health and Human Services, focused on cyber extortion, stating that it had “…risen steadily over the past couple of years and continues to be a major source of disruption for many organizations.” Because the healthcare industry has been a frequent target of cyber extortion attacks, the OCR published a checklist to help HIPAA covered entities and business associates prepare for and respond to a cyber-attack.
The OCR commented in the newsletter that cybercriminals continue to create new versions of malicious software and attacks, so covered entities and business associates must be vigilant in order to recognize and mitigate the risk of an attacker accessing and stealing sensitive information. The newsletter lists “[E]xamples of activities organizations should consider to reduce the chance of being a victim of cyber extortion:
- Implementing a robust risk analysis and risk management program that identifies and addresses cyber risks holistically, throughout the entire organization;
- Implementing robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
- Training employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
- Deploying proactive anti-malware solutions to identify and prevent malicious software intrusions;
- Patching systems to fix known vulnerabilities that could be exploited by attackers or malicious software;
- Hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker and/or propagation of malicious software;
- Implementing and testing robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack;
- Encrypting and backing up sensitive data;
- Implementing robust audit logs and reviewing such logs regularly for suspicious activity; and
- Remaining vigilant for new and emerging cyber threats and vulnerabilities (for example, by receiving US-CERT alerts and participating in information sharing organizations).”
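Two of the checklist items above, limiting lateral movement and reviewing audit logs for suspicious activity, are easier to act on with a concrete rule in hand. The Python below is an added example written for this page, not code from the OCR newsletter or from Robinson+Cole. It assumes a simple pipe-delimited log format (ISO timestamp|EVENT|user|source host|detail), constructs its own sample events, and uses arbitrary thresholds that a real deployment would tune: it flags one account rewriting many files in a minute (what a file share being encrypted looks like) and one account logging on to many hosts within a few minutes (the fan-out pattern of lateral movement).

```python
"""Sliding-window review of audit logs for two cyber-extortion indicators:
a burst of file writes by one account and a logon fan-out from one host.
Added example for this page; the log format, thresholds and sample data
are assumptions, not anything from the OCR newsletter."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp|EVENT|user|source host|detail
# (detail is the file path for FILE_WRITE, the target host for LOGON_SUCCESS).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<event>[A-Z_]+)\|(?P<user>[^|]+)\|(?P<src>[^|]+)\|(?P<detail>.*)$"
)


def parse(lines):
    """Parse log lines into dicts sorted by time; malformed lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production reviewer would count and report these
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def sliding_window_alerts(events, event_type, threshold, window, label):
    """For each (user, source host) pair, count distinct `detail` values of
    `event_type` events inside a trailing `window`; alert once per pair when
    the count exceeds `threshold`. Returns (label, user, src, count, ts)."""
    recent = defaultdict(deque)  # (user, src) -> deque of (ts, detail)
    fired = set()
    alerts = []
    for ev in events:
        if ev["event"] != event_type:
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]
        q.append((ev["ts"], ev["detail"]))
        while q and ev["ts"] - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        count = len({detail for _, detail in q})
        if count > threshold and key not in fired:
            fired.add(key)
            alerts.append((label, ev["user"], ev["src"], count, ev["ts"]))
    return alerts


def review(lines):
    """Run both detectors. Thresholds are arbitrary starting points to tune per site."""
    events = parse(lines)
    alerts = sliding_window_alerts(events, "FILE_WRITE", 20, timedelta(seconds=60),
                                   "burst of file writes")
    alerts += sliding_window_alerts(events, "LOGON_SUCCESS", 5, timedelta(minutes=5),
                                    "logon fan-out")
    return alerts


def build_sample_log():
    """Constructed sample events (not real data)."""
    base = datetime(2018, 1, 15, 8, 0, 0)
    lines = []
    # Ordinary activity: one user saves a few documents over an hour.
    for i in range(5):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()}|FILE_WRITE|jsmith|ws07|/records/notes_{i}.docx")
    # Ransomware-style burst: the same account rewrites 30 files in 30 seconds.
    for i in range(30):
        t = base + timedelta(minutes=30, seconds=i)
        lines.append(f"{t.isoformat()}|FILE_WRITE|jsmith|ws07|/records/patient_{i:03d}.pdf.locked")
    # Lateral movement: a service account fans out from ws07 to 8 servers in 3 minutes.
    for i in range(8):
        t = base + timedelta(minutes=40, seconds=20 * i)
        lines.append(f"{t.isoformat()}|LOGON_SUCCESS|svc_backup|ws07|srv{i:02d}")
    # Benign admin touching 3 hosts in the same period stays under the threshold.
    for i in range(3):
        t = base + timedelta(minutes=40, seconds=30 * i)
        lines.append(f"{t.isoformat()}|LOGON_SUCCESS|admin|jump01|srv{i:02d}")
    return lines


if __name__ == "__main__":
    for label, user, src, count, ts in review(build_sample_log()):
        print(f"{ts.isoformat()} {label}: {user}@{src} ({count} distinct in window)")
```

The alert fires once per (user, host) pair so a single incident does not flood the reviewer, and the window is keyed on distinct paths or hosts rather than raw event counts, which keeps a user saving the same document repeatedly from tripping the rule. On the constructed data only the ransomware-style burst and the service-account fan-out are reported; the admin who reaches three hosts is not.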
You can read the original article at Robinson+Cole’s Data Privacy+Security Insider.