Health Data Breach Tally: Ransomware Proliferates
Here’s An Update on Additions to the ‘Wall of Shame’
… Keith Fricke, principal consultant at tw-Security, predicts that ransomware attacks impacting healthcare sector entities will continue to surge.
“We’ve seen the emergence of ‘ransomware as a service’ in the past few years. This is a service that criminals offer to others that want to get into the ‘ransomware business’ but may not have the resources or technical skills to conduct ransomware campaigns,” he notes. “With RaaS, more criminals can engage in ransomware activities in exchange for paying a percentage of the ransom payments collected.”
Ransomware and phishing attacks added to the HHS tally are evidence of “an alarming trend,” says Susan Lucci, senior privacy and security consultant at tw-Security.
“It becomes evident that this is a successful and profitable avenue for the bad guys,” she says. “The way that ransomware attacks continue to develop new, believable messaging is outpacing healthcare’s ability, in some instances, to keep the workforce educated and alerted to these evolving threats.”
Healthcare organizations should provide all staff members with ransomware prevention updates at least once a month, she suggests. “The best lessons can be learned from real examples, so that people don’t fall for a similar phishing attack,” she adds.
Covered entities can take several steps to reduce the risks posed by business associates (BAs), Lucci says.
“Assign responsibility for BA management to someone with privacy and security expertise. Reviewing and ensuring BA agreements are current is the first step. All too often, contracts are renewed but BA agreements are not,” she says.
Also important is creating a current list of all BAs and keeping in communication with key contacts throughout the life of the relationship, she adds.
“BA breaches can be reduced by establishing a program to obtain tangible evidence for all BAs regarding their levels of compliance with federal and state regulations. It is not too late to develop and implement an approach that requires proof,” Lucci says.