OCR: Take Action to Avoid Becoming a Cyber Extortion Victim – HealthInfoSec
Agency Offers List of Steps to Take to Mitigate the Risk
Federal regulators are warning healthcare entities and business associates to take action to prevent becoming the next victim of cyber extortion, such as a ransomware attack. “Incidents of cyber extortion have risen steadily over the past couple of years and, by many estimates, will continue to be a major source of disruption for many organizations,” says the Department of Health and Human Services’ Office for Civil Rights in a Tuesday cyber alert to HIPAA covered entities and business associates.
Among the steps that OCR says organizations should consider taking to reduce the chances of being a victim of cyber extortion are: Implementing a robust risk analysis and risk management program; ………
Keith Fricke, partner and principal consultant at tw-Security, says organizations can reduce the chances of being a cyberattack target by keeping up on security patches, maintaining layered security defenses and vigilantly educating users about phishing and social engineering. But the threats continue to evolve.
“Organizations that are targets of intent still benefit from doing all these same things; unfortunately, criminals are relentless in gaining unauthorized access to organizations they are intent on breaching,” he says.
Fricke also suggests that organizations get familiar with law enforcement agencies prior to an attack. “For extortion involving the threat by criminals to post stolen data to public forums unless money is paid, organizations should have a good working relationship with local law enforcement, including the FBI,” he says. “One way to do that is by participating in their local InfraGard chapter, which is a federally based organization bringing together the FBI with members of the public and private sector that are part of the national infrastructure.”

He also suggests that healthcare organizations review their cyber insurance policies, checking the extent to which they cover extortion.

Fricke warns that all healthcare entities need to realize they are potential targets for cyberattack. “Many smaller to mid-size organizations likely feel that they will not be the victim of an extortion attack in cases where information is stolen and demands made to pay money to prevent release of that information,” he notes.
“The mindset is likely one of ‘we are too small’ and criminals go after the larger organizations,” he says. “But criminals may pursue smaller organizations, assuming they are less secure than larger ones. Some pay the ransom … because they are not prepared to recover from data backups.”