In its January newsletter, the Office for Civil Rights (OCR) focused on cyber extortion, which it stated has “risen steadily over the past couple of years and continues to be a major source of disruption for many organizations.” Since the health care industry has been a target of cyber extortion attacks, the OCR is specifically warning health care entities and has published a Checklist to help HIPAA covered entities and business associates respond to a cyber-attack.
The OCR commented in the newsletter that cyber criminals continue to create new versions of malicious software and new attacks, so covered entities and business associates must remain vigilant in order to recognize and mitigate the risk of an attacker accessing and stealing sensitive information. The newsletter provides “[E]xamples of activities organizations should consider to reduce the chance of being a victim of cyber extortion:
- Implementing a robust risk analysis and risk management program that identifies and addresses cyber risks holistically, throughout the entire organization;
- Implementing robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
- Training employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
- Deploying proactive anti-malware solutions to identify and prevent malicious software intrusions;
- Patching systems to fix known vulnerabilities that could be exploited by attackers or malicious software;
- Hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker and/or propagation of malicious software;
- Implementing and testing robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack;
- Encrypting and backing up sensitive data;
- Implementing robust audit logs and reviewing such logs regularly for suspicious activity; and
- Remaining vigilant for new and emerging cyber threats and vulnerabilities (for example, by receiving US-CERT alerts and participating in information-sharing organizations).”