News outlets are reporting that ransomware has hit at least 6 countries today, Tuesday June 27, 2017. One of the countries hit is the Ukraine where the coordinated attack hit key parts of Ukraine’s infrastructure – government agencies and electric grids to stores and banks.
According to NPR, the Department of Homeland Security’s Scott McConnell says the agency is “monitoring reports of cyber attacks affecting multiple global entities and is coordinating with our international and domestic cyber partners.”
AP is reporting that the attack was confirmed to have spread beyond Europe when U.S. drugmaker Merck, based in New Jersey, said its systems had also been compromised.
Computers that are hit by the malware display a locked screen that demands a $300 bitcoin payment to retrieve files.
It is being reported that the malware was delivered in emails that had been created to resemble business correspondence.
This attack presents another opportunity to your educate staff. All staff should be aware of the following:
- Do not click on links or attachments in emails that come from unknown senders/sources.
- Be suspicious of any link even when sent from someone you know. Their machine could be infected without their knowledge.
- When in doubt about a link, delete the email.
- Stay away from questionable websites. Do not download materials from unknown websites.
- Be aware of unusual behavior on computers; act quickly if you think the computer has become infected.
- Immediately notify the IT department when any computer acts unusual.
As a reminder the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR) has developed a checklist and a corresponding Infographic that explains the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident.
In summary, healthcare organizations should take the following steps in the event of a cyber attack or similar emergency:
- Execute response and mitigation procedures and contingency plans:
- Immediately fix any technical or other problems to stop the incident.
- Take steps to mitigate any impermissible disclosure of protected health information which may be done by the entity’s own information technology staff, or by an outside entity brought in to help (which would be a business associate, if it has access to protected health information for that purpose).
- Report the crime to other law enforcement agencies:
- Include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service.
- These reports should not include protected health information, unless otherwise permitted by the HIPAA Privacy Rule.
- Note: If a law enforcement official tells the entity that any potential breach report would impede a criminal investigation or harm national security, the entity must delay reporting a breach for the time the law enforcement official requests in writing, or for 30 days, if the request is made orally.
- Report all cyber threat indicators to the appropriate federal and information-sharing and analysis organizations (ISAOs):
- Including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs.
- Such reports should not include protected health information.
- Report the breach to the Office of Civil Rights (OCR) as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals:
- Affected individuals and the media must also be notified unless a law enforcement official has requested a delay in the reporting.
- OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach.
- An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify:
- Individuals without unreasonable delay, but no later than 60 days after discovery
- OCR within 60 days after the end of the calendar year in which the breach was discovered.
Regulatory Compliance Solutions for Healthcare Organizations
Our comprehensive compliance suite includes:
Learn more. Visit mcnhealthcare.com