Healthcare organizations in the US fall under the scope of the “Health Information Technology for Economic and Clinical Health (HITECH) Act”, which enforces the requirement of reporting data breaches to the authorities, as well as taking certain measures when such incidents occur. Each incident that has the potential to affect more than 500 persons must be reported and, as a result, tens of events are reported in the US every month.
Other industries have similar regulations (the financial sector, telecommunications, merchants, government institutions, education, etc.) that require data breach notifications to be issued, all with the purpose of protecting the affected persons from identity theft, credit card fraud, etc.
The types of data breaches that need to be reported are categorized depending on their cause: payment card fraud, hacking or malware, insider, physical loss, portable/stationary device, unintentional disclosure and unknown.
The data breaches to be reported refer to those incidents where data has been put at risk of unauthorized access or dissemination. Since Ransomware destroys data or prevents access to it, incidents involving it are not regarded as data breaches (but as business continuity incidents), although there is no guarantee that the information encrypted by Ransomware is not uploaded to the attackers’ computers as well.
Where Ransomware is nowadays
Lately, Ransomware has become stronger, more sophisticated and more dangerous, as pointed out by the latest report on the matter, by Symantec.
Some key findings of the “Special Report: Ransomware and Businesses 2016”:
“While ransomware attacks to date have been largely indiscriminate, there is evidence that attackers have a growing interest in hitting businesses with targeted attacks.”
“A number of ransomware groups have begun using advanced attack techniques, displaying a level of expertise similar to that seen in many cyberespionage attacks.”
“The average ransom demand has more than doubled and is now $679, up from $294 at the end of 2015.”
These findings support the idea that Ransomware should be a leading concern for data security and compliance, and that enterprise ransomware protection should be part of corporate security strategies.
Latest efforts to include Ransomware-associated threats in current data breach reporting requirements
In July 2016, two members of Congress, Ted W. Lieu and Will Hurd, addressed a letter to the Deputy Director for Health Information Privacy, Office for Civil Rights, in which they stress the importance of differentiating Ransomware from common malware and hacking activities. They recommend the inclusion of specific requirements to mitigate the associated risks and the provision of guidelines on how to handle Ransomware infection cases.
In September 2016, the FBI issued a Public Service Announcement entitled “Ransomware Victims Urged to Report Infections to Federal Law Enforcement”. The announcement presents the Ransomware threats and describes how incident reporting helps the national cyber security teams develop means to protect against future attacks.
Ransomware victims should report the attacks here (the FBI Internet Crime Complaint Center): https://www.ic3.gov/default.aspx
Reports start coming in
In October 2016, two healthcare institutions reported Ransomware attacks as data breaches under HITECH, following the congressional letter and the FBI request, although HITECH itself does not yet require entities to report Ransomware attacks.
USC Keck and Norris Hospitals issued this notice in this respect: https://oag.ca.gov/system/files/NOTICE%20%5BFINAL%5D_0.pdf?
Anne M. Cummings, M.D. F.A.C.P filed this notice in this regard: https://oag.ca.gov/system/files/Cummings%20Notice%20A_0.pdf?
How we can help
Reporting Ransomware incidents will help companies and authorities gain awareness and develop better methods to respond to such incidents. TEMASOFT develops specialized anti-ransomware software that detects and blocks Ransomware in seconds, allowing recovery of damaged files (including in successful ransomware attacks, if the technology is running at the time of the attack). Such technology is a critical part of an enterprise ransomware protection strategy, together with awareness training and anti-virus solutions for multilayered security.
Symantec, Special Report: Ransomware and Businesses 2016: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf
FBI Public Service Announcement, “Ransomware Victims Urged to Report Infections to Federal Law Enforcement”: https://www.ic3.gov/media/2016/160915.aspx