The Office of Civil Rights, (OCR) has been dealing with much confusion in the healthcare arena as it pertains to the malware attack type of ransomware. This particular type of malicious attack typically does not actually steal data, but holds the data for ransom by encrypting the targeted data. Once the ransom is received, the attacker sends decryption key to release the data. Because the data does not leave the premises, some security professionals have stated this is not a breach and therefore does not need to be reported. This security professional disagrees as does the OCR.
In July of this year the OCR released guidance on how healthcare providers can protect PHI from ransomware and what exactly is covered under the Healthcare Information Protection and Accountability Act (HIPAA). Per the OCR a ransomware attack falls under 45 C.F.R. 164.402 of the HIPAA Privacy Rule, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the (HIPAA Privacy Rule) which compromises the security or privacy of the PHI.” As per HIPAA, only those authorized should have access to PHI data. If unauthorized individuals gain access, malicious or not, then it is a breach.
The level of reporting comes into play if the organization can demonstrate whether there is a “…low probability that the PHI has been compromised.” If the organization cannot provide evidence that there is a low probability that PHI was compromised, then it is HIPPA breach and both the OCR and customers must be notified. Should the covered entity, or business associate, be able to show proof of low liability then reporting should be to the local FBI or United States Secret Service field office.
Ideally it would be better to mitigate ransomware in the environment instead of having to assess whether a ransomware attack actually included PHI or not. Luckily this can be done in a few ways with the use of Symantec Endpoint Protection (SEP).
First line of defense is the Intrusion Protection Engine (IPS) in SEP. It blocks against any malware or threats on the endpoint. IPS detects and blocks attempts to exploit vulnerabilities which may be present on the machine. With ransomware, as with most malware, the first step is to get that loaded file onto a system. This feature blocks them at the door. Should the ransomware file get to your network there is more to your arsenal with SEP. The next three features provide more security layers within the same product.
Download Insight (DLI) quarantines files by leveraging the vast Symantec customer base who knows the files to be malicious. DLI also detects and quarantines files that have yet to be proven malicious, but are most likely so due to their reputation. Knowing the reputation of the file before the download protects the endpoint from potential attack from ransomware.
Symantec Online Network for Advanced Response, (SONAR) is a behavioral machine learning mechanism which detects applications which are potentially malicious to your environment. SONAR leverages heuristics to detect the behavior of the applications installed on the endpoint and not a specific application. This is beneficial because it is waiting for anything on the endpoint to act in a malicious manner regardless of whether the file or service looks to be innocuous, such as Word.
Application and Device Control Policies have been a part of SEP since version 11. This feature is key to managing how certain applications and devices interact with the endpoint. As it pertains, specifically to ransomware Application and Device Control, the administrator can prevent cmd.exe and powershell.exe from launching from a common application such as Word or Excel.
By layering these features within your existing SEP environment you have at your fingertips a great line of defense against ransomware. Coming up with the newest release of SEP, SEP14 users will see even greater enhancements to their arsenal of endpoint protection. The following are coming with this new release due out in Fall 2016:
- Generic Exploit Mitigation (GEM) – protection techniques for memory exploitation vulnerabilities in applications. GEM includes protection for:
- Java Exploit Protection – blocks attempts to disable Java’s built-in security policies.
- Structured Exception Handling Overwrite Protection (SEHOP) – blocks attempts to overwrite application exception handling addresses.
- Heap Spray Memory Attack Protection – blocks attempts to inject shellcode onto the heap.
- Advanced Machine Learning – building on the SONAR functionality with further enhancements of the heuristics.
Further Reading on the aspects of Symantec Endpoint Protection as well as the OCR’s guidance on ransomware can be found in these links:
- IPS: http://www.symantec.com/connect/blogs/what-symantec-s-intrusion-prevention-system-did-you-2015
- SONAR: https://support.symantec.com/en_US/article.HOWTO80968.html
- Application and Device Control: https://www.symantec.com/security_response/securityupdates/list.jsp?fid=adc
- Download Insight: http://www.symantec.com/connect/blogs/download-insight-sep-121
- OCR Guidance: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
Contributed by: Nicole Keefe