Organizations regulated by the Healthcare Information Privacy and Accountability Act (HIPAA) must take special care to preserve valuable forensic artifacts at the outset of a ransomware or other cybersecurity event. The HIPAA Breach Notification Rule presumes a cybersecurity incident has resulted in unauthorized access to unsecured protected health information and the burden shifts to the organization to show a low probability of the compromise of the health information it maintains.
Guidance from the Department of Health and Human Services Office for Civil Rights, the federal entity charged with enforcement of HIPAA, provides that the encryption of protected health information by ransomware per se constitutes an unauthorized disclosure of protected health information triggering the Breach Notification Rule.
Consequently, the preservation of forensic evidence capable of disproving the unauthorized access or acquisition of protected health information is paramount and should be undertaken at the outset of the response to any cybersecurity incident, especially ransomware. Breach notification is extremely costly in time, money, and goodwill. Any time and money lost during the operational downtime required to preserve forensic evidence in order to rule out access to protected health information is significantly lower than the costs of notification.
All organizations, HIPAA-regulated entities especially, should utilize the following DOs and DON’Ts to assist with the preservation of forensic evidence in the event of a ransomware incident:
- Unplug or Power Off Any Network Devices. A common misconception is that devices affected by ransomware should be immediately powered off. Doing so can cause the unintentional loss of valuable forensic artifacts.
- Wipe and/or Restore Devices. Another common mistake is to immediately begin restoring critical network infrastructure from existing backups. Most often, critical systems, such as domain controllers, contain the most valuable forensic evidence. Restoring from backups can involve the wiping or cleaning of the encrypted device, which results in the loss of forensic artifacts. Additionally, the restored backups may still contain vulnerabilities that can lead to re-encryption if appropriate security measures – such as endpoint monitoring – are not put into place before restoration (further discussed below).
- Contact the Attackers. Leave communication with the attackers, if any, to the experts. Unilateral communication without experts consulting can give threat actors leverage that could be used against your organization.
- Pay the Ransom Right Away. Ransom payments are sometimes required – however, it is illegal to make payments to some Bitcoin (BTC) wallet addresses. Prior to payment, the BTC wallet addresses should be checked against a federally maintained blacklist of sanctioned wallets. Additionally, some older ransomware variants have publicly available decryption keys, and decryption of your files may be free.
- Notify Patients of the Incident. Wait for the completion of the forensic investigation, which will inform the legal assessment of whether a notification to patients regarding an incident is required under the HIPAA Breach Notification Rule.
- Run an Anti-Virus (A/V) Scan. Counterintuitively, running an A/V scan can result in the deletion of forensic artifacts valuable to a forensic investigation. For example, some of the malware involved in the attack can be reverse engineered to determine whether it was capable of accessing or acquiring protected health information.
- Unplug the Network Cable. This will disconnect the internal network from the internet, cutting off any unauthorized access to the network.
- Isolate/Segregate the Network. If possible, move the entire network into an isolated VLAN (virtual local area network). This provides added security against unauthorized access and prevents the further spread of malware to outside devices.
- Take a Screenshot of or Otherwise Preserve the Ransom Note. The ransom note, much like a fingerprint, provides insight into the variant of the ransomware. The type of variant at play informs many aspects of an incident response. Ransom notes often appear on the infected servers as an HTML or .txt file.
- Map the Network and Create an Inventory of Devices. Having a network inventory prepared will increase the ability of forensic experts to respond and remediate the ransomware.
- Initiate a Global Password Reset. Initiate a password reset for all users on the network. This will cut off any potential threat actor persistence as the network is brought back online.
- Deploy an Endpoint Detection and Response (EDR) Tool. EDR tools are capable of identifying, isolating, and terminating malicious code on the network and will prevent encryption during the forensic collection and remediation process. Most cyber forensic and incident response teams will have a recommended EDR Tool. Wait to consult with your forensic experts before deployment.
- Identify Viable Backups. Identify if there are backups that have not been encrypted by the ransomware. Determine the process for restoring the backups, but do not begin restoration without first consulting legal experts and a forensic investigation team.
- Preserve Firewall, Network, and System Logs. All available logs should be pulled and preserved to prevent their loss due to rollover.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.