Office of Civil Rights shares crucial cybersecurity guidance amid string of ransomware attacks

On June 9, 2021, the Office of Civil Rights (OCR) released a cyber alert with important updates to protect businesses from ransomware attacks. The guidelines come from the White House and the Cybersecurity and Infrastructure Security Agency. The memo, entitled “What We Urge You To Do To Protect Against The Threat of Ransomware,” looks at the increasing frequency and scale of ransomware incidents and calls on the private sector to join the government’s efforts to keep businesses ahead of the curve and protect against the growing threat from such attacks.

This memo follows President Biden’s executive order to improve the country’s cybersecurity and protect the federal government’s networks – another indication of the prioritization of cybersecurity in the federal government and in private institutions. In conjunction with providing key guidance to private entities, the memo also highlights the government’s efforts to develop a coherent and consistent policy on ransom payments, to enable rapid tracing and interdiction of virtual currency proceeds, and to work with the international community to hold accountable countries that harbor ransomware actors.

With specific steps for private entities to follow, the memo calls on companies to do the following to increase cybersecurity: (1) implement the five best practices from the President’s Executive Order, including, for example, multifactor authentication and data encryption; (2) back up data, regularly test systems, and keep backups offline; (3) update and patch systems immediately; (4) test incident response plans; (5) evaluate the organization’s security team practices using a third-party tester to determine cybersecurity readiness; and (6) segment corporate networks so that if one network is compromised, the damage is contained.

While the memo provides important and timely guidance on cybersecurity practices to private entities, it is generally not binding. However, the non-binding nature of the memo should not create a false sense of reduced responsibility. OCR has shown that it will collect large sums of money from regulated companies that fail to adequately protect their networks and systems from cyberattacks. For example, OCR resolved a data breach with CHSPSC LLC (CHSPSC), an IT provider, after hackers used compromised administrative credentials to access information belonging to the healthcare providers it served. CHSPSC agreed to pay $2.3 million to resolve this matter. The OCR investigation revealed a history of “systemic non-compliance” with the HIPAA Security Rule by CHSPSC, even though the FBI had explicitly warned it of the hacking attempts. “The healthcare industry is a well-known target for hackers and cyber thieves. Failure to implement the security precautions required by the HIPAA rules, especially after the FBI has been notified of a possible violation, is inexcusable,” said Severino.

We will continue to report on any additional guidance from OCR to assist the government in cybersecurity efforts in the public and private sectors.
