
DarkSide Shuts Down Top East Coast Pipeline

By now you are likely aware of the Ransomware Attack by DarkSide which shut down the oil pipeline distribution operations across the Eastern Seaboard. The good news is that Colonial Pipeline reports operations were restarted yesterday (Wednesday) at about 5:00 PM EDT and that full service will be restored “within several days”.

But to restore services, Bloomberg reports that Colonial Pipeline paid nearly $5 million to Eastern European hackers. This contradicts previous reports that the company had no intention of paying an extortion fee to restore services. The payment was made despite the FBI discouraging organizations from paying ransom demands to hackers: the FBI notes that there is no guarantee the hackers will follow through on promises to unlock files, and that paying provides an incentive to would-be hackers.

As you know, a ransomware attack typically involves encrypting a victim’s files and data, which the attackers agree to unlock in exchange for a payment (often made through hard-to-trace cryptocurrency).

But did you know…

  • HIPAA requires organizations to perform a Security Risk Assessment [164.308(a)(1)(ii)(A)]. These assessments must be a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. The assessment can be performed by your IT team, by your outsourced IT support, or by us, or we can help you find other resources to perform it. Assessments or reviews should be conducted at least annually and after any major change (like moving to a new EMR).
  • HIPAA also requires that a covered entity (like you) implement the security measures identified in the risk assessment that are sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level [164.308(a)(1)(ii)(B)]. These measures, as part of an overall mitigation plan, should be updated frequently to note the progress the health center is making toward its goals. And once you develop your plan, address the issues it identified.

This is another area where Colonial Pipeline had an issue. In January 2018 they received an 89-page report outlining the findings (risks) identified after a six-month audit. The AP reports a representative of the audit firm noting “we found glaring deficiencies and big problems” and “I mean an eighth-grader could have hacked into that system”.

  • The bad guys don’t always play fair. Even if you pay the ransom, your data may be lost forever. Or worse yet, your data is made available again, but later encrypted for another ransom payment.
  • Backups are not always enough. In many cases the ransomware “infection” occurred days, weeks, or months before the ransomware event, so a backup from that period may already contain the malware. You could restore data and systems only to have them encrypted again.
  • The “almost $5 million” ransom is likely not the whole cost. Public trust in Colonial has now been eroded and additional oversight is likely on the horizon. There may also be fines related to the attack for not implementing the appropriate safeguards identified in previous audits, as well as the cost of IT overtime and external resources to help address the results of the attack.

Ransomware attacks can be reportable breaches if there are findings that data left the organization.