NCCoE and NIST Guidelines for Ransomware Recovery: HIPAA & HITECH Act Blog by Jonathan P. Tomes


Little doubt exists that ransomware is a major threat to the availability of health information. Ransomware is malicious software that denies the victim access to data, or threatens to publish it, unless a ransom is paid; the field that studies how cryptography can be used to build such malware is called cryptovirology. Modern ransomware uses cryptoviral extortion: the attacker encrypts the victim’s files, making them inaccessible, and demands payment for the decryption key. When the encryption is implemented correctly, recovering the files without that key is infeasible, which is why verified backups are the practical defense. Attackers also demand payment in digital currencies such as Bitcoin, which makes tracing and prosecuting them difficult.

Ransomware is typically delivered by a Trojan horse: a file disguised as something legitimate that the user is tricked into downloading or opening, most often as an email attachment. One high-profile example, the 2017 WannaCry outbreak, instead spread automatically from computer to computer by exploiting a flaw in the Windows SMB file-sharing service, with no action by the user at all.

The National Cybersecurity Center of Excellence (“NCCoE”), part of the National Institute of Standards and Technology (“NIST”), has issued draft guidelines for ransomware recovery. The guidelines, NIST Special Publication 1800-11, “Data Integrity: Recovering from Ransomware and Other Destructive Events,” treat ransomware as one instance of a broader class of data integrity attacks. The intent of the publication is to give organizations of all sizes a detailed, standards-based guide for developing recovery strategies for data integrity attacks, establishing best practices that minimize the damage caused, and ensuring a speedy recovery.

NIST says, “When data integrity events occur, organizations must be able to recover quickly from the events and trust that the recovered data is accurate, complete, and free of malware.”

NCCoE/NIST collaborated with several technology companies and organizations (GreenTec, HP, IBM, Tripwire, the MITRE Corporation, and Veeam) to develop the guidelines, which help organizations prepare for the worst and build an effective strategy for recovering from a cybersecurity event such as a ransomware attack. Organizations that adopt the best practices detailed in the guidelines should find the recovery process smoother, should be better able to keep critical business and revenue-generating operations running, and can manage enterprise risk more effectively.

The NIST guidelines for ransomware recovery will help organizations prepare for an attack and develop strategies to allow them to restore data to the last known good configuration, identify the correct backup copies to use, and determine whether data have been altered or poisoned.
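Two of the recovery questions the guide raises, which backup copy is safe to restore from and whether the data in it has been altered, can be answered mechanically if every backup ships with a manifest of file hashes sealed by a key the attacker cannot reach. The Python below is an added example illustrating that approach; it is not code from the NIST/NCCoE build or from this blog. The file contents, the manifest key, the snapshot labels and the entropy threshold are all constructed assumptions.

```python
"""Backup-integrity triage: verify each backup snapshot against a keyed manifest,
flag files that look encrypted, and pick the newest snapshot that still checks out.
Added example; not code from NIST SP 1800-11 or the NCCoE build."""
import hashlib
import hmac
import json
import math
from collections import Counter

# Assumption: the backup system holds a secret OFFLINE (backup server, HSM) that a
# ransomware operator on the production network cannot reach. Placeholder value.
MANIFEST_KEY = b"offline-manifest-key-placeholder"
ENTROPY_THRESHOLD = 7.5  # bits/byte; heuristic cut-off chosen for this example


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Hash every file and MAC the whole table, so an attacker who can rewrite the
    stored backup files but lacks the key cannot also rewrite the manifest."""
    entries = {path: sha256_hex(content) for path, content in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_snapshot(files: dict, manifest: dict, key: bytes) -> dict:
    """Compare a snapshot's files with its manifest and return the findings.
    verdict: 'tampered'   - manifest forged, or files altered/missing/unexpected
             'suspicious' - integrity intact, but some files look encrypted
             'clean'      - safe candidate for restore"""
    f = {"manifest_forged": not manifest_is_authentic(manifest, key),
         "altered": [], "missing": [], "unexpected": [], "high_entropy": []}
    expected = manifest["entries"]
    for path, digest in expected.items():
        if path not in files:
            f["missing"].append(path)
        elif sha256_hex(files[path]) != digest:
            f["altered"].append(path)
    for path, content in sorted(files.items()):
        if path not in expected:
            f["unexpected"].append(path)
        if shannon_entropy(content) > ENTROPY_THRESHOLD:
            f["high_entropy"].append(path)
    if f["manifest_forged"] or f["altered"] or f["missing"] or f["unexpected"]:
        f["verdict"] = "tampered"
    elif f["high_entropy"]:
        f["verdict"] = "suspicious"
    else:
        f["verdict"] = "clean"
    return f


def last_known_good(snapshots: list, key: bytes):
    """snapshots: [(label, files, manifest), ...] oldest first.
    Walk backwards and return the label of the newest clean snapshot, or None."""
    for label, files, manifest in reversed(snapshots):
        if verify_snapshot(files, manifest, key)["verdict"] == "clean":
            return label
    return None


# ---- Constructed sample data (not real records) -----------------------------
def _records(n: int) -> bytes:
    return b"".join(b"MRN %05d|DOE, JANE|DOB 1970-01-01|visit note\n" % i for i in range(n))


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ransomware output (SHA-256 keystream-like bytes)."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(length // 32 + 1))
    return out[:length]


CLEAN_FILES = {"ehr/patients.csv": _records(40), "ehr/notes.txt": b"Follow-up scheduled.\n" * 20}
ENCRYPTED_FILES = {p + ".locked": _pseudo_ciphertext(p.encode(), 2048) for p in CLEAN_FILES}
ENCRYPTED_FILES["README_DECRYPT.txt"] = b"Your files are encrypted. Pay 2 BTC.\n"

night1 = ("nightly-1", dict(CLEAN_FILES), build_manifest(CLEAN_FILES, MANIFEST_KEY))
night2_files = dict(CLEAN_FILES)
night2 = ("nightly-2", night2_files, build_manifest(night2_files, MANIFEST_KEY))
# Attacker reached the backup repository and overwrote one of nightly-2's stored files;
# the manifest was sealed with the offline key, so the hash no longer matches.
night2_files["ehr/patients.csv"] = _pseudo_ciphertext(b"tamper", 2048)
# The nightly-3 job ran after production was encrypted: it faithfully backed up
# ciphertext, so its manifest verifies even though the data is useless.
night3 = ("nightly-3", ENCRYPTED_FILES, build_manifest(ENCRYPTED_FILES, MANIFEST_KEY))
SNAPSHOTS = [night1, night2, night3]

if __name__ == "__main__":
    for label, files, manifest in SNAPSHOTS:
        print(label, verify_snapshot(files, manifest, MANIFEST_KEY)["verdict"])
    print("restore from:", last_known_good(SNAPSHOTS, MANIFEST_KEY))
```

Running the script reports nightly-2 as tampered (a stored file no longer matches its sealed hash), nightly-3 as suspicious (integrity intact, but the captured files are ciphertext), and selects nightly-1 for restore. Two caveats for anyone adapting this: the manifest only protects against tampering if the MAC key is genuinely out of the attacker's reach, and the entropy heuristic will also flag legitimately compressed or encrypted formats (archives, PDFs, encrypted databases), so those need an exemption by file type rather than a higher threshold. The NCCoE build described in SP 1800-11 relies on the commercial integrity-monitoring and backup products of its collaborators for these steps rather than on scripts like this one.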

In the event of data alteration, the guidelines show organizations how to identify the individual(s) who altered data and determine the impact of data alteration on business processes. The guidelines also explain how businesses can ensure that systems are free from malware during the recovery process.

The guidelines are split into three volumes: Volume A is an executive summary, which is of particular relevance for business decision makers, including CSOs and CISOs; Volume B outlines approach, architecture, and security characteristics that will help technology and security program managers identify, understand, assess, and mitigate risk; Volume C includes how-to guides, including specific product installation, configuration, and integration instructions for a selection of software solutions and tools to help organizations recover from data integrity attacks.

The draft guidelines are available here.

We highly recommend that you add ransomware to your annual risk analysis update. We have developed a revised sample ransomware policy for you to use as a template; it is available in the Premium Member section of our website. Base your ransomware policy on your written risk analysis so that you are not just guessing. Then train your workforce on the policy, and keep electronic and/or paper copies of your written risk analysis, your policy, and your training log as documentation of HIPAA compliance for the six-year record retention period that HIPAA requires.
