The healthcare industry has been no stranger to cyber and ransomware attacks. With increased threats and an uptick in Office for Civil Rights (OCR) enforcement as a result of those threats, organizations of all sizes should 1) evaluate their susceptibility to attacks, 2) employ processes and software to prevent attacks and 3) prepare response plans for breaches. A recent Health and Human Services (HHS) fact sheet confirmed that ransomware is considered a security incident under The Health Insurance Portability and Accountability Act (HIPAA).
How ransomware operates and the severity of the threat
Ransomware is software that blocks access to systems until a sum of money is paid. In other words, hackers hold data and computer systems ‘hostage’ until ransom money is paid. Hackers understand that healthcare systems are rich in personal identification data and attempt to attack during times of vulnerability (i.e. when IT security is out of date). They use the widespread vulnerability of the healthcare industry to their advantage. Even more concerning is the uptick in encrypting ransomware, where the software encrypts vulnerable data until the ransom is paid. The data on the computer is not only unusable, but the software spreads so quickly that it renders the entire organization helpless at an alarming speed. In the past few years the number of ransomware ‘variants’ has increased exponentially, with approximately 1,000 new variants added each day. Ransomware variants are changes in the algorithm, code or method used to encrypt and steal information. Such variation makes it difficult to develop software that prevents and blocks all types of ransomware. Think of variants as strains of antibiotic-resistant bacteria. It is the electronic version of MRSA.
Ransomware is quick to disable entire systems and finds its way into them via seemingly normal channels. In addition to phishing emails, websites can be taken over and used to infiltrate vulnerable systems. Phishing emails are used as bait to lure users into providing secure information such as passwords and credit card details. The emails resemble communications from banks and other institutions that store personal information and trick users into clicking through to an unsecure website. That website will similarly be close to identical to the bank or credit card website. Recent compliance trainings have included phishing email detection as part of the annual training. Modules walk through examples with users and train them to spot minor discrepancies such as URL structure, language used and typographical errors not normally found in secure, legitimate correspondence.
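Two of the discrepancies the training modules teach users to spot, a link whose visible text names one domain while its real target is another, and a look-alike domain that differs from the legitimate one by a character swap, can also be checked mechanically before a message reaches an inbox. The script below is an added example written for this page, not code from the article or from any vendor named in it; the allowlist of legitimate domains, the substitution table and the sample email body are all constructed for the demonstration.

```python
"""Flag suspicious links in an HTML email body (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains the organization legitimately receives mail from.
LEGITIMATE_DOMAINS = {"examplebank.com", "examplehealth.org"}

# Constructed table of visual substitutions seen in look-alike domains.
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "rn": "m", "vv": "w"}


def registered_domain(url: str) -> str:
    """Return the last two labels of a URL's host, or '' if there is no usable host.

    'https://mail.examplebank.com/x' -> 'examplebank.com'
    """
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else ""


def normalize(domain: str) -> str:
    """Undo the common character swaps so look-alikes collapse onto the real name."""
    out = domain
    for bad, good in SUBSTITUTIONS.items():
        out = out.replace(bad, good)
    return out


def lookalike_of(domain: str):
    """Return the legitimate domain this one imitates, or None if it is not a look-alike."""
    if domain in LEGITIMATE_DOMAINS:
        return None
    norm = normalize(domain)
    for legit in LEGITIMATE_DOMAINS:
        if norm == legit or norm == normalize(legit):
            return legit
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html: str):
    """Return a list of (href, reason) for links that show either discrepancy."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_dom = registered_domain(href)
        # Case 1: the visible text is itself a URL or domain, but for a different site.
        if "." in text and " " not in text:
            text_dom = registered_domain(text)
            if text_dom and text_dom != href_dom:
                findings.append((href, f"link text shows {text_dom} but href goes to {href_dom}"))
                continue
        # Case 2: the real target imitates a domain on the allowlist.
        legit = lookalike_of(href_dom)
        if legit:
            findings.append((href, f"{href_dom} looks like {legit}"))
    return findings


# Constructed sample message: one display/target mismatch, one look-alike, two benign links.
SAMPLE_EMAIL = """
<p>Your statement is ready. Log in at
<a href="http://examp1ebank.com/login">www.examplebank.com</a> or
<a href="http://examplebank.com/statements">view statement</a>.</p>
<p>Patients can reach the <a href="https://exarnplehealth.org/portal">patient portal</a>
or <a href="https://secure-update.example.net/verify">verify your account</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Running the script against the sample body reports the first and third links and stays quiet on the other two. A production filter would replace the two-label `registered_domain` shortcut with a public-suffix list and extend the substitution table with homoglyph handling, but the two checks shown are the same ones users are asked to perform by eye.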
What is staggering are the studies that show just how vulnerable systems are. According to CSOonline.com (a security and risk management news site), 93% of phishing emails carry encrypting ransomware and only 42% of victims were able to recover their data. Security software companies like PhishMe and Barkly have released reports and other studies on the threat of ransomware.
Here are some examples of recent attacks:
- MedStar Health, Washington, DC: ePHI was held in exchange for payment in Bitcoin (approximately $19,000). The organization’s patient records and administrative and ancillary systems were down for some time, resulting in patients being turned away.
- Hollywood Presbyterian Medical Center, Los Angeles, CA: The organization agreed to pay $17,000 in bitcoin to bring its systems back online.
- Prime Healthcare Services Inc., California: Two of the health system’s hospitals were attacked. The organization was able to get its systems up and running before having to pay ransom.
- Methodist Hospital, Henderson, Kentucky: The organization was attacked and systems were inoperable for 5 days. The hospital declared an internal state of emergency as it reviewed how many patient records were affected. No money was given to the attackers.
- University of Washington Medicine (UWM): The ePHI of approximately 90,000 patients was accessed after an employee downloaded a malicious email attachment. While the attack did not involve encryption or ransomware, the OCR swiftly took note and fined the organization $750,000.
Preventive measures, HHS guidance and our recommendations
As mentioned above, HHS released a guidance/fact sheet on HIPAA and ransomware. Here are several preventive measures, immediate key actions and recommendations drawn from the guidance and our client experiences:
- Employ a Chief Information/Security Officer and provide them with the tools they need to execute on preventive measures
- Conduct regular and frequent inventories to understand what assets/systems need protection, if they are secured and their ability to respond quickly to attacks
- Include the inventory as part of a larger security and privacy risk assessment. As part of the assessment include a gap analysis of where the organization stands on policies, auditing and monitoring of systems, emergency plans and IT resources
- Ensure privacy and risk assessments are included in Enterprise Risk Assessments
- Develop and execute robust processes and systems that detect and respond quickly and efficiently to attacks
- Similarly, develop post-incident plans that quickly address how and why the breach occurred
- Include security and privacy training in the annual mandatory trainings, covering how to detect phishing emails, unsecured websites and other fake popups/calls to action
- Ensure IT staff are trained on and current with the latest updates and are adequately equipped to handle an attack
- Develop downtime procedures specific for a malware-enabled system shutdown