A kidnapping and ransom scheme—as if taken from a pirate movie—is playing out at businesses every day, but with a high-tech twist. As an employee tries to access a computer file, an on-screen message states that all the files in that folder have been encrypted (kidnapped). The data will only be released if the pirate responsible receives thousands of dollars in bitcoins (the ransom) within 96 hours. This sort of data breach, known as ransomware, is becoming increasingly ubiquitous.
While this scenario can wreak havoc on any business’ productivity, if those encrypted files are an O&P practice’s electronic medical records (EMRs) containing patient health information (PHI), there is an added dilemma since the practice is subject to the privacy laws enacted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
“Ransomware, in particular, is a unique kind of attack because, at least with the common variance, you’re not talking about the actual exfiltration or stealing of data—you are talking about disrupting availability of data,” says Daniel Nelson, C|EH, CIPP/US, a Denver-based commercial litigator and privacy and data security lawyer with Armstrong Teasdale. “From a regulatory perspective, that is still considered to be a breach event [under HIPAA], which can be reportable and have all the other features that go with the data breach event, but…it attacks the availability of the data as opposed to…the confidentiality of the data.”
Healthcare Is in the Crosshairs
Medical records—whether held for ransom, or hacked and sold—have become a hot commodity, with money as the motivating factor.
According to global cybersecurity firm NTT Security, with U.S. headquarters in Bloomfield, Connecticut, healthcare providers are targeted because they choose patient care over cybersecurity; the healthcare industry offers an ever-increasing attack surface, especially as more medical devices and machines require network integration; and the stolen data is profitable, fetching $40-$50 per healthcare record.
“If you look at the average record set of a healthcare facility, it contains an awful lot of personally identifiable information, sensitive information about individuals,” including the patient’s name, billing information, date of birth, social security number, medical insurance information, and diagnostic codes or treatments, says Nelson, who is among the few U.S. attorneys to hold the title of Certified Ethical Hacker (C|EH). He says the sensitive nature of the information creates opportunities for extortion, finance-related identity theft, and obtaining medical care or prescriptions with somebody else’s medical information.
While a compromised credit card can be discovered rather quickly and cancelled, the effects of medical identity theft can be long-lasting, making the data more valuable on the black market. For example, it might take someone years, and the receipt of collection notices due to unpaid fraudulent medical claims, to discover his or her medical information was breached.
Is Ransomware a Reportable Breach Under HIPAA?
If your work computer or the practice’s computer system is hacked and the data is sold or distributed, then it is a reportable breach under HIPAA—never mind the fact that the electronic protected health information (ePHI) should have been encrypted by the practice as mandated by HIPAA. But what if that data is made inaccessible to you with a ransomware attack?
The presence of ransomware in your practice’s computer system is considered a security incident, defined by HIPAA as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” However, whether it is a breach is an altogether different determination.
In July, the U.S. Department of Health and Human Services’ (HHS’) Office for Civil Rights (OCR) issued a fact sheet that states, “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule”—unless the covered entity can demonstrate that there is a “low probability that PHI has been compromised.” The onus is on the covered entity to demonstrate this low probability, which requires the completion of a risk assessment that considers the following four factors at a minimum:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
En Garde: Take the Offensive
Given the pervasiveness of ransomware and its growing threat to healthcare entities, it might seem that it’s not a matter of if, but when, your O&P practice will be affected.
“You have to assume it’s going to happen,” says Dustin Bastin, CEO of Elevated Computer Specialists, Colorado Springs, Colorado, a managed services provider.
While our experts agree that no technical safeguards are 100 percent effective, there are steps you can take to minimize your risk.
Bastin uses a layered security approach, starting with firewall software with intrusion prevention and detection. For one client, he uses a SonicWALL firewall that is situated at the client’s network gateway. “It can recognize malicious activity, it can block it, and it can notify me if something is happening,” he explains, adding that as a managed service provider he remotely and proactively manages his clients’ IT systems.
There are two types of software restriction policies, Bastin explains. A blacklist policy blocks the specific location on a computer from which a ransomware program, such as CryptoLocker, is known to run. However, signatures of ransomware files are constantly being changed, so maintaining a blacklist policy becomes a reactionary effort. For this reason, Bastin uses a whitelist policy that only permits identified programs to run on a computer. “The end result is you can’t have a program running that you don’t know about,” he says.
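To make the difference between the two policy types concrete, here is an added example (not code from the article or from any vendor it names): a toy evaluation of a blocklist policy, which denies known-bad launch locations, against an allowlist policy, which permits only known programs identified by path and hash. It runs over constructed program-launch events; every path, file content and name is hypothetical, and a real allowlist would typically use signed publishers or full file hashes rather than stand-in byte strings.

```python
"""Added example, not from the article or from any vendor it names: a toy
evaluation of a blocklist policy (deny known-bad launch locations) against an
allowlist policy (permit only known programs by path and hash), run over
constructed program-launch events. Paths, file contents and names are
hypothetical."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Launch:
    label: str       # short name for the event, used in the results
    path: str        # location the executable was started from
    content: bytes   # the executable's bytes (constructed stand-ins)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Blocklist: locations a known ransomware family has been seen to run from.
# Anything launched from anywhere else is permitted by default.
BLOCKED_PREFIXES = (
    r"C:\Users\alice\AppData\Local\Temp",
    r"C:\Users\alice\AppData\Roaming",
)


def blocklist_allows(ev: Launch) -> bool:
    return not ev.path.startswith(BLOCKED_PREFIXES)


# Allowlist: the only programs permitted, identified by path AND hash, so a
# file dropped in a new directory or swapped in place at a trusted path is
# denied. Hashes here are of constructed placeholder bytes.
ALLOWED = {
    r"C:\Program Files\EMR\emr.exe": sha256(b"emr-build-1"),
    r"C:\Program Files\Microsoft Office\WINWORD.EXE": sha256(b"winword-build-1"),
}


def allowlist_allows(ev: Launch) -> bool:
    expected = ALLOWED.get(ev.path)
    return expected is not None and expected == sha256(ev.content)


# Constructed events, including the case the article describes: the same
# malware relocated (and rebuilt) once its known location is blocked.
EVENTS = [
    Launch("emr", r"C:\Program Files\EMR\emr.exe", b"emr-build-1"),
    Launch("word", r"C:\Program Files\Microsoft Office\WINWORD.EXE", b"winword-build-1"),
    Launch("locker-temp", r"C:\Users\alice\AppData\Local\Temp\locker.exe", b"locker-v1"),
    Launch("locker-moved", r"C:\ProgramData\Updater\locker.exe", b"locker-v2"),
    Launch("emr-replaced", r"C:\Program Files\EMR\emr.exe", b"not-the-real-emr"),
]


def evaluate(events=EVENTS) -> dict:
    """Return, for each policy, the labels of the events it would let run."""
    return {
        "blocklist": [e.label for e in events if blocklist_allows(e)],
        "allowlist": [e.label for e in events if allowlist_allows(e)],
    }


if __name__ == "__main__":
    for policy, allowed in evaluate().items():
        print(f"{policy}: allows {allowed}")
```

The blocklist stops only the launch from the location it already knows about; the relocated copy and the tampered binary at the trusted path both run. The allowlist permits exactly the two known programs and nothing else, which is the property Bastin describes. In practice a defender would also log every denied launch, since a denial from an unexpected path is itself an early indicator worth investigating.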
There are also basic security settings a business can implement, such as computer and server lockouts after three failed password attempts and a strong password enforcement policy with length and character requirements. Because new ransomware signatures are being created every day, your antivirus program is only as good as its latest update, cautions James Cannady, PhD, a professor of information assurance in Nova Southeastern University’s College of Engineering and Computing, and a ransomware expert. “You want to have the most current version of an antivirus software on any of the systems that might be exposed.” In hospitals and healthcare practices, there are often machines other than computers, such as mobile devices, that can receive data and downloads, and they need to be protected as well, he says.
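The lockout and password rules above are usually set in the operating system or directory service rather than written by hand, but a small simulation shows what they actually do to a sequence of logins. This is an added example, not code from the article or from any product it names; the three-failure threshold and the length and character-class requirements follow the text, while the 30-minute lockout duration, the log-line format and the user names are assumptions.

```python
"""Added example, not from the article: a simulation of two of the "basic
security settings" it mentions, a password complexity rule and an account
lockout after three failed attempts, run over constructed authentication log
lines. The 30-minute lockout, log format and user names are assumptions."""
from datetime import datetime, timedelta
import re

MAX_FAILURES = 3                    # lock on the third consecutive failure
LOCKOUT = timedelta(minutes=30)     # assumed lock duration
MIN_LENGTH = 12                     # assumed minimum length


def password_meets_policy(pw: str) -> bool:
    """Length plus upper, lower, digit and symbol classes; all are required."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= MIN_LENGTH and all(re.search(c, pw) for c in classes)


# Constructed log: three wrong passwords, then the right one seconds later,
# another user's normal login, and the first user again 40 minutes on.
LOG = """\
2016-09-12T08:01:13 user=jdoe result=FAIL
2016-09-12T08:01:20 user=jdoe result=FAIL
2016-09-12T08:01:27 user=jdoe result=FAIL
2016-09-12T08:01:33 user=jdoe result=OK
2016-09-12T08:05:00 user=mlee result=OK
2016-09-12T08:40:02 user=jdoe result=OK
"""

LINE = re.compile(r"^(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(log: str):
    """Yield (timestamp, user, credentials_correct) for each log line."""
    for raw in log.strip().splitlines():
        m = LINE.match(raw)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3) == "OK"


def apply_lockout(log: str):
    """Return [(user, outcome)] where outcome is ok, fail, lockout or locked."""
    failures = {}       # user -> consecutive failures so far
    locked_until = {}   # user -> time the lock expires
    outcomes = []
    for ts, user, creds_ok in parse(log):
        if user in locked_until and ts < locked_until[user]:
            # A locked account rejects the attempt even with correct credentials.
            outcomes.append((user, "locked"))
            continue
        if user in locked_until:            # lock has expired: start clean
            del locked_until[user]
            failures[user] = 0
        if creds_ok:
            failures[user] = 0
            outcomes.append((user, "ok"))
        else:
            failures[user] = failures.get(user, 0) + 1
            if failures[user] >= MAX_FAILURES:
                locked_until[user] = ts + LOCKOUT
                outcomes.append((user, "lockout"))
            else:
                outcomes.append((user, "fail"))
    return outcomes


if __name__ == "__main__":
    for user, outcome in apply_lockout(LOG):
        print(user, outcome)
    print(password_meets_policy("Correct-Horse-9"), password_meets_policy("password"))
```

The fourth line is the interesting one: the correct password arrives while the account is locked and is rejected, which is exactly what blunts password guessing. The same logic, pointed at real logs, also makes a burst of "lockout" outcomes across many users an easy thing to alert on.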
Nelson suggests that practices have a frank discussion about technical safeguards with their IT groups. “Ask them point-blank, ‘What protections do we have in place…if ransomware should hit?’ It’s never 100 percent comfortable, but they should be comfortable [enough that] there is an answer to that question,” he says. If the answer is unsatisfactory, the practice needs to keep asking until the IT group implements solutions and they get comfortable, he says.
Practices should also make sure the vendors to whom they submit ePHI or who have access to them are HIPAA compliant and taking appropriate safeguards against cybersecurity threats of any kind, says Bastin. “Whoever you do business with, they must sign a BAA [business associate agreement]… saying they are doing their part and everything is secure on their end.” “Hackers will go for what is easy,” he adds. “But if you make it difficult enough, they are going to move on to the next person, unless they think you have something really juicy they want to get ahold of. The aim of the game is to make it as difficult as possible to get into your computer system.”
The Best Defense Is Education—and Good Backup
The number one defense to avoid becoming the victim of a ransomware attack is education, say our experts. O&P practices should train their staff on cybersecurity awareness and have policies regarding computer usage, software installation, and websites to avoid.
“Train your users on how to avoid e-mail phishing attacks, [and to] recognize there are risks out there on the internet—depending on what website you might visit, you might download the malware that causes ransomware attacks,” says Nelson. “Incorporate ransomware training into training materials for users—the employees and such—so they understand what this attack is, why it can be so devastating, how it relates to e-mails they might receive, or links they might click on—all the different pieces that go into a good phishing awareness training so that you are armoring or hardening your users a little bit and maybe avoiding some of the attacks by more informed and more security-conscious users.”
Bastin concurs, “Education is the number one defense against this. It’s recognizing if something looks fishy or not.” Things to be cautious about include e-mails with attachments from unknown senders, an attachment to an e-mail that is in an outdated version of Word, a .zip file attached to an e-mail, and even pop-up advertisements. “If you have any shred of doubt, send the [questionable e-mail] to the tech guy, or call the person who sent you the e-mail. That ten seconds of calling somebody and double checking to make sure it is legit can save hours.”
However, to err is human, and regardless of the measures you might put in place, ransomware is still difficult to guard against because these criminals are intelligent, Cannady says. Thus, our experts say the number two line of defense is to have a top-notch backup system.
“Anyone who has any data of any value on a computer system needs to be performing regular backups,” says Cannady. “This also requires that the backup be somewhere besides on your computer….”
For instance, Cannady has a portable hard drive that holds one terabyte of data. He connects it to his computer at the end of each day, saves his work to it, and then disconnects it from his computer before leaving. This solution will allow him to reformat his computer and start again with all his data in the event of an attack, potentially eliminating data loss.
Bastin has installed a business continuity device on a client’s computer server that takes an hourly snapshot of the data on the server, he says. These devices are available at varying price points, and can even be located offsite. “I keep 12 daily, seven weekly, a couple of monthly, and one yearly backup….” If the client accidentally deletes a file, or experiences a total failure or encryption of the server, Bastin can restore individual files or create a virtual machine of the server and get the client up and running without a significant loss of data or time.
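The retention schedule Bastin describes (12 daily, seven weekly, a couple of monthly, one yearly) is a common grandfather-father-son rotation, and the rule for deciding which hourly snapshots survive is short enough to show in full. The following is an added example, not code from the article or from the device Bastin uses; it assumes the rule "keep the last snapshot of each period for the N most recent periods", takes "a couple of monthly" as two, and constructs its own hourly snapshot timestamps. It also shows the question that matters after an encryption event: which kept snapshot is the newest one taken before the infection.

```python
"""Added example, not from the article or any backup product: a
grandfather-father-son retention rule applied to constructed hourly snapshot
timestamps, plus a helper that picks the newest retained snapshot taken
before a given infection time. Counts follow the article (monthly taken as
two); the "last snapshot of each period" rule is an assumption."""
from datetime import datetime, timedelta


def retain(snapshots, daily=12, weekly=7, monthly=2, yearly=1):
    """Return the set of snapshots to keep under the rotation rule."""
    snaps = sorted(snapshots)
    # Each tier groups snapshots into a calendar period; within a period the
    # latest snapshot represents it, and only the most recent N periods count.
    tiers = (
        (lambda dt: dt.date(), daily),
        (lambda dt: tuple(dt.isocalendar()[:2]), weekly),   # (ISO year, ISO week)
        (lambda dt: (dt.year, dt.month), monthly),
        (lambda dt: dt.year, yearly),
    )
    keep = set()
    for key, count in tiers:
        latest = {}
        for s in snaps:          # ascending order, so the last write wins
            latest[key(s)] = s
        for k in sorted(latest, reverse=True)[:count]:
            keep.add(latest[k])
    return keep


def prune(snapshots):
    """Snapshots the rotation would delete (everything not retained)."""
    return set(snapshots) - retain(snapshots)


def newest_clean(kept, infected_at):
    """Newest retained snapshot strictly before the infection time, or None."""
    candidates = [s for s in kept if s < infected_at]
    return max(candidates) if candidates else None


# Constructed input: one snapshot per hour from 2015-08-01 00:00 through
# 2016-09-30 23:00, about fourteen months of hourly data.
START = datetime(2015, 8, 1, 0)
END = datetime(2016, 9, 30, 23)
SNAPSHOTS = [START + timedelta(hours=h)
             for h in range(int((END - START).total_seconds() // 3600) + 1)]


if __name__ == "__main__":
    kept = retain(SNAPSHOTS)
    print(f"{len(SNAPSHOTS)} hourly snapshots -> {len(kept)} kept")
    for s in sorted(kept):
        print(s)
    print("restore from:", newest_clean(kept, datetime(2016, 9, 30, 10)))
```

On this input the rule keeps 18 snapshots: the 23:00 snapshot of each of the last 12 days, five more Sunday-night snapshots for the weeks before that, and the 31 August snapshot as the second monthly; the single yearly slot is already covered by the newest snapshot. If encryption were discovered at 10:00 on 30 September, the newest clean restore point would be the 29 September 23:00 snapshot. Note that a retained snapshot is only useful if it sits where the ransomware cannot reach it, which is why both experts insist the copy live somewhere other than the affected machine.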
Backing up data to the cloud is another alternative, and one he recommends to healthcare clients, but it is still not 100 percent foolproof, Bastin says.
Have a Plan of Attack
“The reality of the world is that we are all interconnected, we are all networked…. The convenience and ease and efficiency provided by electronic records is clearly evident, but it also introduces vulnerability,” Cannady says.
Prior planning in the form of a business continuity plan and a data breach incident response plan, both of which are required under HIPAA administrative safeguards, according to Nelson, can help an O&P practice when data is compromised. While a detailed explanation is outside the scope of this article, several considerations follow, and there are many resources on the internet to guide you in preparing both types of plans.
Nelson likens a data breach incident response plan to a strategy firefighters might have when approaching a building fire. There needs to be a command and reporting structure, executable steps, and assigned tasks. “Have a plan in place before the incident that details things like command structure, decision makers, who your outside vendors are, and how to get ahold of them quickly. [Other things to consider include] what types of events might be considered an incident, which ones might need to get reported out, which ones might need to be reported up if you have a board of directors, things like that,” he says.
If a ransomware attack is discovered while in process, Nelson says it is one of the few instances in which he would advise his client to power the computer down to stop the attack, and then see what data can be saved. If the ransomware attack is discovered after the encryption has been completed, he would advise the client to leave the computer turned on. Either way, the computer should be isolated from the rest of the network. “Ideally, you would get somebody from legal onsite quickly to help supervise and to start to provide counsel…, get somebody from IT forensics onsite quickly to determine the problem.”
Bastin warns against an unschooled person deleting the ransomware files because that person may also unknowingly delete the key that could unlock the encrypted data—as a client of his did—making it that much more difficult for the files to be salvaged.
Additionally, you might want to advise law enforcement if you are the victim of ransomware, Nelson says. The Federal Bureau of Investigation (FBI) urges victims to report cyberattacks to their local FBI office and/or file a complaint with its Internet Crime Complaint Center at www.ic3.gov. While it is cost- and resource-prohibitive for every cyberattack to be investigated, law enforcement has been successful in obtaining keys to unlock many ransomware variants, which might also be of aid in your particular case.
As for paying ransom, the FBI discourages it because paying the ransom does not guarantee the files will be unlocked, and it encourages the nefarious behavior.
Nelson says in these cases he advises his clients of their options but does not provide a recommendation one way or the other. It’s a business decision that depends on the client’s unique situation. Is there a backup or did the backup fail? Does the business need that mission-critical data to keep operating? “People may feel as if they have no choice in the matter but to pay the ransom, to keep the business going, and serve their customers, patients, [or] clients,” he adds.
“At the end of the day, the gem is planning,” Cannady says. “Let’s not only have a plan for what we do if this happens, let’s have a plan for educating our users so they are smart when they are on our computers. Let’s have a plan for what types of software we are going to have, how they are going to be installed, how often they are updated, [and] who is responsible for that…. Knowing that your data is still secure, that you have a copy of it, that you’ve encrypted it so the bad guys can’t read it…. That’s really all anybody can do. And it really solves most of the problems.”
Laura Fonda Hochnadel can be reached at .