When practices think of a HIPAA breach or violation, they are usually thinking of their own practice. However, practices often make use of third party companies like billing services who perform work on behalf of the practice. These companies will often have access to, or will handle, patient information. When one of these companies is breached, it will have a ripple effect that will make its way back to the practice that hired them. Billing service breaches are especially dangerous because most services aren’t aware of their obligations under HIPAA and also don’t take measures to protect their data. In this week’s case study, we see exactly that. A billing service was hit with a common strain of ransomware that led to several practices being affected.
In December 2018, Doctor’s Management Service, Inc. (DMS) found that their network had been infected with ransomware. This ransomware prevented them from having access to their data. DMS is a Massachusetts based medical billing service that provides billing and other services to physicians.
DMS performed an internal investigation and found that the ransomware used was GandCrab. GandCrab and its many variants have been used to attack practices and other businesses around the world.
DMS restored the infected data from their backups and did not pay the ransom that was demanded.
However, the investigation also discovered another breach. The individual, or group, who had launched the ransomware attack had actually breached their network back in April of 2017. The breach happened as a result of a compromised Remote Desktop Protocol (RDP) account. The attacker was able to crack the account’s password and gain access.
What was the result?
The hacker had access to DMS’s network for more than 18 months. While DMS stated that there is no evidence that any data was actually removed or accessed, how can they be sure? They weren’t able to detect the attack in 18 months, so it seems unlikely that they would be able to determine that data wasn’t copied.
The breach has been reported to HHS.
DMS sent out a notification letter to their customers. In total, almost 40 practices were affected. The notification letter didn’t give a number of patients that were impacted. However, according to the OCR Breach Portal, the total number reported was 206,695.
This is why billing service breaches can be so serious. A single entity, such as a billing service, has access to numerous patient databases.
Billing service breaches can cause widespread damage
Billing services, by the nature of their work, have access to the data of many medical practices. In addition, many may not have the staffing or budget to implement the necessary security controls prescribed under HIPAA.
In the case of DMS, the attacker gained access by cracking the password of a remote user’s account. This means the remote access was set up to allow direct access to the server from the Internet. In addition, it means that no one was monitoring the log files on that computer. When an attacker cracks a password, there will be many failed login attempts recorded on that computer. This is a dead giveaway that an attack is underway.
This is a very bad configuration for security. Remote access should always be through a VPN connection and not directly to the server itself. Furthermore, the logs for these devices must be monitored for failed login attempts. HIPAA compliance requires active monitoring.
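The “dead giveaway” described above, a burst of failed logins followed by a success, is straightforward to detect automatically. The following is an added example, not code from the original post or from DMS; it runs over a few constructed log lines in a simplified format (timestamp, event ID, account, source IP) loosely modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon). The sample data, the five-failures-in-ten-minutes threshold, and the function names are all assumptions chosen for illustration.

```python
"""Flag password-guessing against remote logons from constructed sample events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|event_id|account|source_ip".
# Not real DMS data; it exists only to exercise the detector.
SAMPLE_LOG = """\
2017-04-02 01:14:03|4625|billing01|203.0.113.7
2017-04-02 01:14:05|4625|billing01|203.0.113.7
2017-04-02 01:14:08|4625|billing01|203.0.113.7
2017-04-02 01:14:10|4625|billing01|203.0.113.7
2017-04-02 01:14:12|4625|billing01|203.0.113.7
2017-04-02 01:14:15|4625|billing01|203.0.113.7
2017-04-02 01:14:19|4624|billing01|203.0.113.7
2017-04-02 09:02:41|4625|jsmith|192.0.2.20
2017-04-02 09:02:55|4624|jsmith|192.0.2.20
"""

FAILED_LOGON = 4625    # Windows Security event ID for a failed logon
SUCCESS_LOGON = 4624   # Windows Security event ID for a successful logon


def parse_line(line):
    """Split one sample line into (timestamp, event_id, account, source_ip)."""
    ts, event_id, account, source = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account, source


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alerts.

    BRUTE_FORCE: a source IP reached `threshold` failed logons within `window`.
    SUCCESS_AFTER_BRUTE_FORCE: a successful logon from a source that had
    already tripped the threshold, i.e. the guessing likely worked.
    Each alert is (kind, source_ip, account, failure_count).
    """
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    flagged = set()                # sources already reported for brute force
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event_id, account, source = parse_line(raw)
        if event_id == FAILED_LOGON:
            recent = failures[source]
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and source not in flagged:
                flagged.add(source)
                alerts.append(("BRUTE_FORCE", source, account, len(recent)))
        elif event_id == SUCCESS_LOGON and source in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", source, account,
                           len(failures[source])))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

On the sample above, the single failure by jsmith produces nothing, while the run from 203.0.113.7 produces a brute-force alert at the fifth failure and a second, higher-severity alert when the same source then logs in successfully. A real deployment would read the Security event log rather than a string, but the window-and-threshold logic is the same, and the second alert type is the one worth paging someone for.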
How can billing service breaches be prevented?
Under HIPAA regulations, billing services are really no different than any other entity. They are considered Business Associates and must comply with the HIPAA Privacy, Security, and Breach Notification Rules. This means that they must also perform a Risk Assessment and resolve any issues it uncovers.
From there, Business Associates must train their staff on how to handle patient information correctly and securely. In addition, they must perform security awareness training to keep their staff up to date on possible threats such as malware and phishing.
Business Associates should also keep their computers up to date with the latest security patches and updates from the software manufacturer. This is crucial to keeping attackers out of your computers.
HIPAA doesn’t only pertain to hospitals and physicians. Business Associates must also comply. When entities such as billing companies don’t perform their due diligence to protect the data in their care, the damage can be widespread.