A lack of backups for any medical practice is like driving your car with no brakes. Yes, you can do it, but it is a very dangerous thing to do. Backups are your best defense against all manner of attacks or accidents in your practice. Whether you have a server failure, suffer a ransomware attack, or get hit with a hurricane, good backups can get you back up and running quickly. The real problem comes in when you believe you have a backup system that is working but, when you need it, you find out that it hasn’t been working correctly and doesn’t actually have the data that you need. In this week’s case study, that is exactly what happened. Find out all the details and learn how to make sure you have backups that you can depend on.
FABEN Obstetrics and Gynecology of Jacksonville, Florida, suffered a ransomware attack in November 2018. The ransomware encrypted all of the practice’s data, including medical records for the practice’s patients. From the investigation, it was found that the ransomware entered the practice through a malvertising campaign. This is where attackers place ads on legitimate websites that redirect users to a website hosting malware. Those pages serve up an exploit kit that is designed to compromise the visitor’s computer and then deliver the ransomware. In this case, all patient records were encrypted by the ransomware.
The ransomware that was used was the GandCrab variant. GandCrab was a very prolific variety of malware that generated millions of dollars in ransom payments over a short period of fewer than two years. Within the first quarter of 2018 alone, it infected over 50,000 systems.
What was the result?
When the ransomware was discovered, the practice deleted all of the encrypted files. This was done in an effort to prevent the malware from spreading. In the investigation, FABEN was able to determine that none of the data was actually viewed by the attacker or removed from the practice’s network. From reviewing the infected data, the practice was able to determine that it affected patients seen between January 2007 and April 2017.
FABEN attempted to restore the data from their backups; however, during the process, they found that data from September 2014 to April 10, 2017, was unrecoverable. From FABEN’s press release:
“These files include, but are not limited to, blood sugar logs, blood pressure logs, Family and Medical Leave Act documentation, and medical records that patients provided to FABEN in paper form during the aforementioned period of time.”
You can read the release here.
It seems the backup system hadn’t performed correctly for the data that was missing. A bigger concern is that the backup wasn’t monitored to know this before the attack occurred.
Lack of backups will cost you dearly
In the past, practices could be excused for not having a good backup system in place. The most you were likely to lose were emails, some documents, and that’s about it. However, with the advent of the EMR, all patient records have moved to digital format. At this point, there is no excuse for not having a good backup system. In fact, it is negligence not to. HIPAA ramifications aside, practices are risking their patients’ health and the practice’s survivability by not protecting data.
Addressing the HIPAA side, let’s look at what is required under the law.
All Covered Entities and Business Associates must back up data in a secure manner that allows for “retrievable exact copies of electronic protected health information” (CFR 164.308(7)(ii)(A)).
The data must be recoverable. This means that the backup must allow you to make use of the data when needed. You must be able to fully “restore any loss of data” (CFR 164.308(7)(ii)(B)).
Your data must be backed up often. This is required by the HIPAA Security Rule (CFR 164.308(a)).
A copy of your data must be stored offsite. This is also required by the HIPAA Security Rule (CFR 164.308(a)).
Avoiding a disaster with a good backup system
In this article, we aren’t going to focus on developing a backup system for your practice. You can read about that here. What we will discuss is maintaining and testing your system to ensure it is ready if you need it.
From what has been reported, it appears that FABEN’s failure was in ensuring that all of their data was being backed up correctly and frequently. By the description of the attack, it appears that the backup status hadn’t been checked for quite a long time. This is easy to do for small practices because backups seem like they are plug and play: you plug them in and they just work. However, there are many things that can cause a backup to fail: a job that silently stops running, a destination that fills up or goes offline, a folder or database that was never added to the job, or a copy that completes but is corrupt. Usually, backup software will send alerts, but if no one is monitoring these alerts, then they aren’t helpful. It is critical that you have someone, either at your practice or at your IT support service, monitor your backups to ensure that they are performing as expected.
In addition, once or twice per year, it is a best practice that you perform a full restore using your backup data to ensure that it will recover your practice in the event of an emergency. Think of it as a fire drill for your data. Again, if your backup system can’t do this, what is the point of having it at all? It will only give you a false sense of security and then let you down when you need it most.
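The monitoring and the restore drill described above can be reduced to three questions that can be checked automatically: did the last backup run recently, does the backup set cover every period of records the live system holds (the kind of multi-year hole FABEN discovered only after the attack), and does a restored copy match what was backed up byte for byte? The script below is an added example, not code from FABEN or from any backup product. It assumes the backup software can export the timestamp of its last successful job, the list of record dates it holds, and a manifest of SHA-256 digests captured at backup time; the inputs here are constructed sample data standing in for those exports.

```python
"""Three checks a practice (or its IT support) can run against a backup
system: freshness, coverage of the record history, and a restore drill.

Added example, not code from FABEN or from any backup product. It assumes
the backup software can export (a) the timestamp of the last successful job,
(b) the list of record dates it holds, and (c) a manifest of SHA-256 digests
captured at backup time. All inputs below are constructed sample data.
"""
import hashlib
from datetime import date, datetime, timedelta

# --- Constructed sample inputs ----------------------------------------------
# Record months in the live EMR: one entry per month, Jan 2007 .. Dec 2017.
LIVE_RECORD_MONTHS = [date(2007 + i // 12, i % 12 + 1, 1) for i in range(12 * 11)]

# What the backup set actually holds: the job silently skipped Sep 2014 .. Apr 2017.
BACKED_UP_MONTHS = [d for d in LIVE_RECORD_MONTHS
                    if not (date(2014, 9, 1) <= d <= date(2017, 4, 1))]

# Timestamp of the last job the backup software reports as successful (constructed).
LAST_SUCCESSFUL_RUN = "2018-12-31T23:10:00"

# Files as they exist on the live system (constructed placeholder contents).
SOURCE_FILES = {
    "records/2016-03/bp_log.csv": b"date,systolic,diastolic\n2016-03-02,128,82\n",
    "records/2016-03/glucose_log.csv": b"date,mg_dl\n2016-03-02,104\n",
    "records/2016-03/referral.pdf": b"%PDF-1.4 placeholder\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Digests the backup job recorded when it copied the files.
MANIFEST = {path: sha256_hex(content) for path, content in SOURCE_FILES.items()}

# What the restore drill produced: one file intact, one truncated, one missing.
RESTORED_FILES = {
    "records/2016-03/bp_log.csv": SOURCE_FILES["records/2016-03/bp_log.csv"],
    "records/2016-03/glucose_log.csv": b"date,mg_dl\n",
}


# --- Check 1: is the most recent successful backup recent enough? ------------
def backup_is_fresh(last_success_iso: str, now_iso: str, max_age_hours: int = 24) -> bool:
    """True if the last successful job is within the allowed age (your RPO)."""
    last_success = datetime.fromisoformat(last_success_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_success <= timedelta(hours=max_age_hours)


# --- Check 2: does the backup cover every record date the live system has? ---
def find_coverage_gaps(live_dates, backed_up_dates):
    """Return (first_missing, last_missing) ranges of live record dates that
    are absent from the backup set. An empty list means full coverage."""
    present = set(backed_up_dates)
    gaps, start, last = [], None, None
    for d in sorted(live_dates):
        if d in present:
            if start is not None:      # a run of missing dates just ended
                gaps.append((start, last))
                start = None
        elif start is None:            # first missing date of a new run
            start = last = d
        else:                          # run of missing dates continues
            last = d
    if start is not None:
        gaps.append((start, last))
    return gaps


# --- Check 3: did the restore drill bring back exact copies? ----------------
def verify_restore(manifest, restored_files):
    """Compare restored bytes against the digests recorded at backup time.
    Returns the sorted paths that are missing or whose contents differ."""
    bad = []
    for path, expected in manifest.items():
        data = restored_files.get(path)
        if data is None or sha256_hex(data) != expected:
            bad.append(path)
    return sorted(bad)


def run_health_check(now_iso: str) -> dict:
    """Run all three checks and return {'ok': bool, 'findings': [str, ...]}."""
    findings = []
    if not backup_is_fresh(LAST_SUCCESSFUL_RUN, now_iso):
        findings.append(f"stale: last successful backup was {LAST_SUCCESSFUL_RUN}")
    for first, last in find_coverage_gaps(LIVE_RECORD_MONTHS, BACKED_UP_MONTHS):
        findings.append(f"coverage gap: records from {first} to {last} are not in the backup")
    for path in verify_restore(MANIFEST, RESTORED_FILES):
        findings.append(f"restore mismatch: {path}")
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    report = run_health_check(datetime.now().isoformat(timespec="seconds"))
    print("OK" if report["ok"] else "ATTENTION NEEDED")
    for line in report["findings"]:
        print(" -", line)
```

Run on a schedule (daily for the freshness and coverage checks, at each restore drill for the digest comparison) and route a non-empty findings list to a person who is responsible for acting on it; a silent "OK" that nobody reads is the same as no monitoring at all. The digest comparison is what distinguishes a drill that proves the backup works from one that only proves the software ran without complaining.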
Operating a practice without a reliable backup is inexcusable now. With the amount of patient data that exists only in electronic format, it is mandatory, and HIPAA requires it. Not having such a system in place is a HIPAA violation in and of itself. Make sure your practice is protected and have a reliable backup system that you test and monitor.