Case Study – Ransomware Attack Exposes 400,000 Patient Records

      Comments Off on Case Study – Ransomware Attack Exposes 400,000 Patient Records

A ransomware attack can be a frightening thing and they are increasing. This threat poses a higher danger to medical practices because of HIPAA regulations. A ransomware infection for HIPAA Covered Entities and Business Associates is usually a HIPAA breach.

Here is HHS’s official statement on the matter of ransomware and HIPAA:

Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.6
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

From this, we can determine that since ransomware encrypts, and therefore accesses, patient records, a breach has occurred.

This week’s case study will show how ransomware attacks can impact a small practice and the financial ramifications that can occur as a result.

What happened?

On January 9, 2019, Columbia Surgical Specialists (CSS) of Spokane, Washington discovered a ransomware attack on their practice network. All of their patient records were encrypted. These records included Protected Health Information (PHI) such as patient names, Social Security numbers, dates of birth, treatments, lab results, and medications.

What was the result?

The attackers made it clear that they would not release the records until the fee of $14,649.09 was paid. The payment would be made via cryptocurrency. The practice’s physician owners made the decision to pay the ransom so that they could gain access back to patient files.

The practice issued a notification letter that detailed the incident and their response.

Yes, we paid $14,649.09. We received notice from the people that encrypted the files
just a few hours before several patients were scheduled for surgeries, and they made it clear we would not have access to patient information until we paid a fee. We quickly determined that the health and well-being of our patients was the number one concern, and when we made the payment they gave us the decryption key so we could immediately proceed unlocking the data.
After paying the ransom, the practice, with the help of their IT provider, was able to decrypt the data.”

From CSS’ notification letter.

Why are ransomware attacks so much worse for practices?

HIPAA regulations make a ransomware attack a much more dangerous event for medical practices. most businesses aren’t under compliance regulations and only have to be concerned with the financial impact of such an attack. However medical practices and businesses associates have the additional burden of protecting patient data. A breach like this can lead to an official audit from HHS and possible penalties.

Other than phishing attacks, ransomware represents the largest threat to ePHI.

In the first quarter of 2019, ransomware attacks increased for businesses by 195%, according to a study by Malwarebytes. The same study revealed that attacks targeting consumers had declined by 33%. The idea is that businesses need access to their data more than consumers and are willing to pay the ransoms.

In 2018, the FBI had 1.394 ransomware complaints that led to over $3.6 million in losses. These were reports only to the IC3 and not those made to FBI field offices. This means that the actual number of attacks reported to the FBI was much higher.

How can you protect your practice from ransomware?

Security, and HIPAA compliance, is a process and not a “one and done” thing. Keeping your data safe requires a well-defined process that your practice follows.

  1. Perform a Risk Assessment to identify the threats you are likely to face.
  2. Develop a security management process that addresses these threats
  3. Develop and implement procedures that detect and prevent malicious software such as ransomware
  4. Develop a training program that teaches users how to detect attacks and also how to respond to incidents
  5. Deploy access control systems that will limit access to ePHI to those that need access to it

That’s a lot of tech speak so let’s break it down into actionable steps for you.

A Risk Assessment is absolutely necessary. This will tell you what your threats are and then you can create your policies and procedures for addressing them.

Use commercial grade anti-malware software on all computers and mobile devices on your network. This will block and contain malicious software. Examples include Webroot, Emsisoft, and Avast. Do not use free anti-malware software because they usually do not allow for real-time scanning and protection.

Implement a patch management process that ensures all computers and devices have the most current updates from Microsoft and your software vendors. This will block the holes that malicious software uses to initially infect a network.

Deploy a commercial grade firewall that has intrusion detection and prevention capabilities. These can also be configured to block malicious content and prevent users from visiting sites that can be problematic. You must also watch the logs of your firewall to ensure its working properly and to review the alerts it produces.

Make sure that all users only have the appropriate level of access to programs and data. This will help prevent malware from spreading on a network.

Finally, create a training program that addresses potential threats and instructs users on how to detect them. The training program should also have periodic follow-ups so that staff are kept abreast of new threats but also are reminded of previous training. This keeps things fresh and relevant to them.

Ransomware isn’t going away

The threat that ransomware poses isn’t going away. It’s a low risk way for cyber criminals to make money. As long as practices and businesses don’t protect themselves, this will always be a threat.

Each year, the amount of money paid for ransoms increases. Don’t be caught. Protect your practice and the data of your patients.