Avoid HIPAA breaches from ransomware attacks
Although ransomware is not a new phenomenon, a recent increase in reported attacks along with several well-publicized cases have raised the public’s awareness of the threat it poses. Ransomware, a variety of malware, can be incredibly damaging because it is designed to infect a system, find and encrypt the system’s data, and lock out users until they pay a ransom–typically in an anonymous electronic currency like bitcoin–to regain access through a decryption key.
According to a U.S. government interagency report, there have been approximately 4,000 ransomware attacks each day since the beginning of the year, up from the 1,000 daily attacks reported last year. Further, a recent analysis by managed security services provider Solutionary found that 88% of ransomware attacks during the second quarter of this year targeted healthcare entities.
"Hospitals rely on data systems not only for the survival of their business, but the survival of their patients. Because of this, the perceived value of the data becomes much greater, meaning the criminals can charge premium ransoms against their victims," says Travis Smith, senior security research engineer at Tripwire, a Portland, Oregon-based cybersecurity firm.
The variants of ransomware that exist can complicate a hospital or other healthcare provider’s response, says Doron S. Goldstein, partner and co-head of privacy, data, and cybersecurity practice at Katten Muchin Rosenman, LLP, in New York City. In addition to the typical form of ransomware that infiltrates systems and locks users out of their data unless they make some form of payment, some types can also exfiltrate a copy of the locked data to the hacker, or delete the data but make it seem as though it’s encrypted and still present-tricking the user into paying for data that is actually gone.
"In each scenario, you don’t know if there is intention to release the data if you pay or not. You may pay and still get nothing. Or you may get it back. There is no certainty to it. Some victims have gotten access back; others have not," says Goldstein, a former software developer and network administrator. "The general guidance from law enforcement, such as the FBI, is not to pay ransom. But if everything you have is locked out, you may not feel like you have a choice."
HHS guidance
In light of the increased prevalence of ransomware threats, the U.S. Department of Health and Human Services (HHS) recently released guidance to help covered entities understand the risks associated with these types of attacks and how complying with HIPAA can help identify, prevent, and recover from ransomware.
"The HHS is just reacting to what is happening in the marketplace. The sustained increase in the number of successful ransomware attacks is proof that the ransomware problem is going to get worse before it gets better. Issuing guidance is raising awareness of the issue at hand," Smith says.
The HHS guidance states that healthcare entities can better protect against ransomware by implementing security measures required by the HIPAA Security Rule. According to the guidance, these measures include limiting access to electronic protected health information (PHI) to personnel and software that require it; and conducting risk analyses to identify threats and vulnerabilities to PHI.
"You have to do the risk analysis. Ransomware is just another form of malware; it’s particularly insidious, but they all require doing the risk analysis," says Goldstein.
A big takeaway from the HHS guidance is the importance of taking appropriate actions beforehand to mitigate the potential of damage caused by ransomware, he adds. Unlike malware that simply transfers PHI without authorization, ransomware makes the PHI unavailable or destroys it altogether.
"For a healthcare provider in particular, having data exfiltrated means there’s damage to the patients, but likely not to their immediate health. Being locked out of your health data or your patients’ health data is a potential threat to the life and health of patients," he says.
HIPAA breaches
The guidance provides clarification on whether a ransomware infection constitutes a HIPAA breach. A breach under HIPAA is any acquisition, access, use, or disclosure of PHI in a manner that is not permitted under the HIPAA Privacy Rule and that compromises the PHI’s security or privacy.
Prior to the release of the HHS guidance, instances of data exposure that revealed individuals’ PHI would be considered a HIPAA breach, says Justin Jett, director of compliance and auditing at Plixer International, a Kennebunk, Maine-based security analytics company. However, at that point, one could have made the argument that ransomware wouldn’t technically be considered a breach since it encrypts data rather than exposing it.
Now, according to the new guidance, if a ransomware infection encrypts electronic PHI that was not encrypted prior to the incident, a breach has occurred. The guidance reasons that the PHI has been "acquired" because hackers have taken control or possession of it. In these cases, the hospital must then undertake a risk analysis and, when applicable, comply with the breach notification requirements and notify individuals affected, HHS, and the media.
However, if the hospital had previously (prior to the ransomware attack) encrypted the PHI in a manner that would render it unusable, unreadable, or undecipherable to an unauthorized individual, there is a possibility the ransomware attack wouldn’t be considered a breach.
"I interpret this guidance as removing the loophole of ransomware not actually looking at the data. Since malware changes over time, it’s within the realm of possibility that ransomware will target [PHI] and exfiltrate the data once found. The new guidance states that if the ransomware is unable to actually see the protected healthcare information in cleartext (not encrypted), then it is not a reportable breach," Smith says.
Even in these cases, the guidance says additional analysis would be required to determine if the PHI was sufficiently encrypted prior to the attack. Goldstein says this emphasizes the need for a risk analysis whenever there is a security incident. He further noted that HHS may have included this guidance so covered entities could not view the ransomware’s own encryption of the data as protection against that data being compromised.
"In those cases, the data is technically encrypted by virtue of the ransomware, but it’s not encrypted by the covered entity; it’s encrypted by someone else who controls that encryption. It shouldn’t be viewed as encryption for the purposes of your risk analysis," Goldstein says."
Prevention and recovery
To better prevent ransomware, Jett says all staff should be appropriately trained on email and web security as most malware and ransomware comes from those sources. Additionally, companies should invest in heightened email security solutions, like anti-spam firewalls, which will help prevent the most obvious attacks from getting to employees’ inboxes.
The HHS guidance suggests that since HIPAA requires the workforces of covered entities to receive security training on detecting and reporting malware, employees can assist with early detection of ransomware by spotting indicators of an attack. These warning signs could include unusually high activity in a computer’s CPU as the ransomware encrypts and removes files, or an inability to access files that have been encrypted, deleted, or relocated.
Even if hospitals are vigilant, ransomware attacks may still occur. Again, the guidance suggests that HIPAA compliance may help hospitals recover from ransomware attacks due to HIPAA’s mandate for frequent backups of data.
Goldstein warns, however, that some variants of ransomware can lie dormant for a period of time in order to migrate across systems, including into data backups. Many hospitals and companies keep hot backups as part of their disaster recovery plan. These backups can be automatically or manually switched on if a system goes down. If ransomware has infiltrated a backup, the backup’s data could also become compromised and encrypted by the ransomware as soon as it’s activated.
"The important thing about dealing with the impact of ransomware is that it may require additional or different protections compared to what other malware requires to avoid or mitigate its ill effects," he says.
Recent ransomware attacks
All types of malicious software attacks are on the rise,but ransomware has recently received more high-profile media coverage, says Doron S. Goldstein, partner and co-head of privacy, data, and cybersecurity practice at Katten Muchin Rosenman, LLP, in New York City. "Ransomware has certainly gotten more coverage lately because of the potential damage, and the sophistication of some of these attacks has increased," he says.
The following are a few of the recent ransomware attacks that made headlines:
Hollywood Presbyterian Medical Center: In February, this Los Angeles hospital paid hackers the equivalent of $ 17,000 in bitcoins to regain access to its computer system, according to the Los Angeles Times. The malware prevented hospital staff from accessing their system for 10 days by encrypting its files; once the hospital paid the ransom, it was given a decryption key to unlock the files. In a statement, CEO Allen Stefanek said paying the ransom was the quickest way to restore the hospital’s systems.
Chino Valley Medical Center and Desert Valley Hospital: In March, hackers targeted these southern California hospitals by infiltrating their computer systems with ransomware. A spokesman for the two hospitals, which are part of Prime Healthcare Services, Inc., said technology specialists were able to limit the attacks so both hospitals remained operational, no data was compromised, and no ransom was paid.
MedStar Health: Also in March, this Columbia, Maryland-based system was targeted with ransomware that encrypted the system’s data. According to the Baltimore Sun, the hackers demanded that MedStar pay three bitcoins, worth approximately $ 1,250, to unlock a single computer, or 45 bitcoins, the equivalent of about $ 18,500, to unlock all of its computers. MedStar refused to pay the ransom, and staff at its 10 hospitals and more than 250 outpatient centers resorted to using paper records while system access was restored.
Kansas Heart Hospital: In May, hackers infected the network system of this Wichita hospital with ransomware. According to local CBS affiliate KWCH12, the hospital paid an undisclosed portion of the ransom demanded but the hackers refused to return full access and demanded a second payment. The hospital announced that it had refused to make the second payment and would work with its IT team and external security experts to restore access to the rest of the system.