Avoid HIPAA breaches from ransomware attacks
Although ransomware is not a new phenomenon, a recent increase in reported attacks along with several well-publicized cases have raised the public’s awareness of the threat it poses. Ransomware, a variety of malware, can be incredibly damaging because it is designed to infect a system, find and encrypt the system’s data, and lock out users until they pay a ransom–typically in an anonymous electronic currency like bitcoin–to regain access through a decryption key.
According to a U.S. government interagency report, there have been approximately 4,000 ransomware attacks each day since the beginning of the year, up from the 1,000 daily attacks reported last year. Further, a recent analysis by managed security services provider Solutionary found that 88% of ransomware attacks during the second quarter of this year targeted healthcare entities.
"Hospitals rely on data systems not only for the survival of their business, but the survival of their patients. Because of this, the perceived value of the data becomes much greater, meaning the criminals can charge premium ransoms against their victims," says Travis Smith, senior security research engineer at Tripwire, a Portland, Oregon-based cybersecurity firm.
The variants of ransomware that exist can complicate a hospital or other healthcare provider’s response, says Doron S. Goldstein, partner and co-head of privacy, data, and cybersecurity practice at Katten Muchin Rosenman, LLP, in New York City. In addition to the typical form of ransomware that infiltrates systems and locks users out of their data unless they make some form of payment, some types can also exfiltrate a copy of the locked data to the hacker, or delete the data but make it seem as though it’s encrypted and still present-tricking the user into paying for data that is actually gone.
"In each scenario, you don’t know if there is intention to release the data if you pay or not. You may pay and still get nothing. Or you may get it back. There is no certainty to it. Some victims have gotten access back; others have not," says Goldstein, a former software developer and network administrator. "The general guidance from law enforcement, such as the FBI, is not to pay ransom. But if everything you have is locked out, you may not feel like you have a choice."
HHS guidance
In light of the increased prevalence of ransomware threats, the U.S. Department of Health and Human Services (HHS) recently released guidance to help covered entities understand the risks associated with these types of attacks and how complying with HIPAA can help identify, prevent, and recover from ransomware.
"The HHS is just reacting to what is happening in the marketplace. The sustained increase in the number of successful ransomware attacks is proof that the ransomware problem is going to get worse before it gets better. Issuing guidance is raising awareness of the issue at hand," Smith says.
The HHS guidance states that healthcare entities can better protect against ransomware by implementing security measures required by the HIPAA Security Rule. According to the guidance, these measures include limiting access to electronic protected health information (PHI) to personnel and software that require it; and conducting risk analyses to identify threats and vulnerabilities to PHI.
"You have to do the risk analysis. Ransomware is just another form of malware; it’s particularly insidious, but they all require doing the risk analysis," says Goldstein.
A big takeaway from the HHS guidance is the importance of taking appropriate actions beforehand to mitigate the potential of damage caused by ransomware, he adds. Unlike malware that simply transfers PHI without authorization, ransomware makes the PHI unavailable or destroys it altogether.
"For a healthcare provider in particular, having data exfiltrated means there’s damage to the patients, but likely not to their immediate health. Being locked out of your health data or your patients’ health data is a potential threat to the life and health of patients," he says.
HIPAA breaches
The guidance provides clarification on whether a ransomware infection constitutes a HIPAA breach. A breach under HIPAA is any acquisition, access, use, or disclosure of PHI in a manner that is not permitted under the HIPAA Privacy Rule and that compromises the PHI’s security or privacy.
Prior to the release of the HHS guidance, instances of data exposure that revealed individuals’ PHI would be considered a HIPAA breach, says Justin Jett, director of compliance and auditing at Plixer International, a Kennebunk, Maine-based security analytics company. However, at that point, one could have made the argument that ransomware wouldn’t technically be considered a breach since it encrypts data rather than exposing it.
Now, according to the new guidance, if a ransomware infection encrypts electronic PHI that was not encrypted prior to the incident, a breach has occurred. The guidance reasons that the PHI has been "acquired" because hackers have taken control or possession of it. In these cases, the hospital must then undertake a risk analysis and, when applicable, comply with the breach notification requirements and notify individuals affected, HHS, and the media.
However, if the hospital had previously (prior to the ransomware attack) encrypted the PHI in a manner that would render it unusable, unreadable, or undecipherable to an unauthorized individual, there is a possibility the ransomware attack wouldn’t be considered a breach.
"I interpret this guidance as removing the loophole of ransomware not actually looking at the data. Since malware changes over time, it’s within the realm of possibility that ransomware will target [PHI] and exfiltrate the data once found. The new guidance states that if the ransomware is unable to actually see the protected healthcare information in cleartext (not encrypted), then it is not a reportable breach," Smith says.
Even in these cases, the guidance says additional analysis would be required to determine if the PHI was sufficiently encrypted prior to the attack. Goldstein says this emphasizes the need for a risk analysis whenever there is a security incident. He further noted that HHS may have included this guidance so covered entities could not view the ransomware’s own encryption of the data as protection against that data being compromised.
"In those cases, the data is technically encrypted by virtue of the ransomware, but it’s not encrypted by the covered entity; it’s encrypted by someone else who controls that encryption. It shouldn’t be viewed as encryption for the purposes of your risk analysis," Goldstein says."
Prevention and recovery
To better prevent ransomware, Jett says all staff should be appropriately trained on email and web security as most malware and ransomware comes from those sources. Additionally, companies should invest in heightened email security solutions, like anti-spam firewalls, which will help prevent the most obvious attacks from getting to employees’ inboxes.
The HHS guidance suggests that since HIPAA requires the workforces of covered entities to receive security training on detecting and reporting malware, employees can assist with early detection of ransomware by spotting indicators of an attack. These warning signs could include unusually high activity in a computer’s CPU as the ransomware encrypts and removes files, or an inability to access files that have been encrypted, deleted, or relocated.
Even if hospitals are vigilant, ransomware attacks may still occur. Again, the guidance suggests that HIPAA compliance may help hospitals recover from ransomware attacks due to HIPAA’s mandate for frequent backups of data.
Goldstein warns, however, that some variants of ransomware can lie dormant for a period of time in order to migrate across systems, including into data backups. Many hospitals and companies keep hot backups as part of their disaster recovery plan. These backups can be automatically or manually switched on if a system goes down. If ransomware has infiltrated a backup, the backup’s data could also become compromised and encrypted by the ransomware as soon as it’s activated.
"The important thing about dealing with the impact of ransomware is that it may require additional or different protections compared to what other malware requires to avoid or mitigate its ill effects," he says.
Recent ransomware attacks
All types of malicious software attacks are on the rise,but ransomware has recently received more high-profile media coverage, says Doron S. Goldstein, partner and co-head of privacy, data, and cybersecurity practice at Katten Muchin Rosenman, LLP, in New York City. "Ransomware has certainly gotten more coverage lately because of the potential damage, and the sophistication of some of these attacks has increased," he says.
The following are a few of the recent ransomware attacks that made headlines:
Hollywood Presbyterian Medical Center: In February, this Los Angeles hospital paid hackers the equivalent of $ 17,000 in bitcoins to regain access to its computer system, according to the Los Angeles Times. The malware prevented hospital staff from accessing their system for 10 days by encrypting its files; once the hospital paid the ransom, it was given a decryption key to unlock the files. In a statement, CEO Allen Stefanek said paying the ransom was the quickest way to restore the hospital’s systems.
Chino Valley Medical Center and Desert Valley Hospital: In March, hackers targeted these southern California hospitals by infiltrating their computer systems with ransomware. A spokesman for the two hospitals, which are part of Prime Healthcare Services, Inc., said technology specialists were able to limit the attacks so both hospitals remained operational, no data was compromised, and no ransom was paid.
MedStar Health: Also in March, this Columbia, Maryland-based system was targeted with ransomware that encrypted the system’s data. According to the Baltimore Sun, the hackers demanded that MedStar pay three bitcoins, worth approximately $ 1,250, to unlock a single computer, or 45 bitcoins, the equivalent of about $ 18,500, to unlock all of its computers. MedStar refused to pay the ransom, and staff at its 10 hospitals and more than 250 outpatient centers resorted to using paper records while system access was restored.
Kansas Heart Hospital: In May, hackers infected the network system of this Wichita hospital with ransomware. According to local CBS affiliate KWCH12, the hospital paid an undisclosed portion of the ransom demanded but the hackers refused to return full access and demanded a second payment. The hospital announced that it had refused to make the second payment and would work with its IT team and external security experts to restore access to the rest of the system.
Exciting updates: More content, tools, and news at your fingertips!
The challenges healthcare professionals tackle each day don’t wait for solutions, and neither should you. That’s why Credentialing & Peer Review Legal Insider (CPRLI) is transitioning to a more frequent and robust publishing model this fall by combining with the Credentialing Resource Center (CRC)’s flagship publication, Credentialing Resource Center Journal (CRCJ), to create a single source for all your credentialing, privileging, peer review, and legal news, tools, and best practice strategies.
Your updated member benefits gain you access to expanded content and tools on CRC–with new resources added weekly to the website (www.credentialingresourcecenter.com). Plus, as a CRC member you gain instant access to over 300 clinical privilege white papers, core privileging forms, Medical Staff Talk, and Credentialing Resource Center Daily (CRCD), CRC’s daily e-newsletter for medical staff leaders and MSPs. If you are already a CRC member, you will continue to receive the news and analysis you’ve come to rely on, plus expanded member benefits this fall.
To help readers keep tabs on available content, we will announce new articles in CRCD. At the end of each month, we’ll roll the corresponding weekly articles into a digital issue of the newly expanded 16-page CRCJ that mirrors the current digital format. As a member of CRC, you can continue to download and print high-quality PDFs of the current issue, as well as several years of back issues of CRCJ and CPRLI, directly from CRC’s website. We’re looking forward to delivering your peer review and credentialing guidance in a timelier, efficient, and more convenient manner.
Stay tuned for additional details as we near implementation. In the meantime, feel free to contact Editor Son Hoang at [email protected] with any questions.
Case summary
Maine supreme court upholds immunity for CVO questionnaire
The Supreme Judicial Court of Maine (the "Court") upheld a superior court’s ruling granting immunity to two physicians who provided negative comments regarding a third physician when they responded to a questionnaire from a credentials verification organization (CVO).
The decision stems from a dispute where Kevin F. Strong, MD, sought damages from Rebecca M. Brakeley, MD, and Jonathan M. Bausman, MD, alleging defamation and tortious interference with his business relationship with St. Mary’s Regional Medical Center in Lewiston, Maine.
In 2013, Strong applied for staff privileges at St. Mary’s, which reached out to its contracted CVO, Synernet, to collect, verify, and dispense Strong’s credentialing information. Synernet sent professional reference questionnaires to Brakeley and Bausman, who completed and returned them. Synernet forwarded the responses to St. Mary’s, which ultimately chose to deny staff privileges to Strong. Strong subsequently filed his complaint in the superior court against Brakeley and Bausman, claiming the denial was a result of negative comments in their questionnaires.
In court, Brakeley and Bausman argued that their statements were entitled to absolute immunity pursuant to Section 2511 of the Maine Health Security Act and filed a motion for summary judgment. The superior court granted the motion, and Strong appealed.
Strong made several arguments for why Brakeley and Bausman’s statements didn’t meet the criteria for immunity, but the Court rejected his interpretation of the statute.
In its decision to affirm the superior court’s summary judgment, the Court discussed the language of Section 2511 and its three subsections, which outline the circumstances when a physician is afforded immunity from civil liability, and why Strong’s interpretation was incorrect.
Central to Strong’s argument was Subsection 3 of the statute, which states that physicians "assisting the board, authority, or committee in carrying out any of its duties or functions provided by the law" are afforded immunity. Strong argued that Synernet was not a board, authority, or committee and therefore Brakeley and Bausman were not immune. However, the Court interpreted that subsection to include professional competence committees, which the Maine Health Security Act defines to include "[e]ntities and persons, including contractors, consultants, attorneys and staff, who assist in performing professional competence review activities."
Since St. Mary’s contracted with Synernet to collect, verify, and dispense credentialing information for its competence review process, the Court concluded Synernet qualified as a professional competence committee and therefore was a board, authority, or committee pursuant to the statute.
Strong also interpreted the language of Subsection 3 to mean that it only provided protection to a physician if he or she was a member of the board, authority, or committee. The Court found this interpretation illogical as it twisted the meaning of the subsection from protecting the acts of the physician providing assistance to instead protecting the committee receiving the assistance.
Source:
Strong v. Brakeley, Docket No. And-15-260 (Me. Apr. 21, 2016).