Ransomware Paralyzing Healthcare Organizations and Forcing High HIPAA Fines
By BECKY GILLETTE
Imagine having to run a doctor's office, hospital or pharmacy with no access to your computer files. That happened to a pharmacy in Eureka Springs earlier this year when it was hit by ransomware, a type of malicious computer code designed to block access to a computer system until a ransom payment is made. It was several days before the pharmacy was able to fill prescriptions again.
Healthcare organizations such as clinics and hospitals have more to be concerned about than paying a ransom or being unable to do business while the problem is resolved. There are also the consequences of violating HIPAA regulations when confidential Electronic Health Records are breached, said Britton White of Fortified Health Security in Franklin, Tenn. Fines can range from $50 to $50,000 per violation, and a single breach can involve many violations, which is how some hospitals have ended up paying millions of dollars.
"My advice is, number one, you must have a good team in place from an IT, IT security, and compliance perspective," White said. "If your leadership doesn't care about security, HIPAA, backing up their data, and appropriating the proper funds to help secure and insulate their business operations, then they are at tremendous risk for a breach and the associated repercussions sooner rather than later. Ransomware is definitely becoming more of a problem and it is going to get worse until people in leadership start taking this seriously."
Security training and awareness are critical. Employees need to understand what e-mail phishing is. White also said it is important to back up critical data often and to keep a copy offsite, where ransomware that reaches the production network cannot encrypt it along with the originals. Make sure your data is encrypted.
People in the organization must be trained to "think before you click," avoiding hyperlinks in suspicious e-mails, social network messages and instant messages.
In addition to training components, there are technical components.
"From the technical side, you have to make sure the spam filter is where it needs to be from a security perspective," White said. "And then going back to HIPAA, there is an administrative component, as well, that, if not properly addressed, can negatively impact your organization."
When there is a breach, the organization has to demonstrate to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) that the data has not been changed, exfiltrated or removed from its network.
"The FBI recommends not paying the ransom because you don't know if you are even going to get your data back," White said. "If you do, what changes have been made? There are some digital forensics that can be done, but it depends on the technology in place to track the movement of the data. And even if you get your data back, you don't know if the perpetrator kept a copy of it. So paying the ransom offers zero guarantees."
White said a common mistake is not patching software. One version ships, and a later version is released to fix exploitable weaknesses found in it; anyone still running the earlier version keeps those weaknesses.
"If you stay on version one, you still have the exposure," White said. "When you don't patch your software, you are putting yourself and your organization at greater risk for exploits for which there are no cures."
There can be difficulties doing software updates. Perhaps a server is running a critical hospital application that can't be out of service for any period of time while it is patched. And what if the server doesn't reboot properly? How will that impact patient care?
HIPAA requires hospitals and other healthcare organizations to conduct risk assessments. That is a core offering of Fortified Health Security.
"We test administrative, physical, and technical controls, among other things, while conducting our onsite risk assessments," he said.
White regularly looks at reports from the OCR. That allows him to see what breaches have been reported and the possible ways the computer system was infiltrated.
"I did that one day and recognized a practice name I had worked with a number of years back," White said. "They had gotten hit by ransomware. Their data backup onsite was also encrypted so it couldn't be accessed. I called them and basically what happened is they were on a different EHR but used gloStream for historical purposes. In order for people to access gloStream historical data, they had to have administrative privileges. Because of that level of access, an attacker was not only able to encrypt the gloStream database, they were also able to encrypt the backup data because the backup data was stored onsite. They have to go through the breach notification process, and are potentially looking at tens of thousands of dollars to notify their patients of the breach."
White said he doesn't know how they can run their business without access to any of that historical data.
"So you are talking not only about their business survival, but more importantly, do they have any patients at risk not just from an identification perspective, but from a healthcare perspective?" he asks. "For example, if a patient is dealing with cancer or multiple chronic illnesses, how is their physician going to treat them without access to that historical data?"
White advised against granting administrative privileges, or any higher level of access than users need to accomplish their daily tasks. The problem with gloStream was that it required all users to have administrative privileges to access the database, so a single compromised user account carried enough authority to encrypt the database and the onsite backups. "For all users to have administrative privileges creates a terrible security issue," he said.
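To make the least-privilege point concrete, here is an added example contrasting the "every user is an administrator" arrangement described above with a scoped, read-only grant. It is not code from the article, from gloStream or from Fortified Health Security; it assumes a SQL Server back end (the article does not say what database engine was involved), and the database name `ehr_archive`, the Windows groups `clinic\ehr_users` and `clinic\ehr_readers`, and the service account `svc_backup` are all hypothetical.

```sql
-- Added example, not from the article. Assumes SQL Server; all names are hypothetical.

-- WEAK: the pattern the article describes. Every clinical user is a server
-- administrator, so any session opened as one of them (including malware
-- running under that account) can drop, overwrite or encrypt every database
-- on the instance, and can reach any backup path the instance can write to.
-- ALTER SERVER ROLE sysadmin ADD MEMBER [clinic\ehr_users];   -- do not do this

-- HARDENED: staff who only need historical records get a read-only role
-- scoped to the archive database and nothing else.
USE ehr_archive;
GO
CREATE LOGIN [clinic\ehr_readers] FROM WINDOWS;
CREATE USER  [clinic\ehr_readers] FOR LOGIN [clinic\ehr_readers];
CREATE ROLE ehr_history_reader;
GRANT SELECT ON SCHEMA::dbo TO ehr_history_reader;   -- read rows; no INSERT, UPDATE, DELETE, DDL
ALTER ROLE ehr_history_reader ADD MEMBER [clinic\ehr_readers];

-- Backups are taken by a separate service account that can run BACKUP but is
-- not a sysadmin, so a compromised clinical account gains no path to the
-- backups through the database server.
CREATE LOGIN svc_backup WITH PASSWORD = 'replace-with-a-managed-secret';
CREATE USER  svc_backup FOR LOGIN svc_backup;
ALTER ROLE db_backupoperator ADD MEMBER svc_backup;

-- Check: who is sysadmin on this instance? The list should be short and
-- should contain no ordinary clinical users or shared accounts.
SELECT p.name, p.type_desc
FROM sys.server_principals AS p
JOIN sys.server_role_members AS rm ON rm.member_principal_id = p.principal_id
JOIN sys.server_principals  AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';
```

The final query is the one to run first in an environment like the one White describes: if it returns every clinical login, the database is one phishing e-mail away from the outcome in the article, regardless of how good the spam filter is. Keeping the backup copies on a destination the database server and clinical workstations cannot write to is the other half of the fix, as the article's offsite-backup advice already notes.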
For more information, go online to: