Ransomware Paralyzing Healthcare Organizations and Forcing High HIPAA Fines

Imagine having to run a doctor's office, hospital or pharmacy with no access to your computer files. That happened to a pharmacy in Eureka Springs earlier this year when it was hit by ransomware, a type of malicious computer code designed to block access to a computer system until a ransom payment is made. It was several days before the pharmacy was able to fill prescriptions again.

Healthcare organizations such as clinics and hospitals have more to be concerned about than just having to pay a ransom or not being able to do business while the problem is resolved. There are also ramifications from violating HIPAA regulations by breaching confidential Electronic Health Records, said Britton White, Fortified Health Security, Franklin, Tenn. Fines can range from $50 to $50,000 per breach, with some hospitals ending up paying millions of dollars.

"My advice is, number one, you must have a good team in place from an IT, IT security, and compliance perspective," White said. "If your leadership doesn't care about security, HIPAA, backing up their data, and appropriating the proper funds to help secure and insulate their business operations, then they are at tremendous risk for a breach and the associated repercussions sooner rather than later. Ransomware is definitely becoming more of a problem and it is going to get worse until people in leadership start taking this seriously."

Security training and awareness are critical. Employees need to understand what e-mail phishing is. White also said it is important to make sure that your critical data is backed up often and offsite. Make sure your data is encrypted.

People in the organization must be trained to "think before you click" avoiding hyperlinks in suspicious emails, social network messages and instant messages.

In addition to training components, there are technical components.

"From the technical side, you have to make sure the spam filter is where it needs to be from a security perspective," White said. "And then going back to HIPAA, there is an administrative component, as well, that not properly addressed can negatively impact your organization."

When there is a breach, the organization has to prove to the U.S. Department of Health and Human Services Office of Civil Rights (OCR) that the data has not been changed, exfiltrated or removed from your network.

"The FBI recommends not paying the ransom because you don't know if you are even going to get your data back," White said. "If you do, what changes have been made? There are some digital forensics that can be done, but it depends on the technology in place to track the movement of the data. And even if you get your data back, you don't know if the perpetrator kept a copy of it. So paying the ransom offers zero guarantees."

White said a common mistake is not patching software. One version of the software comes out, and then another version is released to address exploitable weaknesses.

"If you stay on version one, you still have the exposure," White said. "When you don't patch your software, you are putting yourself and your organization at greater risk for exploits for which there are no cures."

There can be difficulties doing software updates. Perhaps software is running a critical hospital application that can't be out of service for any period of time for that server to be patched. And what if the server doesn't reboot properly? How will that impact patient care?

HIPAA requires hospitals and other healthcare organizations conduct risk assessments. That is a core offering of Fortified Health Security.

"We test administrative, physical, and technical controls, among other things, while conducing our onsite risk assessments," he said.

White regularly looks at reports from the OCR. That allows him to see what breaches have been reported and the possible ways the computer system was infiltrated.

"I did that one day and recognized a practice name I had worked with a number of years back," White said. "They had gotten hit by ransomware. Their data backup onsite was also encrypted so it couldn't be accessed. I called them and basically what happened is they were on a different EHR but used gloStream for historical purposes. In order for people to access gloStream historical data, they had to have administrative privileges. Because of that level of access, an attacker was not only able to encrypt the gloStream database, they were also able to encrypt the backup data because the backup data was stored onsite. They have to go through the breach notification process, and are potentially looking at tens of thousands of dollars to notify their patients of the breach."

White said he doesn't know how they can run their business without access to any of that historical data.

"So you are talking not only about their business survival, but more importantly, do they have any patients at risk not just from an identification perspective, but from a healthcare perspective?" he asks. "For example, if a patient is dealing with cancer or multiple chronic illnesses, how is their physician going to treat them without access to that historical data?"

White advised against providing administrative privileges or any higher level of access than what users need in order to accomplish their daily tasks. The problem with gloStream was they required all users to have administrative privileges to access the database. "For all users to have administrative privileges creates a terrible security issue," he said.

Attorney General Suggests Steps to Prevent Ransomware Attacks

It used to be computer viruses were the biggest threat to a healthcare provider's computer system. But today providers may have more to fear from ransomware, a term for malicious code that infiltrates the computer system and encrypts the data only allowing the tools to decrypt the data after a ransom is paid.

Ransomware is happening more and more, said Judd P. Deere, communications director for the Arkansas Attorney General's office.

"The Attorney General urges anyone who has become a victim to contact their office and report it," Deere said. The phone number is 501-682-2007.
The Attorney General's office offers the following advice to avoid becoming a victim:

First and foremost, be sure to back up your most important files often (multiple times a day), and offsite. Do not retain backup data connected to your network at your facility. Be certain it's copied offsite.
Personalize your anti-spam settings the right way.
Refrain from opening attachments that look suspicious.
Validate the e-mail address of the person who sent you the e-mail by ensuring the domain name doesn't have any letters switched around, that it's the correct domain name.
Think twice before clicking. Dangerous hyperlinks can be received via social networks or instant messengers, and the senders are likely to be people you trust, including your friends or colleagues. You can check a hyperlink's address by hovering over the link
Patch and keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software up-to-date.
In the event a suspicious process is spotted on your computer, instantly turn off the Internet connection (unplug your CAT 5/6 cable connection if you have one).
Keep the Windows firewall turned on and properly configured at all times.
Enhance your protection more by setting up additional firewall protection.
Adjust your security software to scan compressed or archived files, if this feature is available.
Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, Access, etc.).
Install a browser add-on to block popups since they can also pose an entry point for ransom Trojan attacks.
Use strong passwords that cannot be brute-forced by remote criminals.
Deactivate AutoPlay.
Make sure you disable file sharing.
Switch off unused wireless connections, such as Bluetooth or infrared ports.
Block known malicious Tor IP addresses.