The threat of Ransomware has grown at an enormous rate over the last few years, and many experts consider it one of the major income streams for organized cybercrime. Of all the targets for Ransomware, healthcare is one of the most profitable, and the trend will only continue as new attack software outpaces the industry's response.
How does Ransomware work?
Ransomware is malicious software that gets onto one or more of your systems, usually when a staff member clicks an attachment or link in a malicious email. Once activated, the malware systematically encrypts files with a key known only to the attacker. The intent is to bring operations to a halt and create an emergency that only the attacker can resolve: a ransom is demanded and, if it is paid, the key to decrypt the files is (supposedly) provided. Experts estimate that nearly 50% of healthcare organizations have been hit by Ransomware. The cost and disruption of an attack can be significant, and although these incidents rarely involve direct public release of PHI, the HHS Office for Civil Rights has issued guidance that the encryption of ePHI by ransomware is a breach under the HIPAA Breach Notification Rule (as modified by the Omnibus Rule): it is presumed reportable unless the organization can demonstrate a low probability that the PHI was compromised.
So, although ransoms demanded in 2016 averaged only $679 per event, the costs of response, interruption to operations, damage to patient trust and the public reporting burden, coupled with rising ransoms and more frequent attacks, all point to a rapidly increasing risk for healthcare providers.
The biggest problem we face with Ransomware is its profitability. As a tool of extortion it is very effective, especially given the fractured international enforcement of cybercrime laws. Added to that, the healthcare industry lags behind other industries in deploying basic security controls, which makes healthcare organizations of all types the "low hanging fruit" that automated attack tools can turn into a huge cash flow.
Despite headlines about large institutions being targeted, it is the smaller institutions that are at highest risk. Many smaller ransom payments add up quickly, and by keeping demands at a level that doesn't break the bank the attackers attract less publicity (and less effort from law enforcement).
Thus, small and medium-sized healthcare organizations are perfect targets because:
- They are completely reliant on continuous availability of their EHR and practice management software
- They are often behind the curve on implementing effective cyber risk management
- They tend to overlook threats to business-critical IT services posed by ransomware during contingency and disaster recovery planning
- The combination of weak protection of the network, and inadequate backup, leaves most victims at the mercy of the extortion
As a result, a huge amount of money is getting extorted. With minimal risk of prosecution, we can anticipate a continuing epidemic of Ransomware targeting the healthcare industry.
What can we do about it?
The only thing that will change this trend is to decrease the likelihood of success through prevention. That means small and medium-sized providers must step up their game when it comes to educating everyone about Ransomware, its prevention, and how to respond to it.
How do we fight the criminals?
There are three ways of stopping Ransomware and they all should be implemented. The first two are basic risk management controls that should be part of every institution’s cybersecurity program. The third will likely become core technology required to mitigate the risk of Ransomware.
- Good cyber infection controls
This means your anti-virus/anti-spam/anti-malware software is installed and kept up to date on all devices, including cell phones and tablets used in the workplace. It also means you have tools, such as an Intrusion Prevention System (IPS), to quickly identify and halt attacks, whether they arrive as email attachments or as direct compromise of servers by hackers. Finally, it requires that all staff be trained in good computer hygiene and incident reporting.
- A tested disaster recovery plan that anticipates and addresses Ransomware
This means that data is backed up to separate media that the Ransomware cannot reach or encrypt: offline, or at least not writable from the production network with the credentials a compromised workstation holds. Backups must be taken frequently enough that you can restore operations from them and absorb the loss of whatever was created since the last backup. And it means that restoration from backup is tested and can be relied on to bring your operations back on line quickly.
- New technology that detects and stops the encryption
Vendors have created security software that recognizes common variants of current Ransomware. They are also developing tools that detect the behavior of Ransomware (for example, a single process rapidly rewriting many files with encrypted-looking content, or renaming them to a ransom extension) and can suspend processes that appear to misbehave until an operator can assess the situation. These technologies are still evolving, and one hopes they will prove effective in curbing Ransomware.
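The "tested disaster recovery plan" bullet above says backups must be restorable and must not be reachable by the Ransomware. The following script is an added example (not code from the original page or from any product it mentions) of the check a contingency plan should actually exercise: record a SHA-256 manifest when the backup is taken, verify a test restore against that manifest, and confirm the backup is recent enough to meet the recovery point objective (RPO). The directory trees, file contents and the 24-hour RPO are constructed for the demonstration; the tampering step simulates a backup share that was writable from the infected network.

```python
"""Backup manifest, restore verification and RPO check (added example)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def build_manifest(root: Path, taken_at=None) -> dict:
    """SHA-256 of every file under root, keyed by POSIX relative path.

    Keep the manifest with the offline copy of the backup, never on the share
    being backed up: if ransomware can reach the manifest, it can rewrite it.
    """
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return {"taken_at": time.time() if taken_at is None else taken_at, "files": files}


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Diff a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored)["files"]
    expected = manifest["files"]
    return {
        "missing": sorted(set(expected) - set(actual)),
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "extra": sorted(set(actual) - set(expected)),
    }


def backup_within_rpo(manifest: dict, rpo_seconds: float, now: float) -> bool:
    """True if restoring this backup loses no more data than the RPO allows."""
    return now - manifest["taken_at"] <= rpo_seconds


def demo() -> dict:
    """Constructed scenario: clean restore, then a backup the ransomware could reach."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ehr"
        (src / "patients").mkdir(parents=True)
        for i in range(1, 4):
            (src / "patients" / f"p00{i}.json").write_text(json.dumps({"id": i, "dx": "Z00.0"}))
        (src / "schedule.csv").write_text("2016-06-01,p001\n")

        manifest = build_manifest(src)          # taken at backup time
        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)
        clean = verify_restore(backup, manifest)

        # Failure mode the text warns about: the backup share was writable from
        # the infected network, so one file was encrypted in place and another
        # renamed with a ransom extension (constructed, not real malware output).
        (backup / "patients" / "p002.json").write_bytes(b"\x8f\x1a\xc3\x07\x55\xe2\x9b\x40")
        (backup / "patients" / "p003.json").rename(backup / "patients" / "p003.json.locked")
        tampered = verify_restore(backup, manifest)

        now = time.time()
        stale = build_manifest(src, taken_at=now - 3 * 86400)   # three-day-old backup
        return {
            "clean": clean,
            "tampered": tampered,
            "fresh_within_rpo": backup_within_rpo(manifest, 86400, now),
            "stale_within_rpo": backup_within_rpo(stale, 86400, now),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restore test that only checks "the job finished" would pass the tampered case; comparing against a manifest stored off the share is what catches files encrypted or renamed before or after the backup ran, and the RPO check turns "we back up regularly" into a number the contingency plan can be held to.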
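The behavioral detection described in the last bullet keys on two signals: the content a process writes looks encrypted (high Shannon entropy), and it does so to many files in a short window, often renaming them. The monitor below is an added example (not code from the original page or from any vendor tool it mentions) that scores constructed write events on exactly that. The entropy threshold, the window, the count that triggers an alert and the ransom extensions are all assumptions chosen for illustration.

```python
"""Entropy- and rate-based detection of ransomware-style bulk rewrites (added example)."""
import math
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class WriteEvent:
    ts: float      # seconds since monitoring started
    pid: int
    path: str
    data: bytes    # content written; the first few KiB is enough in practice


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


ENTROPY_THRESHOLD = 7.0                              # assumption; ciphertext sits near 8.0
RANSOM_EXTENSIONS = (".locked", ".crypt", ".enc")    # assumption, illustrative only
WINDOW_SECONDS = 10.0
WRITES_TO_FLAG = 5


class RansomwareWriteMonitor:
    """Flags a pid once it makes WRITES_TO_FLAG suspicious writes inside WINDOW_SECONDS.

    A single high-entropy write (saving a zip or a JPEG) is normal; the burst is not.
    """

    def __init__(self, window: float = WINDOW_SECONDS, writes_to_flag: int = WRITES_TO_FLAG):
        self.window = window
        self.writes_to_flag = writes_to_flag
        self._recent = defaultdict(deque)   # pid -> timestamps of recent suspicious writes
        self.flagged = set()

    def observe(self, ev: WriteEvent) -> bool:
        """Return True when this event pushes ev.pid over the threshold (suspend/kill hook)."""
        suspicious = ev.path.endswith(RANSOM_EXTENSIONS) or shannon_entropy(ev.data) >= ENTROPY_THRESHOLD
        if not suspicious:
            return False
        q = self._recent[ev.pid]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:   # drop writes that fell out of the window
            q.popleft()
        if len(q) >= self.writes_to_flag:
            self.flagged.add(ev.pid)
            return True
        return False


def demo() -> dict:
    """Constructed event stream: two benign processes and one encrypting records."""
    rng = random.Random(2016)

    def rand(n: int) -> bytes:          # stands in for ciphertext / compressed data
        return bytes(rng.getrandbits(8) for _ in range(n))

    note = b"Patient seen for annual physical. BP 120/80. No acute findings.\n" * 40
    events = []
    # pid 100: a clinician saving one note repeatedly (low entropy, benign)
    events += [WriteEvent(t, 100, "notes/visit.txt", note) for t in (0.5, 1.2, 2.0)]
    # pid 300: one compressed export (high entropy, but a single write is benign)
    events += [WriteEvent(3.0, 300, "exports/claims.zip", rand(4096))]
    # pid 200: rewriting six records in three seconds and renaming them
    events += [WriteEvent(5.0 + 0.5 * i, 200, f"patients/p{i:03d}.pdf.locked", rand(4096))
               for i in range(6)]

    mon = RansomwareWriteMonitor()
    first_alert = {}
    for ev in events:
        if mon.observe(ev) and ev.pid not in first_alert:
            first_alert[ev.pid] = ev.ts
    return {"flagged": sorted(mon.flagged), "first_alert": first_alert}


if __name__ == "__main__":
    print(demo())
```

In the constructed run only pid 200 is flagged, at the fifth rewrite (t = 7.0 s), with one record still unencrypted: that is the point of acting on the burst rather than on a single high-entropy write, which would also fire on every zip export and scanned image. A real deployment would feed this from file-system events (inotify, ETW, a minifilter) rather than a list, and would suspend rather than kill the process so an operator can decide, as the text describes.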
Where to start?
Ongoing risk management is a requirement. It needs to factor in the increasing threat from Ransomware, evaluate the effectiveness of protective controls, and keep on top of the contingency planning process so that you are not left at the mercy of a cybercriminal in the event of a Ransomware attack.
This is not a situation to be taken lightly. Ransomware can expose your business to an existential threat. Remember, the extortionists can always take your money and fail to deliver the key. They may even ask for more ransom. This threat will only increase, so now is the time to get serious and make Security Risk Management and Ransomware preparedness a core part of your business plan.
Eric Hummel, CTO
As we discussed in Part 1 of this blog, becoming secure and compliant doesn't have to be overwhelming or cost-prohibitive. There are several software solutions that can guide your project and let you focus only on what you really need to do, which can make HIPAA compliance a cost-effective and potentially revenue-enhancing initiative. So what steps should you take right now?
At a minimum you should complete basic HIPAA/HITECH security activities to minimize risks and be prepared to respond to business partner and new customer requests. This means completing at least the following:
- Risk Assessment to understand where PHI is stored and used, identify critical technology risks that must be controlled, and determine what mitigating actions need to be taken.
- Gap Analysis to prioritize remediation activities and develop a work plan to systematically close identified requirement gaps.
- Workplan with a strategy and milestones so that progress can be measured and tracked.
- Remediate Critical Risks and Implement Mitigating Controls to reduce risk and establish a secure, protected environment. Key activities include:
  - Develop and implement core security and privacy policies and procedures.
  - Implement ongoing monitoring tools to secure your technology, networks and physical environments.
  - Develop core risk management plans, including:
    - Incident Response
    - Contingency/Business Continuity
    - Physical Security
- Conduct workforce training so that staff understand what security risks exist and what every staff member must do daily to maintain a secure environment.
The other key initiative to reduce risk is to ensure you have Business Associate Agreements (BAAs) in place with any organization you exchange PHI with. Here are some quick Business Associate Agreement best practices:
- Single Repository: Your organization should have one place where all executed Business Associate Agreements are stored. There should also be a master list of all organizations you receive, transfer and/or store PHI data with.
- Good Contracting Practices: If your organization receives a Business Associate Agreement for signing, ensure that it has been reviewed by your attorney beforehand. Small changes can have significant consequences in these agreements.
- Due Diligence: When entering into a new business associate or subcontractor relationship, ask two important questions about their HIPAA preparedness: have they done a risk assessment in the last year, and who in the organization will be the Chief Compliance Officer? Remember, you have an obligation to end the transfer of PHI to any organization you have reason to believe is not able to safeguard the data.
- Audit: Review your Business Associate Agreements at least once a year. Also, look at all vendors you do not have Business Associate Agreements with and make sure you are not transferring PHI with these organizations.
In summary, the time to take effective steps to secure protected health information is now. Debt buyers, medical billers and debt collectors are coming under the microscope of regulators and business partners and must be able to demonstrate their safeguards. As businesses and consumers become ever more computer savvy, and as large data breaches are announced frequently, they are already asking "Is my health information secure, and do you follow good security and privacy practices?" As technology advances and interoperability becomes more prevalent, the standards required to do business in this environment will only rise.
When Can You Accurately Say You Are HIPAA Compliant?
Technology is rapidly changing, and as healthcare providers and vendors to the medical profession we must all recognize our roles in safeguarding patients' health information in a world of ever-increasing threats to its security. Business associates such as billing and collection companies, application developers and data analytics companies must comply with the HIPAA/HITECH regulations, ensuring the security and privacy of protected health information (PHI).
If you create, receive, maintain or transmit PHI on behalf of a covered entity, you are a business associate and must comply with the HIPAA/HITECH requirements, including critical items like performing periodic risk assessments, documenting and implementing security and privacy policies and procedures, conducting HIPAA awareness training, and regularly testing disaster recovery and business continuity plans. But you may ask: "Should I worry if I'm not compliant? Could my business operations be disrupted by a data breach? Am I prepared if my customers and partners require me to be HIPAA compliant?" The answer to each of these should be an unqualified yes.
The risks are real and they need to be managed. Here are just a few:
- There have been years of underinvestment in technology (especially security) in both the healthcare and medical billing/collections industries
- Healthcare records contain large amounts of personal information
- Mass digitization of patient data has greatly increased attack opportunities
- The value to thieves of a healthcare record has been estimated at as much as 50 times that of a credit card record
- Mobile devices have become the primary computing vehicle, increasing the potential for loss and theft
A KPMG study reported that 81% of healthcare organizations had been hit with a breach in the previous two years. Some speculate that the number could be even higher, since some data breaches remain undetected or go unreported. Furthermore, over 50% of respondents believe healthcare-related organizations will remain the industry most at risk in 2017. What do you think is the largest privacy and security threat in your organization?
Most business associates have similar gaps. Do these sound like what your organization looks like?
- Incomplete or out-of-date risk assessment;
- Missing security and privacy policies and procedures;
- Limited or no HIPAA awareness training;
- Untested disaster recovery plans;
- Ad hoc data breach incident response;
- Limited or no encryption of PHI; and
- Unmonitored access controls.
Being HIPAA/HITECH compliant can pay dividends to your organization. It can help you generate more revenue and open up new business opportunities. If you haven't already noticed, more and more business partners are asking "Are you HIPAA compliant?", and many will not work with you if you can't answer that simple question affirmatively. Being HIPAA compliant can also be a business development differentiator; reduce the impact of a costly lawsuit over PHI mishandling or access; prevent reputational damage and consumer mistrust; and minimize potential fines from breaches and audits.
While not easy by any standard, becoming secure and compliant doesn't have to be overwhelming or cost-prohibitive. This investment will pay for itself many times over. Part 2 of this blog will show you what you need to do. So get ahead of the curve. Bottom line: it pays to be HIPAA compliant!
The Gatak Trojan strikes again! Only this time the information-stealing malware first seen in 2011 is targeting healthcare data.
Symantec researchers warned recently that this piece of malware, built to steal information and provide backdoor access, is specifically infecting enterprise networks, and its primary target is the healthcare sector: forty percent of the top 20 most affected organizations are from healthcare, according to the data security firm.
Also known as Stegoloader, the Gatak Trojan spreads through websites promising licensing keys for pirated software. The keys don’t work and users end up infected. In addition, the Gatak Trojan can move across healthcare networks by exploiting weak passwords and poor security in file shares and network drives.
By concealing bad files within files, cybercriminals perform healthcare attacks to expose medical records, said one Trend Micro analyst. While Symantec is unsure how the attackers behind the Gatak Trojan are monetizing their attacks, the data security firm suggests they could be selling the personally identifiable information and other data they manage to pick up from the infected network.
Healthcare is especially susceptible to network breaches: with limited IT budgets and resources, and records that are rich in data and priced higher than any other kind of information, the sector is likely to see more of this activity. Data security needs to move front and center as a healthcare priority, and many healthcare organizations could benefit from continued education about information system risks through annual security and privacy training.
Timely Healthcare Data Breach Notification
» Changes to HIPAA went into effect February 5, 2016.
» Certain covered entities (those with lawful authority to make the relevant mental health adjudications or commitment decisions, or that serve as repositories of that information) are now permitted to disclose the limited identifying information needed to report individuals subject to the "mental health prohibitor" to the NICS.
» Such disclosures were previously barred by HIPAA without the patient's authorization.
» The determinations to prompt disqualification on mental health grounds are made almost exclusively by organizations not bound by HIPAA.
» It is anticipated these changes to HIPAA will have very little impact on covered entities.
Adam Bullian is Director of Privacy Compliance and Operations with QIP Solutions in Washington, DC.
Source: Compliance Today, "Gun Control Debate Prompts HIPAA Change".