Ransomware a Growing Threat to Health Systems

Ransomware, which is expanding at a rapid rate, has crippled several hospital systems and hurt patient care, warranting close attention and proper steps to address these concerns, according to a presentation during the HIMSS17 meeting.

Prevention and mitigation of these risk are possible, using an appropriate cybersecurity framework. It is important that the system put in place to protect against ransomware should also be customized, based on the hospital system, as it is not a one-size-fits-all solution. Additionally, training of all staff is key to preventing an event.

"Evaluate which prevention measures are appropriate for your environment in light of the risks presented," said Brian Balow, JD, Member, Dawda Mann PLC, during the presentation. "It must be a customized approach. It can't be tossed together based on what worked for someone else."

Ransomware gains access to health data and blocks the organization from getting into its own system unless a "ransom" is paid. In most cases, these attacks gain access to protected health information (PHI) on patients, and threaten to leak this information, which could cause broader implications or fines from the Office of Civil Rights (OCR).

Ransomware is becoming more prevalent, with a milestone publicity event at the Hollywood Presbyterian Medical Center in February 2016. In this situation, the ransom was $16,664 (which was paid as 40 bitcoins). After this event, there were several more incidences in 2016, with a growing frequency. In fact, hospitals are the primary target for ransomware attacks, with Experian anticipating a ramp up in the attacks in 2017. According to reports, ransomware has now become a billion-dollar business.

"Ransomware is really exploding—ransomware as a service. It has become an industry in and of itself. They develop it and then they sell it," said Balow. "This is really an unintended byproduct of the Affordable Care Act, with its information technology and data requirements."

In a poll of the audience, more than 50% of the attendees reported experiencing a ransomware attack at their institution. Moreover, they noted that in over 60% of attacks the target is people and patient records not the technology. The audience consisted of an array of C-suite executives and Chief Medical Officers/Physicians.

"The prevalence of this is much higher than what we read in the press," noted Balow. Many breaches go unreported or unnoticed, he added.

These attacks can enter the system through several means, including suspicious emails, often with subjects about HIPAA audits. Other techniques include brute force hacking, various types of phishing emails, infected downloads, vulnerable web servers, and web-based instant messaging applications.

"If you're using third party technologies, we don't know what they're doing. We need to be aware of what the staff are doing," Tatiana Melnik, JD, Attorney, Melnik Legal PLLC, said during the presentation. "We often find that staff are using services like Dropbox, without anyone knowing it is being used—and now that PHI can be anywhere."

Melnik, a lawyer practicing in Florida, noted that not all ransomware incidences need to be reported to the OCR. If an event occurs, the next steps should be customized based on the type of ransomware used and the data that was accessed. However, in the views of the OCR, every event should be reported.

The OCR will not always pursue action when there is a breach; however, to date, there have been more than $30 million in settlements related to PHI leaks. Some of these settlements were related to a lack of timely notification of the breach, so action is required quickly if there is a reportable incidence.

"Bottom line is that it comes down to a business decision. What are the risks, and are you comfortable with the decision," said Melnik. "Many people will just report, to avoid the risks of the OCR investigating." The enforcement environment is extremely complex, she added. In addition to the OCR, if there is a report, it could potentially be a tidal wave of lawsuits, depending on the data that was breached.

In the case of a breach, Melnik and Balow recommended first contacting the security officer, who would then contact internal or external technical security. They recommended bringing in a legal counsel as the third step in the process, followed by initiating redundant systems, if available.

After these steps were in place, an investigation on the scope of encrypted data released should begin, to determine if the incidence needs to be reported. If needed, forensic resources should be engaged and law enforcement should be contacted, preferentially the FBI for larger leaks, the speakers recommended. "Local law enforcement is not equipped for this type of issue," Balow noted.

In addition to knowing the information that was leaked, it is also extremely important to know what is covered under your insurance policy. Before contacting insurance, Melnik advised being acutely aware of all the details within the insurance policy. "It can be very complicated," Balow said. "You need someone qualified to discuss the ins-and-outs of these conditions."

Importantly, they noted that following a breach, all communication should be done over the phone or in person. Email blasts should be avoided and other files should not be opened, to avoid spreading the virus. Although payment might be unavoidable, it should not be pursued immediately. Payment should only be issued after a thorough assessment.

"If you're going to pay, you better be sure it isn't going to happen again," Balow cautioned. "At this point, you're an easy target."