There has been a ‘sea change’ with breaches of protected health information (PHI). OCR reported that HIPAA Privacy and Security breaches continue to rise, and estimates that more than 41 million people have had PHI compromised in breaches. OCR notes that the majority of reported incidents involved unauthorized access or disclosure, but cyber attacks are now a close second. Both the rate and the variety of cyber attacks have grown significantly in the last couple of years. The most disturbing trend in cyber attacks involves Ransomware. A survey by the American Health Lawyers Association indicated that virtually all healthcare lawyers believe they will be involved with cyber security matters with their clients, and that the threat will continue to increase within the next three years. Many lawyers surveyed expressed concern that they are ill-prepared to deal with an attack and that their preparedness trails behind other sectors of the economy.
The reason for the heightened concern is that Ransomware attacks have been growing as an Internet threat for more than a decade, and have only recently become prominent in the healthcare sector, which is considered a “soft target.” Many healthcare providers have been victimized by these types of attacks. Hospitals, in particular, are the perfect mark for this kind of extortion because they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives, and other information, patient care can be delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in deaths and lawsuits.
Typically, Ransomware attacks involve a sophisticated computer virus that finds its way into a victim’s system, often when an unsuspecting employee opens an email attachment. The virus encrypts the system’s data, and attackers essentially hold the data hostage until the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin. The attackers threaten to delete the private key needed to decrypt the files unless their ransom is met. Frequently, the problem is identified when employees find they can’t access files on a shared server. When checking on the problem, they find messages with instructions for paying to regain access to their information. Some recent examples of Ransomware attacks involve the following facilities:
- Keck Medicine of the University of Southern California
- Saint Francis Health System in Tulsa, Oklahoma
- Hollywood Presbyterian Medical Center in Los Angeles, California
- MedStar Health in the District of Columbia and Maryland
- Chino Valley Medical Center in Chino, California
- Desert Valley Hospital in Victorville, California
- Methodist Hospital in Louisville, Kentucky
The most recent major breach was a Ransomware attack on Marin Healthcare District’s nine medical care centers in California. Marin was hit with a virus that held its data hostage, resulting in loss of clinical information affecting 5,000 patients. Marin paid the ransom to regain access to the data, but the amount was not announced. News stories stated that the California Attorney General’s Office had been notified of 657 data breaches affecting a total of more than 49 million records of Californians in the prior four years. The health care sector accounted for 16 percent of the breaches. Malware and hacking presented the greatest threat, accounting for 54 percent of the breaches.
Last July, OCR released HIPAA guidance on Ransomware and restated existing guidelines for when breaches might involve Ransomware attacks. OCR noted that even though Ransomware attacks don’t usually result in data being exfiltrated, the HIPAA Breach Notification Rule still applies. As such, major fines may be applied in those cases.
Tips to deal with the threat
- Train employees to understand that breaches often begin when an employee clicks on an email link or attachment, or responds to “phishing” inquiries.
- Focus security efforts on those files that are most critical, such as patient records.
- Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate or remediate these identified risks.
- Develop and implement policies and procedures on how to take precautions against malware.
- Limit access to PHI to people and programs that require such access.
- Maintain disaster recovery plans, emergency operations, and data backups to assist in restoring lost data in case of an attack.
- Configure email servers to block zip archives and other attachment types that are likely to be malicious.
- Move quickly on any report of an attack to prevent the malware from spreading by disconnecting infected systems from a network, disabling Wi-Fi, and removing USB sticks or external hard drives connected to an infected computer system.
- Restrict permissions to certain network areas by limiting the number of people accessing files on a single server, so that an infection on one server does not spread to everyone.
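The article describes how staff typically discover an attack: files on a shared server become unreadable and a note with payment instructions appears. The following added example (not from the article or from any of the organizations it names) shows the kind of early-warning check a defender can run over a file share snapshot: it flags ransom-note text and files whose contents look encrypted (high byte entropy under an unfamiliar extension). The folder contents, the `.locked` extension, and the phrase list are constructed for illustration.

```python
import math
from collections import Counter

# Constructed snapshot of a shared server folder (filename -> contents).
# The .locked files hold bytes(range(256))*4, which has maximal entropy (8.0
# bits/byte) and stands in for encrypted content; this is sample data only.
ENCRYPTED_BLOB = bytes(range(256)) * 4
SHARE = {
    "drug_history_0042.txt": b"Patient 0042\nWarfarin 5mg daily\nAllergy: penicillin\n",
    "surgery_directive_0042.txt": b"Pre-op fasting from midnight. Consent signed.\n",
    "labs_0042.csv": b"test,value\nHbA1c,6.1\nLDL,102\n",
    "drug_history_0043.txt.locked": ENCRYPTED_BLOB,
    "surgery_directive_0043.txt.locked": ENCRYPTED_BLOB,
    "labs_0043.csv.locked": ENCRYPTED_BLOB,
    "HOW_TO_RECOVER_FILES.txt": b"Your files are encrypted. Pay 2 BTC for the private key to decrypt them.\n",
}

KNOWN_EXTENSIONS = {".txt", ".csv", ".pdf", ".docx", ".xlsx", ".jpg", ".dcm"}
NOTE_PHRASES = ("encrypted", "decrypt", "bitcoin", "btc", "private key")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext clinical notes sit near 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_ransom_note(name: str, data: bytes) -> bool:
    """A small text file mentioning two or more extortion phrases."""
    text = data.decode("utf-8", errors="ignore").lower()
    return name.lower().endswith(".txt") and sum(p in text for p in NOTE_PHRASES) >= 2

def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """High-entropy content under an extension the organisation never uses."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in KNOWN_EXTENSIONS and shannon_entropy(data) >= threshold

def scan_share(share: dict, encrypted_ratio: float = 0.3) -> dict:
    """Flag the folder when a ransom note appears or enough files look encrypted."""
    notes = [n for n, d in share.items() if looks_like_ransom_note(n, d)]
    encrypted = [n for n, d in share.items() if looks_encrypted(n, d)]
    ratio = len(encrypted) / len(share) if share else 0.0
    return {
        "ransom_notes": notes,
        "encrypted_files": encrypted,
        "encrypted_ratio": round(ratio, 2),
        "suspicious": bool(notes) or ratio >= encrypted_ratio,
    }

if __name__ == "__main__":
    print(scan_share(SHARE))
```

In practice this check would run on a schedule against real shares and feed the "move quickly" step above: a positive result is the trigger to isolate the affected server before the infection reaches backups or other servers.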