Health Care an Increasingly Common Ransomware Target

Bryce Matsuoka

Data Breaches: A Guide to Prevention and Recovery

An e-mail with an infection is sent to a hospital. Only one of what could be hundreds of staff members needs to be hooked and open the malware-infected phishing e-mail. And then, kaboom!

All hospital computers are frozen, with their data encrypted and locked up for 10 days, until hospital executives agree to pay a $17,000 ransom for a key to unlock the hacker’s encryption of their electronic records.

Sound like a Hollywood movie? It did happen in Hollywood this year—but not at a movie studio. It actually took place at Hollywood Presbyterian Medical Center.

HEALTH-CARE RANSOMWARE ON THE RISE

Disasters come in all shapes and sizes—and unfortunately, an increasingly common disaster that physicians, practices, and hospitals must prepare for and respond to are data breaches. Health-care data hacks are on the rise. And more specifically, attacks using ransomware to monetize targeted network intrusions.

  • The Office of Civil Rights reported 253 health-care data breaches in 2015 with a combined loss of 112 million records.
  • Of the top 10 breaches, the top six affected at least 1 million people.
  • The worst breach last year, Anthem Blue Cross, involved 78+ million records hacked.
  • Smaller medical clinics are not immune either. In July, an undisclosed ransomware strain hit a Colorado-based allergy clinic. Allergy, Asthma & Immunology of the Rockies, P.C. (AAIR) divulged details of what appears to be a ransomware infection that may have directly affected systems containing electronic protected health information (ePHI) of almost 7,000 patients, including patients’ names, medical test results, and Social Security numbers.1

At the end of last year, Garry McCracken, Vice President of Technology at WinMagic Data Security, told Forbes that 2015 “was the year of the health-care breach.” And this year continues the trend. Studies show that data breaches cost the health-care industry $5.6 billion a year.

The average cost per record lost or stolen in 2015 for all US businesses was $217, with health care leading all industries at $398 per record, according to Ponemon Institute’s 10th annual Cost of Data Breach 2015 study. A breach, as Ponemon defines it, puts at risk an individual’s name—plus a Social Security number and/or medical record, financial record, or debit card.These could be in either electronic or paper format. The study identified three main causes of data breaches:

  • Malicious or criminal attack: 49 percent
  • System glitch: 32 percent
  • Human error: 19 percent, including lost or stolen hardware

And the trend is getting worse.One US patient record in three is predicted to be breached in 2016.

WHY TARGET HEALTH CARE?

Why target patient records? Because of the money. The most valuable personal information on the black market is not a social security number. It’s not a credit card number. It’s not a driver’s license. The hottest information is a person’s medical record, which sells for as much as $363 per record, according to data from the Ponemon Institute, which is more than any other piece of data from any other industry.”

The reason? Think opposite of the Hippocratic oath. Medical records can do more harm.Thieves sell them to scam the system for illegal health services and prescriptions.

And crooks know that ransomware attacks against a hospital or health-care system puts health and lives at risk, which means criminals have more chance to get a quick payment to restore operations and restore safety—not to mention regain a positive public image and reputation.

It’s also no secret that the health-care industry was slower to move to digital records, and many organizations made the switch only in recent years so are still getting up to speed with security technology.

Another fact that puts health-care organizations at risk is that vulnerable medical devices are running outdated operation systems. So, health-care records hold the most value on the black market, and when breached, they cost hospitals, clinics, and solo practices the most in dollars and lost business.

And then there is compliance with the Health Insurance Portability and Accountability Act (HIPAA), with fines starting at $100 and going up to $1.5 million for each violation. Already in 2016, HIPAA has reached settlements totaling $8.4 million, exceeding any other prior year. There have been three prison sentences for HIPAA violations, and medical licenses have been revoked. Plus failing another audit, such as Meaningful Use, can lead to an OCR (Office for Civil Rights) audit.

“It’s accelerating,” stated Bill Ho, CEO of Biscom (a provider of secure document delivery solutions), in a CNBC article posted in August. “We’ve definitely seen more [fines] recently, [with] the Office of Civil Rights coming out and saying, ‘You’re in Violation.’” He added, “The OCR is starting to play hardball.” Do IT security and data breaches have your attention yet?

HOME SECURITY: AN ANALOGY FOR DATA PROTECTION

Are you doing what you can to protect your house? Your home security efforts can illustrate how to address the challenge in business. For instance, are you locking your doors with quality deadbolts? Do you have a video monitoring system that records who comes and goes? Are alarms triggered when a break-in occurs? Who in your house has access to the security codes and family jewels, and who knows where the jewels are hidden?

The house analogy is useful for thinking about the steps needed to protect your business from a data breach and how to keep it running after a disaster occurs— which would be any time crucial data or mission-critical software couldn’t be accessed.

The single most important step a hospital, clinic, or solo office can do is decide to prepare for a breach.Smaller clinics and solo practices often think,“It can’t happen to me.” They assume that protecting their “house” is too expensive, and doing so wouldn’t make a difference anyway.They decide to take a chance, and if a breach comes,they will just react to it. Sadly, it’s only a matter of time before they’re hit.

A wiser approach is to be proactive and seek to understand the scale of potential problems. Take precautions, not only concerning who gets into the home, but also how to detect a breach. Teach the family (partners and staff) what to do to both prepare (create a plan beforehand) and prevent/detect future break-ins. Monitor the house and security-control upgrades. Be active in the neighborhood (network with peers) and keep evolving.

One of the first questions an IT security professional might ask is how old your IT system is and if you are maintaining it. Updating hardware and software is a cost of doing business, yet many healthcare businesses are still running outdated servers and software. Do any physicians or staff members still use pagers or old flip phones? Some practices still limp along with Windows NT, which officially went out of support in 2006. That means more exposure and an increased risk of being hacked or catching malware or computer viruses.

In addition to having outdated operating systems, another potential problem is having medical scanning equipment that holds large images on outdated hard drives. Without active backups and security, this data can also be at risk.

But that’s not the only way bad actors compromise your systems.The two most prevalent methods these days are Advanced Persistent Threats (APTs) and ransomware. APTs are highly sophisticated and bypass virtually all cybersecurity “best practices” to maintain a compromised network presence.They are stealthy, targeted, and aim to monetize by observing behavior to maximize attacks on specific data.Ransomware, on the other hand, does not care what data it encrypts. Its sole purpose is to encrypt as much data and as many systems as quickly as possible across the network and anything it can penetrate.Thus,it acts swiftly to lock down all possible data. Medical facilities are targeted because of their need to continue to serve their patients.

SO WHAT CAN BE DONE?

Any retail store runs the risk of shoplifters stealing items. But when shoplifters enter a store, they typically act like normal customers. It’s only when they perform some kind of behavior, such as concealing unpaid items and attempting to leave, that their behavior can be detected—and action must be taken to catch them before they leave the premises.

The same goes for cybersecurity. First, business risks (what is the critical data, and what would happen if this data were compromised?) must be determined forthe medical clinic/practice/facility. A layered approach for protection, plus the ability to detect anomalies once they enter the network, are critical steps.Second, the vulnerabilities (bad behavior, such as poor documentation) to those risks must be identified. And third, these vulnerabilities must be mitigated automatically to reduce the risk to the medical practice.

The same approach applies when attempting to detect the APT or malware behavior—once it acts like a shoplifter—and to catch it before it departs with data or infects your systems. It’s important to note that this is not a common-sense “Let’s catch all the vulnerabilities out there” approach. Instead, it is a targeted means of reducing the risk for your medical practice and protecting your data.

Data protection solutions are always evolving. Magnetic tape technologies were the standard for a very long time.

However, challenges are inherent with these technologies. Both speed and reliability are outperformed by disk-based solutions, which are able to restore data more quickly, due to the ability to directly access the data without reading through an entire tape. Disk-based systems can be complex to manage, and the speed of today’s networks makes Disaster Recovery as a service an attractive solution for medical practices with very small IT departments. But the process of backing up and restoring data in disaster recovery situations has stayed the same over the years.

HIPAA: A GUIDE TO PROACTIVE STEPS

Guidance for the required minimal proactive steps needed to protect your business and patients,while remaining OCR compliant, can be found in the HIPAA regulations.The heart of HIPAA is all about having five plans, along with supporting procedures, backing up data, testing, and analysis. The five required plans include:

  1. Data Backup Plan (the second backup must be offsite and on US soil)
  2. Disaster Recovery Plan
  3. Emergency Mode Operation Plan
  4. Testing and Revision Procedures
  5. Applications and Data Criticality Analysis

To pick the best solution for the first plan (Data Backup), you must first know your data and then decide what’s most important. You must also determine your critical operations software applications.

Given that 70 percent of data is “inactive,” a critical question concerns how fast you’ll need the backed-up data (recovery time) and the time period that the backup should cover. Also consider what data you need first (patient records vs. scheduling vs. accounting) during a recovery to keep operations sustainable and what software applications need to be restored first, second, third, etc.

To understand the interaction of data and software, it’s important to create a Business Impact Analysis (BIA). This is where IT professionals come into your organization and interview employees, mapping the workflow of the data and software used, and indicating on which hardware it is displayed.

Key business roles within the organization must be included. Representatives for tese roles attend a workshop to review the findings and validate accuracy.

The next step is to determine risk tolerance. What data is most at risk? What is your tolerance level for data and operations risk? You could apply a risk scale of one to 10 (one being the safest) to data and processes. For example, the BIA might find that the executive team’s risk tolerance is a four, but they are operating at a seven. You must close this gap through risk mitigation techniques or reassessing the acceptable risk. Effective data backup/recovery (and security, for that matter) are based on defining the acceptable business risk.

From there, after you understand which solutions are to be used for backups, you create the Disaster Recovery (DR) plan. The basics of a data-breach plan for any sized health-care operation include:

  • Disaster Recovery Planning stage
  • DR Solution choice
  • Implementation of DR solution (training)
  • Testing of DR solution
  • Sustainment mode

It’s sobering to recognize that data breaches, either accidental or covert, willnever be completely eliminated, and there are no technologies or best practices that can guarantee 100 percent protection. Still, when you seek professional security help and prepare for a breach, you stand the best chance of protecting your business and your patients. 

References

1 “Colorado Allergy Clinic Reports Ransomware Attack,”
HIPAA Journal, July 6, 2016, accessed September 2,
2016, http://www.hipaajournal.com/colorado-allergyclinic-
reports-ransomware-attack-3493.

Bryce Matsuoka, CEO/President of AboveCloud, has more than 25 years of technology consulting and corporate experience in health care, finance, retail, and other industries. The AboveCloud team helps health-care practices simplify HIPAA compliance to become audit ready, protect data from cybercrime, and proactively manage information technology.