August 15, 2016

SUMMARY

As ransomware attacks in health care continue to rise, anesthesia practices should implement solid policies, processes and procedures to safeguard electronic protected health information (ePHI). These efforts should incorporate the recent guidance from the Health and Human Services Office of Civil Rights on Health Insurance Portability and Accountability Act (HIPAA) compliance and ransomware, including adherence to procedures for breach notification.


We would like to say it isn’t so, but ransomware attacks haven’t tapered off; they’ve soared. So far in 2016, ransomware attacks have risen 300 percent since 2015 (from 1,000 to 4,000 attacks daily), according to a government report.[1] The healthcare sector—anesthesia providers included—is especially vulnerable.

More than half of hospitals responding to an April survey by the Health Information and Management Systems Society (HIMSS) and Healthcare IT News reported that they had been attacked by ransomware in the previous year. An additional 25 percent of hospitals said they were either unsure whether they had been attacked, or had no way of knowing.

When it comes to data security, healthcare still lags far behind other industries, including banking and high-reliability fields such as nuclear energy, power utilities and aviation. This susceptibility makes hospitals and practices prime targets for hackers. Personal health information is 50 times more valuable on the black market than financial information, according to the 2016 HIMSS Analytics “Healthcare IT Security and Risk Management” study, which includes findings from a survey of 100 health IT professionals.

It is important for anesthesia providers to keep in mind that medical devices, including anesthesia machines, drug infusion pumps and pacemakers, are also vulnerable to attack. According to an article in The Hill, “most medical devices are designed with open-source code that is easily hacked with malware.” Although most hackers are more interested in selling records on the dark web than disrupting the delivery of care, “it’s entirely within the power of hackers to ‘brick’ [disable] a needed medical device or shut down a hospital network, preventing doctors and nurses from providing care.”

Health care’s urgent need for stronger cybersecurity is also apparent in a recent survey of 927 healthcare professionals. Although more respondents reported having a Health Insurance Portability and Accountability Act (HIPAA) compliance plan in place in 2016 than in 2014 when the previous survey was conducted (70 percent versus 58 percent, respectively), the majority remain only “somewhat” confident that someone at their organization is managing HIPAA compliance, and only 40 percent report feeling “very” confident that a program is in place, the survey reports.

Keep it Private, Keep it Secure

The increase in incidents means anesthesia practices have even more reason to do everything they can to secure their electronic protected health information (ePHI). Our February 20, 2016 eAlert outlined strategies to help anesthesia providers guard against this burgeoning brand of cybercrime.

New guidance from the Health and Human Services Office of Civil Rights (OCR) issued on July 11 details how efforts to comply with HIPAA regulations regarding ePHI also can help prevent ransomware intrusion and support recovery if a ransomware attack occurs. The guidance also explains when an attack is and is not a security breach that must be reported.

Essentially, when ePHI is encrypted as the result of a ransomware attack, it is considered a “disclosure” and a violation of the HIPAA Privacy Rule because the information has been acquired by unauthorized individuals. The breach must be reported to the affected individuals, the Secretary of Health and Human Services and the media, unless the covered entity can show “low probability” that the ePHI has been compromised. (See below for more information on low probability.)

Following is a summary of the OCR guidance on HIPAA and ransomware.

Prevention

In keeping with the requirements of the HIPAA Security Rule, the guidance recommends the following steps to prevent a ransomware infection:

  • Conduct a risk analysis to identify threats to ePHI and develop a plan to address identified vulnerabilities
  • Implement procedures to guard against and detect malicious software
  • Train users to identify and report malicious software early
  • Limit access to ePHI only to people and software that require access
  • Incorporate these procedures into all security measures enterprise-wide, not just those related to HIPAA

The Security Rule establishes only minimal requirements for protecting ePHI, OCR notes. The agency encourages entities to add more robust measures beyond these requirements to bolster security.

Recovery

To be well prepared to recover in the event of a ransomware attack, OCR recommends the following:

  • Maintain frequent backups and ensure the ability to recover data from these backups. (A data backup plan is also a requirement of the HIPAA Security Rule.)
  • Conduct periodic tests to verify the integrity of backed up data
  • Consider maintaining backups offline in a location separate from the networks
  • Develop—and periodically test—a contingency plan that includes procedures for disaster recovery, emergency operations and accounting for all applications and data. This contingency plan will allow you to conduct “business as usual” while you simultaneously work to recover from the attack.

Warning Signs

OCR stresses the importance of training all users in spotting the warning signs of a ransomware attack. These include:

  • A realization that a link clicked on, a file attachment opened or a website visited might have been malicious
  • An increase in activity in the central processing unit of a computer for no apparent reason
  • An inability to access certain files (as the ransomware encrypts data)
  • Detection by the IT department of suspicious network communications between the ransomware and the attacker’s command and control servers

OCR also urges entities to develop solid security incident response and reporting procedures and processes that encompass detecting, containing, eradicating and recovering from ransomware and other malware. The presence of ransomware is a security incident that should trigger the entity’s response and reporting mechanism. These procedures should be designed to determine the scope of the incident, where it originated, whether it is finished or ongoing and the vulnerabilities that allowed the incident to occur.

Reporting

In addition to containing and eradicating the ransomware, correcting the identified vulnerabilities, restoring the lost data and returning to “business as usual,” follow-up activities should also include a deeper analysis to determine whether the incident must be reported as a security breach.

A ransomware attack that results in the encryption of ePHI constitutes an illegal disclosure and a breach under the Breach Notification Rule and must be reported, OCR states—unless the entity can demonstrate low probability that the data has been compromised.

To demonstrate low probability, covered entities must undertake a four-pronged risk analysis that assesses the nature and extent of ePHI involved, the unauthorized person who used the ePHI, whether the ePHI was actually viewed and the extent to which the risk has been mitigated.

A security incident response policy grounded in solid procedures and processes will help the organization identify the strain of malware involved and whether the strain will propagate or deposit hidden malicious software to achieve unauthorized access in the future. “An entity may be able to show mitigation of the impact of a ransomware attack affecting the integrity of PHI through the implementation of robust contingency plans including disaster recovery and data backup plans,” the guidance states. However, “integrity to PHI data is only one aspect when considering to what extent the risk to PHI has been mitigated. Additional aspects, including whether or not PHI has been exfiltrated, should also be considered.”

According to Kirk J. Nahra of Wiley Rein LLP in eHealth Law & Policy, “My sense is that the OCR’s analysis—if followed by companies—will lead to more of these attacks leading to notice than we might have thought previously. I’m not sure that’s the right policy result—what is the rationale for notice where data has been ‘held hostage’ but not otherwise misused?—but that is the OCR’s view of what is needed.”

Healthcare providers have a long way to go to give cybersecurity the attention it deserves, HIMSS Analytics reports. The 2016 HIMSS Analytics survey found that more than 80 percent of organizations spend less than six percent of their IT budgets on security, while more than 50 percent spend less than three percent. This contrasts with government and finance, which spend 16 and 12-15 percent, respectively.

“We can't be as secure as those industries because we're not spending the money,” says David Finn of Symantec, which co-authored the study. “Information and information technology were never really strategic to healthcare. We never thought of that data as being strategic and important.”

As health care struggles to catch up with other industries, cybercriminals are finding new weak spots to gain access. On August 3, Arizona-based Banner Health reported that hackers gained access to credit and debit card information for 3.7 million people through point-of-sale systems that process payment card data at food and beverage outlets serving the health system. The incident, which took place on June 17, was not found until July 7. Patient information and health plan records also may have been compromised. A Banner physician has filed a class-action lawsuit against the system, claiming Banner was negligent and allowed the breach to occur.

The key to preventing a ransomware or any other type of malware infection or virus is to build and maintain a strong boundary between the work and non-work computing environments, says Steve Williams, senior director of information technology with Anesthesia Business Consultants. ABC systems, for example, prevent general web surfing.

“We keep users on business sites only—our known ‘good lists.’ That’s because mixing business and pleasure is one of the quickest ways to become infected. If it isn’t real work, don’t do it. Don’t check your Facebook. Don’t check your personal email.” Williams also stresses the importance of ongoing user education. “You’re only as compliant as your least compliant user,” he says.

Conclusion

Compliance with the provisions of HIPAA can also help protect your practice against ransomware. Make cybersecurity the priority within your organization that it must be for all health care entities: provide regular staff training and education in secure practices, and pay careful attention to proper planning, prevention and reporting.

With best wishes,

Tony Mira
President and CEO

[1] United States Government Interagency Report, How to Protect Your Networks from Ransomware, https://www.justice.gov/criminal-ccips/file/872771/download, p. 2.