Photo Credit: https://www.csoonline.com/article/3261093/ransomware-healthcare-and-incident-response-lessons-from-the-allscripts-attack.html (last visited Aug. 15, 2020).
Written By: Mitchell J. Surface
Online Editor, American Journal of Trial Advocacy
Ransomware is the “fastest growing malware threat.”[1] In 2019, it generated $7.5 billion in attacks against businesses.[2] Ransomware “refers to a type of malware [malicious software] used by attackers that first encrypts files and then attempts to extort money in return for the [decryption] key to unlock the files by demanding a ‘ransom.’”[3] In addition, hackers use ransomware to destroy or exfiltrate[4] data as well as use it in conjunction with other malware.[5] This can cause devastating effects on a healthcare institution that does not have adequate disaster recovery and backup plans, which is often the case.[6] As such, this leaves the business no other option than to pay the ransom. The ransoms are paid using bitcoins, which are an “unregulated cryptocurrency” that is irreversible and keeps the identity of hackers anonymous.[7] According to the United States Health and Human Services, “on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015).”[8] However, there are effective prevention and response actions that can help to significantly mitigate the risks associated with these attacks.[9]
In 2016, healthcare institutions began being primary targets for ransomware.[10] There are two reasons for this: (1) all electronic personal health information (“ePHI”)[11] and (2) “the security holes in information technology (IT) systems.”[12] In 2019, the healthcare industry saw a 350% increase in ransomware attacks on healthcare entities.[13] This includes the vulnerabilities that arise with confidential health information being stored on wireless mobile apps and connected medical devices.[14] Ransomware is a top cyber threat facing healthcare organizations as well as Business Associates (“BA”).[15] In 2016, researchers from the Poneman Institute found that “many healthcare organizations and their [BAs] are negligent in handling patient information.”[16] A significant percentage of this arises from external threats, but the study also found that internal threats, such as mistakes, are prevalent—finding that 36% of healthcare organizations and 55% of BAs fell victim to breaches as a result of unintentional employee action.[17] Many victims of ransomware admit their lack of vigilance in not investing in adequate technology, failing to hire enough skilled IT security staff, and simply not providing the organization with a sufficient security budget to curtail or minimize breaches.[18] Unfortunately, healthcare institutions are failing on all fronts when it comes to these attacks.
The exposure of a healthcare entity is exponential, especially when it comes to the integrity of patients’ medical records and medical technology.[19] A ransomware attack can cause a hospital and all of its facilities to cancel services including radiology, endocrinology, respiratory therapy, and others.[20] This can also result in transferring patients to hospitals thousands of miles away, depending on the size of the hospital and the capacities of nearby hospitals.[21] These types of attacks have been devastating to the medical community, “causing some to turn away patients and others to close their doors permanently.”[22] According to the American Medical Association, 72% of medical entities are smaller sized healthcare entities—with ten or fewer physicians—also making them most vulnerable because they “generally don’t have the resources for robust security tools and might not have dedicated cybersecurity specialists to monitor and patch their systems.”[23] When it comes to email security, “over 75% [of hospitals] do not use email scanning and filtering tools.”[24] Health practitioners and physicians alike are even less likely to use the most basic forms of email authentication that prevent suspicious emails.[25] Research by Corvus found that healthcare institutions using these services had a “33% reduction in the likelihood of a ransomware attack.”[26] The reason email security is so important in healthcare is because “91% of ransomware attacks are the result of phishing exploits . . .” through disguised emails.[27] Another issue surrounding hospitals is that they are six times more likely to host its server internally. This means that the responsibility of keeping up with the growing demand of ever-evolving threats is not transferred to a prepared third-party, but rather this responsibility is left solely to the healthcare entity itself.
There are “four risk categories associated with ransomware attacks: (1) medical malpractice, (2) data privacy, (3) reputation, and (4) cost and expenses issues.”[28] First, medical malpractice could result from a ransomware attack shutting down breathing machines or causing medication errors to patients. If patient care can be impacted or a patient is harmed as a result of an attack, the healthcare entity could be held responsible. The second threat is patient data privacy loss under the HIPAA Security Rule, which is discussed below. A proper contingency plan to rapidly respond to a breach is important to ensure the integrity and quality of the private patient data. Third, ransomware attacks heighten both the risk of loss as to a hospital’s reputation and its future business. A 2016 Poneman study found businesses victim to ransomware attacks averaged over $3 million in losses related to reputation loss and 24% of companies were concerned its reputation would diminish as a result of a ransomware attack.[29] The fourth and final risk, cost and expense losses, can be exponential—“[t]he average cost per record spent in the healthcare industry in 2014 was $355, which was a substantial amount for a large or small hospital to pay per record.”[30] Other costs may include paying $8 to $40 per person for credit monitoring of those patients who were affected.
A way for a healthcare entity to protect itself is by first conducting an annual audit of its cybersecurity risk management program.[31] Next, there must be behavioral-based safeguards in place that “assume the system will get infiltrated, no matter how much employee training the organization conducts and how many encrypting devices it installs.”[32] For example, one of the most prevalent phishing emails is one that will read, “Please confirm your password.”[33] In addition, all accounts within the healthcare organization should require multi-factor authentication to prevent passwords from being valid if compromised. In the event of a breach, the organization should have a point person and response team with clear-cut responsibilities for a rapid ransomware response. As ransomware becomes more sophisticated, it is imperative to respond efficiently and effectively.
Under HIPAA, a healthcare entity—i.e., a covered entity (“CE”) or BA—must implement “security measures that can help prevent the introduction of malware, including ransomware.”[34] Some of the required security measures may include the following: (1) identifying risks and putting procedures in place to mitigate those risks; (2) “implement procedures to guard against and detect malicious software . . .;” (3) training users on malicious software protection; and (4) “implementing access controls to limit access to [ePHI] to only those persons or software programs requiring access . . . .”[35] Under the Security Rule, healthcare entities shall conduct a risk analysis “of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the entities create, receive, maintain, or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level.”[36] Essentially, the Security Rule establishes only the floor for the security of ePHI and additional standards are strongly encouraged and looked at favorably in the event of a breach.
The direct result of ransomware is revoked access to data; thus, to prevent this violation, there must be an adequate contingency plan, which, among other things, puts backups in place that are not connected to the compromised network. “[M]any studies have suggested a 3-2-1 approach to backup: have at least 3 copies of the data, utilize two different media formats, and have one of the copies be offsite.” [37] However, there are issues with this approach. First, the physical offsite copy will never be fully up-to-date. Second, the hackers will eventually figure out how to hack the cloud and other media formats as well. While this approach has its potential flaws, the Security Rule requires procedures to at least try to mitigate against a breach. Thus, all healthcare entities must ensure that ePHI, its network, and all medical devices are protected on the front end through the use of encryption in accordance with HHS guidance and have an additional contingency plan to deal with a breach in the event it occurs, or, more appropriately, when a breach occurs.
There are more ransomware attacks each year that cost the U.S. healthcare system millions of dollars. Therefore, healthcare entities must be proactive in developing an adequately encrypted network as well as a contingency plan. This proactivity will not only decrease the cost of a breach, but it will also mitigate liability under the HIPAA Security Rules. Most importantly, these precautions will protect and save innocent lives.
[1] U.S. Dept. of Justice, How to Protect Your Networks from Ransomware, at 2, U.S. Gov’t Interagency Guidance Document, https://www.justice.gov/criminal-ccips/file/872771/download.
[2] Patrick Howell O’Neill, Ransomware may have cost the US more than $7.5 billion in 2019, MIT Technology Review, (Jan. 2, 2020), https://www.technologyreview.com/2020/01/02/131035/ransomware-may-have-cost-the-us-more-than-75-billion-in-2019/.
[3] David P. Paul et al., Healthcare Facilities: Another Target for Ransomware Attacks. Presented at the 54th Annual MBAA Conference, Marshall University, (April 2018), https://mds.marshall.edu/cgi/viewcontent.cgi?article=1194&context=mgmt_faculty. See also Connor McLarren, Once More Unto the Breach: How the Growing Threat of Ransomware Affects Hipaa Compliance for Covered Entities, 15 Ind. Health L. Rev. 305, 306 (2018) (Westlaw) (“[Ransomware in the healthcare field is defined as] malware that is designed to lock hospitals out of their patient records while the responsible party issues a ransom to the hospital with a simple ultimatum: pay up or permanently lose access to all of its patient information”).
[4] Nat’l Institute of Standards and Technology, Security and Privacy Controls for Federal Information Systems and Organizations, U.S. Dept. of Commerce, NIST SP 800-53, Rev. 4, at B-7, (April 2013), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, (“[Exfiltration is t]he unauthorized transfer of information from an information system”).
[5] 2016 FACT SHEET: Ransomware and HIPAA, U.S. Dept. of Health and Human Services, https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
[6] Paul, supra note 3.
[7] Id.
[8] 2016 Fact Sheet, supra note 5.
[9] U.S. Dept. of Justice, supra note 1.
[10] Paul, supra note 3.
[11] Throughout this paper the following words will be used interchangeably to mean electronic personal health information (“ePHI”): PHI, health information, patient health information, patient information, health records, and medical records.
[12] Paul, supra note 3.
[13] Security Report: Health Care – Hospitals, Providers and more, Corvus Insurance, at 1, https://info.corvusinsurance.com/hubfs/Security%20Report%202.2%20-%20Health%20Care%20.pdf.
[14] Ponemon Institute, Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, at 2, Ponemon Institute Research Report, https://www.ponemon.org/local/upload/file/Sixth%20Annual%20Patient%20Privacy%20%26%20Data%20Security%20Report%20FINAL%206.pdf.
[15] Security Report, supra note 13(“The rise of ransomware has been the most significant trend in cybersecurity in [2019]”).
[16] Ponemon Institute, supra note 14.
[17] Id.
[18] Id.
[19] Security Report, supra note 13.
[20] Adam Janofsky, Smaller Medical Providers Get Burned by Ransomware, Wall St. J., (Oct. 2019), https://www.wsj.com/articles/smaller-medical-providers-get-burned-by-ransomware-11570366801.
[21] Id.
[22] Id.
[23] Id.
[24] Security Report, supra note 13, at 2.
[25] Id.
[26] Id.
[27] Id.
[28] Paul, supra note 3.
[29] Id.
[30] Id.
[31] Barry Mathis, What Health Care Response Teams Need to Know About Ransomware, ahla weekly, (Feb. 21, 2020), https://www.healthlawyers.org/News/Health Lawyers Weekly/Pages/2020/February 2020/February 21 2020/What-Health-Care-Response-Teams-Need-to-Know-About-Ransomware.aspx?utm_campaign=Weekly%20eNewsletters&utm_source=hs_automation&utm_medium=email&utm_content=83709655&_hsenc=p2ANqtz-_LNwYcL2RC-dfWYiSXV7Lt5U01foUKd4hT2BVJbGX5JG0Ahs58RtvxutOPHttR-jD_O–1ZTpbk3xUdWc1iRWcPUiv-A&_hsmi=83709655.
[32] Id.
[33] Id.
[34] 2016 Fact Sheet, supra note 5, at 2. See 45 C.F.R. § 164.308(a)(1)(ii)(A) (Risk analysis); 45 C.F.R. § 164.308(a)(1)(ii)(A) (Risk Management); 45 C.F.R. §164.308(a)(1)(ii)(D) (Information system activity review); 45 C.F.R. §164.308(a)(5) (Security awareness and training); 45 C.F.R. §164.308(a)(6) (Security incident procedures); 45 C.F.R. §164.308(a)(7) (Contingency plan); 45 C.F.R. § 164.312(a)(1) (Effective access controls); 45 C.F.R. § 164.306(e) (Technology maintenance).
[35] 2016 Fact Sheet, supra note 5, at 1-2.
[36] Id. at 2.
[37] Id.
American Journal of Trial Advocacy 