Your Files Have Been Encrypted: The Growing Threat of Ransomware

Recently, the popular TV show Grey’s Anatomy aired an episode where the hospital’s electronic health record was overtaken by ransomware. Patient health was jeopardized when providers could not access patients’ health information, and the facility stood in turmoil as hackers tried to exploit administration for a hefty ransom. Unfortunately, this was not just a Hollywood depiction; these events are happening daily as ransomware has been weaponized, and healthcare has become a very lucrative target for criminals. One of the first ransomware attacks actually occurred at Hollywood Presbyterian Medical Center in Los Angeles, which caused the hospital to remain offline for more than one week until officials caved to the ransom demands and paid the equivalent of $17,000 in Bitcoin.¹ Here’s a list of additional recent ransomware attacks in the United States: 

• Mount Pleasant, TX - Titus Regional Medical Center
• Hollywood, CA - Presbyterian Medical Center
• Los Angeles, CA - Los Angeles County Health Department
• Henderson, KY - Methodist Hospital Henderson County Campus
• Auburn, IN - DeKalb Health
• Wichita, KA - Kansas Heart Hospital
• Reston, VA - Professional Dermatology Care
• Los Angeles, CA - Keck Medicine of USC (University of Southern California)
• Greenbrae, CA - Marin Healthcare District; Prima Medical Group
• Washington, DC - MedStar Health

This is just a sampling of those who are facing threats. Recent ransomware has also included CryptoLocker, which targeted Microsoft Windows;² Locky, a Microsoft Word document sent via email;³
Cryptowall, which made its way through email, online advertising, and other malware;⁴ and Petya, a family of encrypting ransomware that targets Microsoft Windows-based systems.⁵ If you’re wondering what puts a particular practice at risk, unfortunately the biggest culprit is vulnerable employees who mistakenly install corrupt programs through “social engineering” (ie, spam, phishing, and baiting devices) utilized by criminals who trick members of one’s workforce into giving them access to data. About two-thirds of malware is installed via email attachment (ie, phishing).⁶ In its 2017 Data Vulnerability Report, INTERMEDIA surveyed 1,000 information technology (IT) employees and found that 25% of them admitted to being fooled by a phishing scam, that 31% were not familiar with ransomware, and that 30% of these office workers said they did not receive regular training on how to deal with cyber threats.⁷ 

TAKING ACTION AGAINST ATTACKS

Many of the precautions that healthcare providers can take for the protection of their businesses can be accomplished through regular HIPAA compliance activity. Let’s review what can be done to help thwart ransomware and other cyber crimes:  

1. Monitoring of privileged-user accounts. Privileged users are those individuals who have administrative access to critical systems. These credentials are the “holy grail” for hackers, as once they get access to these credentials they can control an entire system and have the ability to change system configurations, access secure data, and change user accounts. It is easier said than done due to the nature of one’s business, but administrators will want to limit privileged access to those who really need that access. 
2. “Patching” operating system, software, and firmware on digital devices. HIPAA requires installation of antimalicious software and security patches⁸ [45 Code of Federal Regulations (CFR) 164.308(a)(5)(ii)].⁹ Default logins and passwords should be removed from all IT systems, unnecessary services should be disabled, and ownership permissions should be set for all systems/devices. Larger organizations will want to conduct network-vulnerability scans on systems containing or accessing electronic protected health information (ePHI). Additionally, organizations should consider intrusion-detection software based on any risk/cost analysis for the size of the company. A centralized patch-management system should also be considered, and administrators will want to ensure that any antivirus and antimalware solution systems are set to update automatically.
3. Configuring access controls. HIPAA requires organizations to have specific access controls in place [45 CFR 164.312(a)(1)],¹⁰ including unique user identification and electronic procedures to terminate an electronic session after a predetermined amount of activity.  All file-, directory-, and network-sharing permissions should be configured appropriately.  
4. Maintaining a “clean” backup system. All data should be backed up regularly, and the integrity of backups should be verified regularly. As such, a “clean” backup minimizes the chances of data being infected by a ransomware attack, should one occur. Remember that ransomware and other malware can infect any system and remain dormant for months.¹¹ Backups should be kept off premises or be cloud-based. Again, having a backup system is a HIPAA requirement.⁹ Organizations will want to have a plan for critical data to be restorable quickly so that system operations are not impacted. Additionally, backup systems should not be connected to computers and networks that are being backed up so that contamination does not occur.  
5. Disabling “macros” from files transmitted over email. Macros are small programs within Microsoft Office that allow automation of repetitive tasks. According to the 2017 Internet Security Threat Report by Symantec,¹² Office macros have reemerged as a cyber threat. Office 2016 offers a feature that allows for the blocking of macros in high-risk situations. Another option is using Office Viewer software to open Office files transmitted via email, instead of using full Office suite applications.¹³
6. Training workforce on cyber security threats. HIPAA already requires this step as well [45 CFR 164.308(a)(5)]⁹ to reduce the risk of improper access, use, and disclosure of ePHI.  Employees (and management and volunteers) must be made aware of their critical roles in protecting an organization’s data. Additionally, all members of the workforce should know what to do if a ransomware attack occurs, and this instruction should be part of one’s HIPAA-required contingency plan.⁹ Employees should be taught to turn off their computers, disconnect from the network, remove any connected storage devices, and report the incident immediately.  

CONCLUSION

Ransomware will likely be a reportable breach under HIPAA. Healthcare organizations must be sure to keep their training materials and logs for HIPAA requirements for the previous six years.  Any response(s) to cyber threats should be part of the HIPAA-required contingency plan⁹ and plans for security incident response and reporting.⁹ The good news through all of this information is that solid HIPAA compliance goes a long way in combating cyber threats. A rigorous compliance program will include reviewing of threats and ensuring that the workforce is trained to combat them. It is recommended that all covered entities complete (and update annually) their security risk assessment and have an audit and monitoring program to review threats and vulnerabilities to ePHI. The monitoring of training and ensuring that the workforce is trained on HIPAA policies and procedures will allow for “good cyber hygiene,” should the dreaded ransomware message be received. 

Lorna L. Hecker is executive vice president and director of education and training at Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small-to-midsize practices and their business associates. She also runs the company’s professional practice in behavioral health and holds CHPS certification (certified in healthcare privacy and security) through the American Health Information Management Association. A frequent speaker on HIPAA topics unique to behavioral health practices, she is professor emerita of behavioral sciences at Purdue University Northwest, where she sat on the faculty of the marriage and family therapy master’s program. The author and/or editor of multiple mental health-related books, her most recent publication is HIPAA Demystified:  HIPAA Compliance for Mental Health Professionals (Loger Press). Roger Shindell is chief executive officer of Carosh. He is also chairman of the HIMSS Risk Assessment Work Group and is a member of AHIMA’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindell@carosh.com. 

References

1. Winton R.  Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating. Los Angeles Times. Accessed online: www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

2. Goodin D. You’re infected — if you want to see your data again, pay us $300 in Bitcoins. arsTECHNICA.2013. Accessed online: https://arstechnica.com/information-technology/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins

3. Gallagher S. “Locky” crypto-ransomware rides in on malicious Word document macro. arsTECHNICA. 2016. Accessed online: https://arstechnica.com/information-technology/2016/02/locky-crypto-ransomware-rides-in-on-malicious-word-document-macro

4. Pauli D. Cryptowall 4.0: update makes world's worst ransomware worse still. The Register. 2015. Accessed online: www.theregister.co.uk/2015/11/09/cryptowall_40

5. Trafimchuk A. Decrypting the petya ransomware. Check Point. 2011. Accessed online: https://blog.checkpoint.com/2016/04/11/decrypting-the-petya-ransomware

6. 2017 Data Breach Investigations Report. Verizon. 2017. Accessed online: www.verizonenterprise.com/verizon-insights-lab/dbir/2017

7. What’s the biggest detriment to your organization’s data? INTERMEDIA. 2017. Accessed online: www.intermedia.net/report/datavulnerability2017

8. Patch and update computer software or face a HIPAA sanction. HIPAA Journal. 2014. Accessed online: www.hipaajournal.com/patch-update-computer-software-face-hipaa-sanction

9. 45 CFR 164.308 - Administrative safeguards. Legal Information Institute. Accessed online: www.law.cornell.edu/cfr/text/45/164.308

10. 45 CFR 164.312 - Technical safeguards. Legal Information Institute. Accessed online: www.law.cornell.edu/cfr/text/45/164.312

11. Ponemon institute releases new study on the efforts of retail companies and financial services to improve the time to detect and contain advanced threats. Ponemon Institute. 2015. Accessed online: www.ponemon.org/blog/ponemon-institute-releases-new-study-on-the-efforts-of-retail-companies-and-financial-services-to-improve-the-time-to-detect-and

12. Internet Security Threat Report Volume 22. Symantec. 2017. Accessed online: www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf

13. How to protect your networks from ransomware. U.S. Department of Justice. Accessed online: www.justice.gov/criminal-ccips/file/872771/download