Rise of the Cyber Criminal in 2018: HIPAA Security Does Not Stop With Compliance

Reports of cyber attacks continue to be prevalent. However, healthcare providers may be unaware of a few important facts: 

1. Healthcare, as an industry, sees more data breaches than any other.¹
2. Criminal attacks are the leading cause of data breaches in healthcare. 
3. Data breaches in healthcare are consistently high in terms of volume, frequency, impact, and cost.²

Consider some high-profile cases in which cyber criminals have placed certain healthcare organizations in the news:

• Hollywood Presbyterian Medical Center in California was locked out of its own electronic health record (EHR) for one week and providers were forced to revert to pen and paper recordkeeping until the hospital finally was forced to pay a ransom set forth by hackers.
• Women’s Health Care Group of Pennsylvania, with 45 offices located throughout the state, notified its patients of a ransomware attack that affected approximately 300,000 people.  Hackers stole information such as names, addresses, date of birth, Social Security numbers, lab tests ordered and lab results, telephone numbers, gender identification, pregnancy status, medical record numbers, blood type records, race identification, employer information, insurance information, diagnosis status, and physicians’ names.³ While the breach was discovered this past May, company officials noted that the breach may have begun perhaps as early as January.
• Greenway Health, an EHR vendor based in Carrollton, GA, also experienced a ransomware attack impacting the records of 400 client organizations that were forced to revert to manual processing of health records while they worked to restore access to cloud-hosted systems.  

These are but a few examples of the growing threat to healthcare practices, including to wound care professionals. This article will explore the current cyber threat landscape and discuss ways in which providers can better address HIPAA compliance and protect their practices from cyber intrusions. 

DEFINING RANSOMWARE

What is ransomware exactly? It is a type of malicious software that attempts to deny access to a user’s own data by encrypting the data while allowing the hacker to hold the decryption (ie, unlocking) key until a ransom is paid. Users who are victims of this type of cyber attack will typically encounter a screen that gives them instructions on paying a ransom to retrieve their own data, often in a “cryptocurrency,” such as Bitcoin, that is not trackable. This method is uncomfortably common in healthcare settings: In one study by HIMSS (Healthcare Information and Management Systems Society), more than half of the hospital officials surveyed were hit with ransomware in the previous 12 months. Even more disturbing was that 25% of people reported they were unsure of whether they had been hit or did not even have the capability to find out.⁴ Another study found 70% of organizations said they had been victims of a cyber attack⁵ (and only 22% had prepared a plan for dealing with cyber attacks⁶).Further, it should be noted that a ransomware attack may go unnoticed for a period of time and may include the injection of other malicious software, such as a keystroke logger — the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that his/her actions are being monitored. This is why the U.S Department of Health & Human Services (HHS) claims a ransomware attack, the most prevalent type of cyber attack, is considered a breach under HIPAA regulations. Ransomware attacks may also trigger state-respective breach notification laws.  

So, what can healthcare providers do to protect themselves and their patients? HIPAA compliance can go a long way in helping protect (ie, fight) against ransomware and other threats to protected health information (PHI). Some HIPAA requirements that can specifically assist in thwarting cyber attacks include:

1. Install Anti-Malicious Software Updates and Security Patches Regularly [45 Code of Federal Regulations (CFR) 164.308(a)(5)(ii)]: Antivirus software and software firewalls (and all software) should be installed, with regular patching and blocking occurring. Default logins and passwords should be removed from one’s information technology system, unnecessary services should be disabled, and ownership permissions should be set. For larger organizations, network vulnerability scans on systems containing or accessing electronic PHI (ePHI) should occur and intrusion-detection software should be considered.
2. Perform (and Re-perform) the Security Risk Assessment (SRA [45 CFR 164.308(a)(1)(ii)(A)]): All covered entities (CEs) and their business associates are required to conduct an accurate, thorough SRA,⁷ wherein potential risks to the confidentiality, integrity, and availability to ePHI are evaluated, as set forth by HIPAA’s security regulations. HIPAA policies and procedures are then crafted with specific risks and vulnerabilities in mind so that the CE can best protect data. HHS provides tools for the SRA, and it is recommended that the SRA be done according to standards set forth by the National Institute for Standards and Technology.⁸ The SRA should be done at least annually, and updated whenever a breach occurs.   
3. Implement a Remediation Plan [45 CFR 164.308(a)(1)(ii)(B)]: The remediation plan grows out of the SRA and identifies the highest-risk items in one’s organization. Set deadlines to complete these items and assign individuals, as necessary, to ensure tasks are completed.  
4. Save Security Incident Response and Reporting [45 CFR 164.308(a)(6)(ii)]. What is the CE’s course of action and plan to mitigate the damage of a cyber attack? For ransomware, it is recommended that the CE immediately disconnect Wi-Fi and unplug the affected computer from the network. Be sure to document any responses to any security incidents.
5. Have a Workable Contingency Plan [45 CFR 164.308(a)(7)(i)] in place to respond to the emergency of ransomware: This typically will mean having a way to operate via a backup system or using paper records while the EHR system is restored.
6. Have a Data Backup Plan [45 CFR 164.308(a)(7)(ii)(A)]: Be sure to back up the system with sufficient redundancies (ie, so that the CE has sufficient backups to find a “clean” backup that will not be infected by the ransomware, so that the CE can create retrievable, exact copies of ePHI in the event of an emergency, such as a ransomware attack.) Backups should be kept off premises (or be cloud-based). Know the critical data that will need to be restored quickly to remain operational.
7. Test and Revise Procedures [45 CFR 164.308(a)(7)(ii)(D)]: Be sure to test any revision procedures to understand how they work. Each workforce member should understand his/her role in the plan in the event that one’s system goes down. Policies and procedures should be revised as needed.
8. Provide Workforce With Security Awareness Training [45 CFR 164.308(a)(5)]: Ransomware threat vectors exploit the human element — every practice needs a training program that ensures everyone with access to ePHI is trained in ways to reduce the risk of improper access, use, and disclosure of ePHI. This includes information on various forms of phishing and other cyber risks that may be encountered. Most ransomware gets installed by an unsuspected user clicking on phishing bait in an email. (Be sure to keep training logs and materials for the required six years). Members of the workforce should know what to do if a malicious event occurs.
9. Manage Passwords [45 CFR 164.308(a)(5)(ii)(D)]: Be sure that staff members are not sharing passwords and have policies and procedures in place for creating, changing, and safeguarding passwords. Users should know how to create and safeguard a secure password. Password sharing, writing down of passwords, and passwords that could be easily known to others should be prohibited. 

The good news is that the guidelines mentioned within this article should already be part of an existing HIPAA compliance plan. The challenge is that threats can change, and it is important to regularly update the SRA to reflect attention to these threats. A noticeable pattern of fines levied for HIPAA violations by the HHS’ Office for Civil Rights has occurred. The pattern is that if the CE is HIPAA compliant, then fines are not imposed (or are relatively small). However, if the CE ignores the regulations, “willful neglect” is assumed and brings with it mandatory, higher fines. Those who have chosen to ignore HIPAA pay dearly. The threat landscape to ePHI will continue to evolve: having strong HIPAA compliance will go a long way in protecting both the CE and the patients from lurking cyber criminals. 

Roger Shindell is chief executive officer of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. He is also chairman of the HIMSS Risk Assessment Work Group and is a member of AHIMA’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindell@carosh.com. Lorna L. Hecker is executive vice president and director of education and training at Carosh. She also runs the company’s professional practice in behavioral health and holds CHPS certification (certified in healthcare privacy and security) through the American Health Information Management Association. A frequent speaker on HIPAA topics unique to behavioral health practices, she is professor emerita of behavioral sciences at Purdue University Northwest, where she sat on the faculty of the marriage and family therapy master’s program. The author and/or editor of multiple mental health-related books, her most recent publication is HIPAA Demystified:  HIPAA Compliance for Mental Health Professionals (Loger Press).

References

1. von Ogden J. Five Industries in Greatest Danger of Data Breach. 2017. Accessed online: www.cimcor.com/blog/five-industries-in-greatest-danger-of-a-data-breach 

2. Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. Ponemon Institute. 2016.  Accessed online: www.ponemon.org/blog/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data-1

3. Notice of Security Breach Incident. Women’s Health Care Group of Pennsylvania. 2017. Accessed online: www.whcgpa.com/notice-of-security-breach-incident.html

4. Sullivan T.  More Than Half of Hospitals Hit With Ransomware in Last 12 Months. HealthcareITNews. 2016. Accessed online: www.healthcareitnews.com/news/more-half-hospitals-hit-ransomware-last-12-months  

5. Laberis B. 20 Eye-Opening Cybercrime Statistics. SecurityIntelligence. 2016. Accessed online: https://securityintelligence.com/20-eye-opening-cybercrime-statistics

6. Healthcare Industry Accounts for 88% of Ransomware Attacks. HIPAA Journal. 2016. Accessed online: www.hipaajournal.com/healthcare-industry-accounts-88-ransomware-attacks-3519

7. Shindell R, Hecker LL. HIPAA privacy & security: conducting your HIPAA-required security risk assessment. TWC. 2017;11(11):25-6.

8. Joint Task Force Transformation Initiative. Guide for Conducting Risk Assessments. CSRS. 2012. Accessed online: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final