Ransomware skyrocketed in 2016, with the FBI reporting an average of 4,000 ransomware attacks per day — a 300-percent increase since 2015. This has been especially bad news for healthcare organizations, which have been hit hard by this type of cyberattack that works quickly to encrypt files and then holds them hostage until a ransom is paid.
In February, one of the first widely reported hospital ransomware attacks targeted Hollywood Presbyterian Medical Center in California, forcing the hospital to pay roughly $17,000 in ransom and resort to pen-and-paper record keeping until their files could be restored. Since then, numerous hospitals and healthcare organizations around the country have faced similar attacks. For example, MedStar Health, which operates 10 facilities in the Baltimore-Washington region, was hit with ransomware, but it was able to recover without paying the ransom because it had backups in place for the encrypted information.
Targeting hospitals has been lucrative for the cybercriminals behind these attacks. In a recent article, security expert Brian Krebs highlighted the impact ransomware has had on the healthcare field: “According to a new report by Intel Security, the healthcare sector is experiencing over 20 data loss incidents per day related to ransomware attacks. The company said it identified almost $100,000 in payments from hospital ransomware victims to specific bitcoin accounts so far in 2016.”
In fact, a recent study shows that healthcare providers are 450 percent more likely to be hit by the type of ransomware known as CryptoWall than companies in other industries. According to the Ponemon Institute, ransomware, malware, and denial-of-service attacks are the top three cyber threats facing healthcare organizations in 2016, and criminal attacks are the leading cause of healthcare data breaches for the second year in a row.
Government gets serious about ransomware
Government authorities have started to respond to this growing trend. In March, the FBI issued a flash advisory about the MSIL/Samas.A strain of ransomware that was encrypting entire networks and seemed to be targeting healthcare organizations in particular. Then in July, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights released new HIPAA guidance on ransomware to help healthcare organizations understand and respond to this type of threat.
“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware,” Jocelyn Samuels, the director of the HHS Office for Civil Rights, wrote in a blog post about the new guidance.
New HIPAA guidance
One of the most important highlights from the new HHS fact sheet on ransomware and HIPAA is that a ransomware infection counts as a HIPAA breach.
The new guidance explains it this way: “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
This means that when a ransomware attack occurs, the affected organization will need to meet HIPAA’s breach notification requirements, which in most cases include filing a breach incident form with the HHS and notifying affected individuals — as well as the media if the breach affects more than 500 people.
One of our MSP partners strongly believes that customers need to have appropriate security and backup in place to protect against ransomware. In fact, any customer who declines this protection is asked to sign the quote as “declined,” and the MSP then keeps it on file in case something happens down the road.
How HIPAA compliance can help
The HIPAA ransomware fact sheet also outlines several ways the HIPAA Security Rule can help healthcare organizations prevent ransomware infections. These requirements include:
- Having a security management process in place that includes doing risk analysis to identify threats and putting security measures in place to mitigate those risks
- Following procedures to protect against and detect malware
- Training users on best practices for avoiding malware, as well as how to recognize and report it
- Using access controls to limit access to electronic protected health information
- Implementing an overall contingency plan that includes data backup, disaster recovery, and emergency operations planning
- Conducting regular testing of contingency plans
- Having security incident procedures in place covering how to respond to and report security incidents like a ransomware attack
Education and prevention
All of these best practices are critical components of protecting SMB customers from the growing threat of ransomware, whether your MSP works with healthcare customers or not. Education is especially important. Unlike other types of cyberattacks that look for system or network vulnerabilities, ransomware preys on people who are uninformed and unaware.
A number of factors make hospitals and other healthcare organizations attractive targets for ransomware attacks:
- Many are supporting older equipment that often runs on outdated operating systems
- The critical and timely nature of the information they need to access to care for patients
“If you have patients, you are going to panic way quicker than if you are selling sheet metal,” Stu Sjouwerman, CEO of the security firm KnowBe4, said in an interview with Wired. He explained that another reason hospitals are a good target is that they focus more on training employees on HIPAA compliance for protecting patient privacy than on cybersecurity awareness.
So, the best thing you can do for your healthcare customers is make sure their employees know how to protect themselves from a ransomware attack by following cybersecurity best practices. The fact that security is now an important part of maintaining HIPAA compliance should be a good motivator for any customers that are reluctant to make it a priority.