Ransomware & HIPAA: Detailed Q&A

We've received numerous questions about how ransomware threats affect HIPAA compliance, so I decided to answer them all here in a single Q&A post. Let's dive in.

Q1: I’ve been hearing a lot about ransomware attacks in healthcare. It seems to be all over the news, all the time. And I heard that the Office for Civil Rights just published guidance on ransomware, too. So what is a ransomware attack?

Ransomware attacks are a form of attack in which malicious code is inserted into an organization's network. The code then makes changes that deny access to the organization’s data. In most schemes, the data is held hostage until a ransom is paid. Ransomware attacks differ from old-fashioned data theft schemes in that they can severely hamper an organization's operational capabilities. In one recent attack, Medstar Health in Maryland had to turn away patients because the attack crippled their ability to operate.

Q2: Who has been attacked?

The first high-profile attack happened in February at Hollywood Presbyterian Hospital. Hollywood Presbyterian lost access to its network for 10 days and, in the end, decided to pay 40 bitcoin (about $17,000) to have its data released to restore operations.

In addition to the Medstar attack, ransomware attacks have been reported in the past few months at:

  • Kings’ Daughter Health System in Indiana
  • Methodist Hospital in Henderson, Kentucky
  • Regional Medical Center in Mount Pleasant, Texas

In addition, three hospitals in Southern California owned or managed by Prime Healthcare Management, Inc. have reported attacks:

  • Chino Valley Medical Center
  • Desert Valley Hospital
  • Alvarado Hospital Medical Center

Ransomware attacks are also occurring in physician and dental practices across the country.

Q3: How are these attacks “delivered”?

In information security, the method by which a security threat is delivered is called the “threat vector.” There are three primary threat vectors for ransomware, used alone or in combination:

  1. Exploit Kits – software that exploits known vulnerabilities in systems. This could include unpatched software such as Adobe Reader, out-of-date operating systems like Windows XP, or default open ports on computers running particular software, such as port 3389 on Windows computers used for Remote Desktop Protocol.
  2. Malvertising – the use of malicious website advertising such as banner ads to inject malware onto a computer. These attacks can be especially insidious because the ads may be present on perfectly legitimate websites.
  3. Phishing – the use of a bogus website or email, made to look authentic, to compromise sensitive information or security. With ransomware, the email or website injects malicious code onto the user's computer through infected hyperlinks. Spear-phishing, a variant of a phishing email attack, is more targeted and might include specifics that make an email seem more genuine, such as a reference to a company picnic or other details a hacker might find on social media sites.

Q4: What happens once malicious code has made its way into the computer? 

Typically, the malware scans file extensions and programs to identify specific data. Certain files and programs are ignored, such as Windows system files, which are needed to operate the computer. Other files, based on file type and location, are encrypted. After the files have been encrypted, the software typically leaves a notification for the user with instructions on how to pay the ransom. Here is an example of the notification left by Locky, a very successful ransomware family.

[Image: example Locky ransom notification]
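The file-level behaviour just described (many files rewritten with a new extension in a short burst, then a ransom note dropped) is what a defender can watch for. The following Python detector is an added example, not part of the original post; the event format, the thresholds, the note-name pattern and the sample events (including the .locky extension) are constructed assumptions.

```python
"""Detect ransomware-like file activity in a stream of file-system events."""
from collections import defaultdict
import os
import re

# Constructed sample events in an assumed format:
# "<epoch_seconds> <user> RENAME <old> -> <new>" or "<epoch_seconds> <user> CREATE <path>".
SAMPLE_EVENTS = """\
1461600001 alice RENAME /share/billing/q1.xlsx -> /share/billing/q1.xlsx.locky
1461600001 alice RENAME /share/billing/q2.xlsx -> /share/billing/q2.xlsx.locky
1461600002 alice RENAME /share/records/p1.pdf -> /share/records/p1.pdf.locky
1461600002 alice RENAME /share/records/p2.pdf -> /share/records/p2.pdf.locky
1461600003 alice RENAME /share/records/p3.docx -> /share/records/p3.docx.locky
1461600003 alice CREATE /share/records/_HELP_instructions.txt
1461600050 bob RENAME /home/bob/draft.docx -> /home/bob/final.docx
"""

WINDOW_SECONDS = 10       # assumption: burst window for one user
RENAME_THRESHOLD = 5      # assumption: extension-changing renames per window
NOTE_PATTERN = re.compile(r"(help|recover|decrypt|restore).*\.(txt|html?)$", re.I)
RENAME_RE = re.compile(r"^(\d+) (\S+) RENAME (\S+) -> (\S+)$")
CREATE_RE = re.compile(r"^(\d+) (\S+) CREATE (\S+)$")

def extension_changed(old, new):
    """True when the rename adds or swaps the file extension (e.g. .xlsx -> .locky)."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()

def detect(events_text):
    """Return alert strings for rename bursts and ransom-note-like file creations."""
    recent = defaultdict(list)   # user -> timestamps of extension-changing renames
    alerts = []
    for line in events_text.splitlines():
        m = RENAME_RE.match(line)
        if m:
            ts, user, old, new = int(m[1]), m[2], m[3], m[4]
            if extension_changed(old, new):
                times = recent[user]
                times.append(ts)
                while times and ts - times[0] > WINDOW_SECONDS:   # slide the window
                    times.pop(0)
                if len(times) >= RENAME_THRESHOLD:
                    alerts.append(f"{user}: {len(times)} extension-changing renames in {WINDOW_SECONDS}s")
                    times.clear()   # one alert per burst
            continue
        m = CREATE_RE.match(line)
        if m and NOTE_PATTERN.search(os.path.basename(m[3])):
            alerts.append(f"{m[2]}: ransom-note-like file created: {m[3]}")
    return alerts
```

Ordinary renames that keep the extension (bob's draft.docx to final.docx) are not counted, so normal editing does not trip the threshold.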

Q5: What can I do to prevent an attack? What can healthcare organizations do?

Implement an effective data backup and disaster recovery plan. In fact, the HIPAA Rules require you to have these in place under the contingency plan standard, §164.308(a)(7)(i). The data backup and disaster recovery plan should ensure that:

  • All important and sensitive data is located, identified and backed up.
  • The frequency of the backup (mirrored or clustered, hourly, daily, etc.) is sufficient for the organization, and the plan states whether backups are full or incremental.
  • Recovery time objectives (the amount of time required to recover from backup) are defined, sufficient and realistic given available resources. Everything is written down and documented so it is easy to reproduce and follow.
  • The procedure logically and physically separates and isolates the backup data from the operational network.[i]
  • Procedures isolate and eliminate any malware that may exist on backups before they are restored, and those procedures are accessible from a location unaffected by an attack.
  • They are tested periodically with clearly defined procedures.
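One concrete way to exercise the last three points (isolated backups, checking them for tampering before restoring, and testing periodically) is to verify the backup set against a manifest of hashes written at backup time. The Python below is an added example, not from the original post; the manifest format, the entropy threshold and the constructed backup directory are assumptions. A file that no longer matches its hash and whose bytes look random is flagged as encrypted-looking, the situation footnote [i] describes.

```python
"""Verify an isolated backup set against its manifest before restoring from it."""
import hashlib
import math
import os
import tempfile
from collections import Counter

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def shannon_entropy(data):
    """Bits per byte: text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def verify_backup(backup_dir, manifest_text, entropy_limit=7.5):
    """Manifest lines are '<sha256> <relative path>' (assumed format written at backup time)."""
    report = {"missing": [], "modified": [], "suspicious": []}
    for line in manifest_text.splitlines():
        expected, rel = line.split(maxsplit=1)
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["modified"].append(rel)
            with open(path, "rb") as f:           # sample the head for entropy
                if shannon_entropy(f.read(4096)) > entropy_limit:
                    report["suspicious"].append(rel)
    return report

def demo():
    """Constructed backup set: one intact file, one overwritten with random bytes, one missing."""
    d = tempfile.mkdtemp()
    files = {"records/p1.txt": b"Patient summary " * 64, "billing/q1.csv": b"id,amount\n1,20\n" * 64}
    manifest = []
    for rel, content in files.items():
        os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
        with open(os.path.join(d, rel), "wb") as f:
            f.write(content)
        manifest.append(f"{hashlib.sha256(content).hexdigest()} {rel}")
    manifest.append(f"{'0' * 64} records/p2.txt")            # listed, never written
    with open(os.path.join(d, "billing/q1.csv"), "wb") as f:  # simulate malware encrypting a backup
        f.write(os.urandom(4096))
    return verify_backup(d, "\n".join(manifest))
```

Run `demo()` as a periodic restore test; a non-empty "missing" or "suspicious" list means the backup cannot be trusted as the recovery path.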

Q6: What are my options if I am targeted for a ransomware attack and my system is inaccessible? 

You have three options: 

  1. You can restore your systems from your backup using your disaster recovery procedures (see above). 
  2. You can pay the ransom and have your data released back to you. 
  3. Accept the loss of your data and start over. For health care organizations, this would rarely, if ever, be an option. The HIPAA Security Rule requires you to protect and ensure the “availability” of PHI.

Q7: Given the availability of these three options along with the HIPAA requirement for a Disaster Recovery plan, what can we surmise about organizations, such as Hollywood Presbyterian, that had to opt for option #2 above? 

That their backup and recovery plans and procedures were unfortunately insufficient or non-existent. 

Q8: Is there any concern that the hackers won’t release my data if I pay a ransom? 

Sure, but it’s an unlikely scenario. Criminal organizations rely on reputation just like legitimate companies do.[ii] If a criminal enterprise gains a poor reputation for not unlocking data, “customers,” i.e. victims, will refuse to pay. Surprisingly, these organizations have back-office functions that look like normal service businesses, with customer service representatives, technical support, etc. For an interesting look at the ransomware business, listen to this Radiolab podcast from last year.

Q9: Is there reason to believe that hackers are intentionally targeting healthcare organizations? 

Yes, absolutely. Healthcare organizations are perfect targets. Healthcare organizations, especially hospitals, are extremely dependent on their information systems to take care of patients. In addition, restoring systems from backups (if the procedures are insufficient) may take more time than many hospitals are willing to take. Other businesses might be able or willing to wait longer or even start over rather than giving in to an extortion racket. 

Q10: Who is behind these attacks?

Mostly Eastern European criminal enterprises. Although there is no way to verify it, a Turkish hacking group claimed responsibility for the Hollywood Presbyterian hack and declared their motive to be both protest and profit. In a post on Pastebin entitled “We pwned Hollywood hospital,”[iii] the group (confusingly) wrote:

“So thanks to feebleness of weak-wiled Americans We became richer and earned $17k! If you read this message you must understand that Turkey is the great cyber-power whose might you have witnessed! If Washington keeps on supporting Kurdish terrorists Turkish hackers will become richer!” 

Q11: What can we do to help prevent these attacks? 

Here are some common-sense guidelines to follow: 

  • See backup guidance above. 
  • Conduct a risk analysis and penetration test of your organization's security. It’s a HIPAA requirement. Determining the risks that may exist on your network is an essential component of meeting that requirement. Click here for a more thorough Q&A on Penetration Testing and Vulnerability scanning.
  • Use a good email filtering program[iv] or configure your email server, usually Microsoft Exchange, with policies that filter and block certain potentially dangerous file types such as .exe, .swf and others. You can find a good list of file types to avoid here.
  • Use a good web-content filter to detect and block access to malicious websites.[v] For enterprises, the solution may be as simple as purchasing or upgrading your routers and subscribing to a web-blocking service.
  • Follow guidelines for hardening[vi] the perimeter of your network. Most network infrastructure manufacturers have published guidelines and procedures for configuring hardware to maximize security consistent with the needs of the organization. In addition, NIST maintains a library of recommended configuration settings or checklists for many systems.
  • Keep your computers and software patched. Malware tends to attack outdated versions of software, as they’re the easiest to exploit.
  • If you use Active Directory, use group policies to limit employees’ ability to download and run applications. If at all possible, downgrade users to “standard” as opposed to “local administrators” and set group policies to limit the potentially dangerous activities that are allowed.
  • Lastly, train your employees to recognize malicious or suspicious software and emails. General training is fine, but focused training around this type of threat, such as that provided by KnowBe4, can be extremely beneficial.
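The attachment-type policy in the list above is worth pairing with a content check: a block list on extension stops "invoice.exe" but not an executable renamed to "invoice.pdf", and executables are often shipped inside a .zip. The Python screener below is an added example, not code from the original post or any product named in it; the block list, the signature table and the constructed attachments are assumptions to tune for your environment.

```python
"""Screen e-mail attachments by extension and by file signature (magic bytes)."""
import io
import os
import zipfile

# Assumptions: an illustrative block list and a few well-known signatures.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".swf", ".js", ".vbs", ".bat"}
SIGNATURES = {
    b"MZ": "windows executable",       # PE files start with the MZ header
    b"FWS": "flash (swf)", b"CWS": "flash (swf)", b"ZWS": "flash (swf)",
}

def classify(filename, data):
    """Return a reason to block the attachment, or None if it passes the checks."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    for magic, kind in SIGNATURES.items():      # catches renamed binaries, e.g. invoice.pdf
        if data.startswith(magic):
            return f"content is a {kind} despite extension {ext or '(none)'}"
    if data.startswith(b"PK\x03\x04"):          # zip container (also .docx/.xlsx): check members
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    reason = classify(name, zf.read(name))
                    if reason:
                        return f"archive member {name}: {reason}"
        except zipfile.BadZipFile:
            return "unreadable zip container"
    return None

def screen_attachments(attachments):
    """attachments: list of (filename, bytes). Returns {filename: reason} for blocked ones."""
    blocked = {}
    for name, data in attachments:
        reason = classify(name, data)
        if reason:
            blocked[name] = reason
    return blocked

def build_samples():
    """Constructed attachments: a renamed executable, a zipped screensaver, a harmless csv."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("update.scr", b"MZ" + b"\x00" * 32)
    return [
        ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 32),
        ("archive.zip", buf.getvalue()),
        ("report.csv", b"id,amount\n1,20\n"),
    ]
```

Office documents are zip containers too, so the member check lets a clean .docx through while still catching an executable hidden inside an archive.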

Here are a couple of other resources I recommend: 

  • This document is a straightforward guide to this new world of ransomware that explains the threat in a clear and comprehensive way and also recommends some steps you can take to keep from becoming a victim. It even includes instructions on how to pay a hacker using Bitcoin if that is your only option. The checklists at the end are fantastic. 
  • This document from the security vendor Talos is a superb and even more in-depth and technical guide about the ransomware threat.

Q12: Should I panic yet? 

No, but a healthy concern is warranted. These attacks are going to become much more sophisticated over time and an increasing amount of vigilance is needed. I believe that hackers will begin to exploit weaknesses that they discover in healthcare specific applications, like the major hospital vendors such as Cerner, Epic, McKesson, etc. In addition, patient portals will likely be targeted because of the outward facing nature of these applications. And I believe it’s only a matter of time before a major web-based or hosted EHR vendor is attacked and the data of all of its covered entity clients is affected. 

Q13: Is there any hope for things to get better instead of worse? 

Well, our prevention is getting a lot better as healthcare organizations become more informed. Prior to the concern about ransomware, many healthcare entities were willing to accept a certain risk of data loss or a breach and were often unwilling to acquire and spend the budgets needed for adequate security. The ransomware crisis is changing that. Because a ransomware attack can be so catastrophic, boards of directors and Senior Executives are approaching IT leadership and asking “are we spending enough.” The risk calculus is changing and budgets are increasing for information security, especially in enterprises. 

Q14: Can you recommend anyone for risk analysis or penetration testing? 

Absolutely, but I’ll be biased in my recommendation. Healthicity can conduct a risk analysis and penetration test of your network and I can confidently say that they’re the best. Their services are designed to identify threats and vulnerabilities to the ePHI you manage whether they are operational, physical or technical, including your current IT infrastructure, and make recommendations to mitigate risks to a reasonable and appropriate level.

If you are interested in learning more about our risk assessment and pen testing services, contact Healthicity today!

SOURCES
[i] In a recent note, the FBI described concerns about a recent ransomware variant, MSIL/Samas, that attempts to locate and encrypt backups as well as the rest of the network.
[ii] The dark-web, black-market website Silk Road had Amazon-like vendor rating and customer feedback mechanisms. “Five stars for next day delivery of my illegally acquired oxycodone!”
[iii] “pwned” is a term often used by gamers indicating domination and is derived from the word “owned”.
[iv] This is not an endorsement, but some products with a good reputation include Barracuda, Proofpoint and Office 365.
[v] Same as above. Some products to consider: Fortinet, Sophos and Forcepoint (formerly Websense).
[vi] Hardening in the information security world means configuring devices in such a way as to limit the opportunity for exploit through or in the device.
