According to a report produced jointly by several federal agencies, an average of 4000 ransomware attacks have occurred every day since early 2016, up from 1000 daily in 2015. Thus far, the health care industry has been relatively unscathed by such attacks, but it is not hack-free.
In early January, Hancock Health in Greenfield, Indiana, paid nearly $50,000 to recover data that ransomware had encrypted. According to news reports, the attackers got in using a vendor's compromised administrative account. Hancock paid the ransom and the hospital was back online in about 48 hours.
In 2016, Wichita’s Kansas Heart Hospital was attacked. After it paid the requested ransom, the offenders only partially decrypted the data and requested more money. The hospital refused to pay a second amount.
These are the best- and worst-case ransomware scenarios, and, according to some experts, are equally likely when an attack occurs. Because ransomware is so new to health care, providers are not well prepared. But simple HIPAA compliance and an understanding of the issue can go a long way in preventing and dealing with ransomware attacks.
Vulnerability to ransomware
Ransomware is malicious software that gets into a system and lets the attackers encrypt or extract a provider's data. The attackers then demand a ransom to restore access to, or return, the information. The health care industry is fertile ground for ransomware because older infrastructure is prevalent and IT spending tends to be lower than in other sectors.
Attackers typically get in when a staffer clicks a link or attachment in a phishing email, or when they obtain an administrative password, as at Hancock. And while no IT solution can prevent every attack, the risk analysis HIPAA requires can go a long way toward identifying threats to, and vulnerabilities of, electronic protected health information.
“Health care providers need to consider if they have implemented appropriate policies and procedures or infrastructure to guard against attacks,” said Michael Bossenbroek, an experienced health care attorney. “If you have worked it into your compliance activities it goes a long way to mitigating a HIPAA violation if you were subject to an attack. It puts you in a different position than if you’ve never given it a second thought.”
How to respond
If a ransomware attack occurs, it is important to contact the authorities; often the FBI gets involved. Providers have to engage their IT department, and the attack should be reported to the Office for Civil Rights at the US Department of Health and Human Services. Attorneys should be notified, and public relations professionals may need to be engaged to help with damage control. All of these contacts should be identified in advance so providers are not out shopping for an attorney during a crisis. Keith Barthold, CEO of DKBInnovative in Dallas, estimates that the expenses associated with 1 ransomware attack, outside costs included, can reach $750,000.
"It's important to surround yourself with the right advisors and counsel because there are a lot of decisions to be made," he said.
Pay the ransom?
The major decision when ransomware hits is whether to pay the ransom. Bossenbroek said federal law enforcement organizations have made it clear they recommend not paying. “From their perspective, when you pay the ransom, there is no guarantee you will get the data back,” he said. “Also, the provider can then be marked as an entity that will pay, possibly creating an incentive to hit them in the future if they are willing to play ball and pay a ransom.”
Any negotiation is with a criminal, and the provider has no leverage. Hancock, Barthold said, probably judged there was little risk in paying $50,000 to avoid the downtime.
“I would say it was probably the right move,” he said. “Worst-case scenario is they lose the money and go back to plan B. If a hospital decides they need to pay, they have to basically be willing to let it go and know they may not get any return.”
Is it avoidable?
There is no way to ensure a practice will never get hacked, but providers can employ measures that lower the odds of an attack or at least limit the damage if one occurs. First, staff need to be trained not to click on suspicious links or attachments in email. Second, practices should review vendor access to their computer systems. A business associate agreement sets the standard on paper, but technical controls still have to enforce it, and each vendor's access should be limited to what the work requires. Vendors often do not need an administrative account, Barthold said.
“Give access to only what they need and control those accounts including consistent password resets,” he said. “You have to trust but verify. If you are verifying best practices within your own organization, you should have some element of verification for your vendors to the extent that it could impact your infrastructure.”
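As an added example (not from the article, and not DKBInnovative's or Hancock's tooling), here is how a practice might mechanically check the vendor-account points above: flag every enabled vendor account that sits in an administrative group, whose password has not been rotated within the policy window, or that has gone unused long enough that it should be disabled. The account records, group names, thresholds and the audit date are constructed for illustration and stand in for an export from a directory service such as Active Directory.

```python
"""Audit third-party (vendor) accounts for excess privilege, stale passwords and disuse.

Constructed example: the records below stand in for a directory export (for
instance a CSV pulled from Active Directory). Field names, group names and
thresholds are assumptions for illustration, not a real environment.
"""
from datetime import datetime, timedelta

# Groups that confer administrative rights in this hypothetical environment.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation policy for vendor accounts
MAX_IDLE = timedelta(days=30)           # assumed: unused this long, the account should be disabled
AS_OF = datetime(2018, 1, 10)           # constructed audit date

# Constructed directory export: these are not real accounts.
ACCOUNTS = [
    {"sam": "svc-imaging-vendor", "vendor": True,  "groups": ["Domain Admins"],
     "pwd_last_set": "2017-06-01", "last_logon": "2018-01-02", "enabled": True},
    {"sam": "svc-billing-vendor", "vendor": True,  "groups": ["Billing-App-Users"],
     "pwd_last_set": "2017-12-20", "last_logon": "2018-01-05", "enabled": True},
    {"sam": "svc-hvac-vendor",    "vendor": True,  "groups": ["Remote Desktop Users"],
     "pwd_last_set": "2017-11-15", "last_logon": "2017-09-30", "enabled": True},
    {"sam": "jdoe",               "vendor": False, "groups": ["Domain Admins"],
     "pwd_last_set": "2017-12-28", "last_logon": "2018-01-08", "enabled": True},
]


def audit_vendor_accounts(accounts, as_of):
    """Return (account, finding) pairs for enabled vendor accounts that break policy.

    Staff accounts are out of scope here; disabled vendor accounts are skipped
    because they cannot be used to log in.
    """
    findings = []
    for acct in accounts:
        if not acct["vendor"] or not acct["enabled"]:
            continue
        pwd_age = as_of - datetime.strptime(acct["pwd_last_set"], "%Y-%m-%d")
        idle = as_of - datetime.strptime(acct["last_logon"], "%Y-%m-%d")
        admin_hits = ADMIN_GROUPS.intersection(acct["groups"])
        if admin_hits:
            # The Hancock pattern: a vendor login with administrative rights.
            findings.append((acct["sam"],
                             f"administrative group membership: {sorted(admin_hits)}"))
        if pwd_age > MAX_PASSWORD_AGE:
            findings.append((acct["sam"],
                             f"password not rotated for {pwd_age.days} days"))
        if idle > MAX_IDLE:
            findings.append((acct["sam"],
                             f"no logon for {idle.days} days; disable until needed"))
    return findings


if __name__ == "__main__":
    for sam, finding in audit_vendor_accounts(ACCOUNTS, AS_OF):
        print(f"{sam}: {finding}")
```

Run as a script it lists three findings: svc-imaging-vendor holds Domain Admins and has a password untouched for 223 days, and svc-hvac-vendor has not logged on in over three months. The billing vendor's account, limited to its application group with a recent password, passes, and the staff account is ignored because it belongs in a separate review.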
There are 3 main areas of a risk assessment that pertain to ransomware issues, all of which can reduce the odds that a provider has to pay a ransom: backups, disaster recovery, and business continuity, Barthold said.
Restoring Hancock from its backups would have taken 3 weeks, Barthold said, and that time frame suggests the hospital did not know in advance it would take that long. He considers 24 hours a normal recovery window for most organizations, preferably less for a critical care hospital. Some of his clients can have their data back in 4 hours, but that is a costly endeavor.
Backups should be kept on site for quick recovery and off site so that an attacker who has crawled into the production network cannot reach and encrypt them as well; an off-site copy that is still writable from the network the attacker controls does not provide that protection.
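Backups the attacker can reach are exactly what the warning above is about. As an added example that goes one step beyond the article (it is not Hancock's or DKBInnovative's practice), the script below keeps a keyed manifest of a backup set and re-verifies it during a restore drill, so an encrypted or renamed backup file is noticed before anyone relies on that copy. The directory layout, file contents and manifest key are constructed; the key is assumed to be held off the production network, which is what keeps an attacker who reaches the backup share from also forging the manifest.

```python
"""Verify a backup set against a keyed manifest before trusting it for recovery.

Added example. A manifest of HMAC-SHA256 values, keyed with a secret that is
stored off the backed-up systems, is built when the backup is taken and checked
again during the restore drill. The backup contents and the key below are
constructed for illustration.
"""
import hashlib
import hmac
import os
import tempfile

MANIFEST_KEY = b"example-key-kept-off-the-production-network"  # assumption: not on the share


def file_digest(path):
    """SHA-256 of a file, read in chunks so large backup images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key):
    """Map each relative path under root to an HMAC over (path, content digest).

    Binding the path into the MAC means a file moved or renamed by the attacker
    is reported as missing rather than silently accepted under a new name.
    """
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            msg = rel.encode() + b"\0" + file_digest(full).encode()
            manifest[rel] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return manifest


def verify_backup(root, manifest, key):
    """Return sorted lists (missing, modified, unexpected) of relative paths."""
    current = build_manifest(root, key)
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in manifest
                      if p in current and not hmac.compare_digest(manifest[p], current[p]))
    return missing, modified, unexpected


def demo():
    """Manifest a constructed backup set, then show what a ransomware hit on the
    backup share looks like to the verifier. Returns (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as root:
        ehr = os.path.join(root, "ehr")
        os.makedirs(ehr)
        with open(os.path.join(ehr, "patients.db"), "wb") as f:
            f.write(b"constructed sample data, not real PHI")
        with open(os.path.join(ehr, "schedule.csv"), "wb") as f:
            f.write(b"2018-01-10,08:00,room 3\n")

        manifest = build_manifest(root, MANIFEST_KEY)   # taken when the backup was made
        clean = verify_backup(root, manifest, MANIFEST_KEY)

        # Simulate ransomware that reached the share: one file overwritten with
        # ciphertext, another renamed with a typical ".locked" suffix.
        with open(os.path.join(ehr, "patients.db"), "wb") as f:
            f.write(os.urandom(64))
        os.rename(os.path.join(ehr, "schedule.csv"),
                  os.path.join(ehr, "schedule.csv.locked"))
        tampered = verify_backup(root, manifest, MANIFEST_KEY)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("before attack (missing, modified, unexpected):", clean)
    print("after attack  (missing, modified, unexpected):", tampered)
```

The clean pass reports nothing; after the simulated attack the verifier reports schedule.csv missing, patients.db modified and schedule.csv.locked as an unexpected file. Storing the manifest with the key on the same share would let the attacker regenerate it, which is why the key has to live where the backup process can reach it but the production network cannot.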
A business continuity plan should indicate how patients will be served and charting performed if the computer system is down. Kathy Downing, Vice President of Information Governance and Standards at the American Health Information Management Association in Chicago, said it is imperative to have a plan should internet and email be unusable. When she asks clients if they have paper forms and where they are located, many answer “on the network,” which is not a solution should the computer system go down.
She recommends having paper forms printed out and at the ready in a safe place. Providers also need to test their systems and put the plan through its paces. What would happen if a computer system goes down? Would both the internet and the intranet be unavailable? And if nothing is working, does the practice have a phone list to call patients?
Creating and testing a disaster recovery plan gives an idea of how records can be recovered and when mission critical systems would be usable.
“This should be tested, like a fire drill, to make sure systems and plans are working,” Barthold said.