As millions of online health records are making their way onto the black market, the US Department of Health and Human Services Office for Civil Rights has issued a guidance document that explains what ransomware is and how to stop it from taking hold of—and ransoming—sensitive data.

The July 11 document Ransomware and HIPAA instructs health care organizations to identify ransomware threats through risk analysis, establish plans and procedures to defend against those risks, improve training, limit access to patients’ electronic health information, and maintain an offline data backup. It also specifies that ransomware attacks that affect protected health information, such as electronic health records, are a breach of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA violations can carry fines totaling up to $1.5 million per year, depending on their severity, according to the American Medical Association.

If a HIPAA breach has occurred, then “the entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements,” the guidance declares.

Ransomware, a type of malware that encrypts and holds data hostage, is on the rise and increasing in its complexity. A 2016 federal interagency report on the topic called ransomware the “fastest-growing malware threat,” with an average of more than 4,000 attacks each day in 2016, a 300% increase from the year before.

Those attacks can be very profitable and are growing in their technical sophistication, says Axel Wirth, a distinguished technical architect at Symantec. “This is really a game of continually staying on top because the attack strategies change so fast,” says Wirth. “Whatever we discuss today and HHS advises in the guidance today may or may not be true tomorrow. If there’s money to be made, people will find a way to make money.”

“Published reports suggest that the current value is $20 to $60 per patient record on the black market, which can be used for extortion, identity theft, medical insurance theft,” he continues. “It contains your bank information, social security number, health insurance credentials, even your address, physical descriptors, or next of kin. Health data is much more comprehensive than what other industries hold about their customers and can be used for many more purposes.”

Although the potential loss of critical data can be devastating for health care organizations, Wirth does not recommend paying the ransom to regain control of locked files. Doing so encourages the practice, does not guarantee the release of the files, and could result in further attempts at extortion.

Ransomware attacks often begin when someone in an organization opens an infected email attachment, such as a Word document, or clicks on a web link that provides the attacker with access to the network. But insecure medical devices can also provide a way in.

“Close attention is also needed to the medical devices on the hospital network, particularly those built on top of commercial operating systems, such as Windows, that might be out of date in terms of security patching,” says Ken Hoyme, distinguished scientist at Adventium Labs. “Depending on how they interact with the network, they could be entry points to the hospital network and used to pivot toward the systems containing the electronic personal health information.”

Because of the repercussions of allowing hackers to access electronic health records, healthcare delivery organizations are looking to healthcare technology manufacturers to bolster the security of their products. The newly released Association for the Advancement of Medical Instrumentation (AAMI) TIR57, Principles for medical device security – Risk management, provides medical device manufacturers with a framework to proactively address cybersecurity threats when developing medical devices. The standard has been well received, says Wil Vargas, director of standards at AAMI.

“This new OCR guidance is about what to do once you’ve already been infected with a cold, in this case a ransomware attack,” says Vargas. “TIR57 is the lifestyle choices that you make to prevent getting sick in the first place. If the security was built in, we’d have a lot less of these vulnerabilities to ransomware.”