Cyber Criminals Increase Damaging Attacks Against Healthcare Organizations
EXECUTIVE SUMMARY
Cyber criminals, seeking access to medical records or to lock files until receiving a ransom, continue attacking healthcare providers.
- Any ambulatory surgery center that uses electronic data is at risk.
- Common problems related to breaches are medical identity theft, stolen medical information, and ransomware.
- Organizations that pay the ransom compound the problem, encouraging more attacks.
Healthcare providers are cyber criminals’ low-hanging fruit. Patient records are valuable on the dark web’s black market, and so are employment records; ransomware is the latest scourge.
Ambulatory surgery centers (ASCs) and any healthcare organization that relies on electronic data could be attacked. Any ASC that is subject to federal privacy regulations also is at risk for regulatory problems related to a security breach.
“Anybody that is a covered entity under HIPAA is at risk,” says Dan L. Dodson, president of Fortified Health Security in Franklin, TN.
“If your ASC has a breach impacting more than 500 medical records, you have to report it, and you can have big problems if there is no risk management program,” Dodson says.
Cyberattacks are going to be one of the biggest issues healthcare organizations face going forward, Dodson says.
“As there’s more publicity around this, it will drive more people to focus on healthcare,” he notes.
Experian’s 2017 Data Breach Industry Forecast says that healthcare organizations continue to be the most targeted sector for hackers. Problem areas include medical identity theft, stolen medical information, and ransomware.
“Ransomware is when they lock down your system and get you to pay ransom in response,” says F. Paul Greene, Esq., chair of the privacy and data security practice group at Harter Secrest & Emery in Rochester, NY.
Cyber Trends Change
A few years ago, cyberattackers focused on collecting credit card information. But the payment card industry tightened its controls, so cyber criminals shifted to collecting healthcare records, Greene explains.
“To make a comparison, on the dark web, a credit card number can go for pennies — less than a dollar,” he says. “A healthcare record sells for tens of dollars. The last statistic I’ve seen is that one [medical] record could cost $40 on the dark web.”
One appeal of healthcare records is that they often include Social Security numbers as a common identifier. “Many of our usernames had the last four digits of our Social Security number, and any part of your Social Security number can be dangerous if it’s leaked out there,” Greene says. “It can lead back to who you are and result in identity theft.”
Medical records contain a wealth of information for criminals. They can use records to open bank accounts, apply for credit cards, and to fraudulently bill Medicare and Medicaid, Dodson says.
Ransomware is one of the newer and more pernicious forms of attack. Typically, someone in a surgery center or hospital opens a seemingly innocuous email and clicks a link, which infects the computer. The ransomware then encrypts the electronic system’s data so that no one can view the information without the decryption key. The attackers offer to sell that key to the victim for thousands of dollars. Many healthcare organizations pay because they cannot function without their data for long.
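The encryption stage described above leaves a recognizable trace: documents are overwritten with near-random bytes and usually renamed with a new suffix. The following script is an added example, not code from the article or from the firms quoted in it. It builds a constructed sample tree (plain-text notes plus files overwritten with random bytes and renamed with a ".locked" suffix) and flags files by Shannon entropy and by suffix, raising an alert when a large share of the tree looks encrypted. The suffix list, entropy threshold, and alert fraction are assumptions to be tuned for a real environment.

```python
"""Entropy- and suffix-based detector for ransomware-style mass encryption.

Added example, not from the article or the firms quoted in it. It builds a
constructed sample tree (plain-text notes plus files overwritten with random
bytes and renamed with a ".locked" suffix, as an encryption stage would leave
them) and scans it. The suffix list and thresholds are assumptions.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumed values: tune for the environment being monitored.
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or random data approaches 8.0
ALERT_FRACTION = 0.5      # raise an alert when this share of files looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """Flag a file if it carries a known ransom suffix or its bytes are near-random.

    Entropy alone also flags legitimately compressed data (zip, jpg, etc.), so a
    production detector combines it with rename rate and known-good extensions.
    """
    if path.suffix in SUSPICIOUS_SUFFIXES:
        return True
    return shannon_entropy(path.read_bytes()) >= ENTROPY_THRESHOLD


def scan_tree(root: Path) -> dict:
    """Scan every regular file under root and summarise how many look encrypted."""
    files = [p for p in root.rglob("*") if p.is_file()]
    flagged = sorted(str(p.relative_to(root)) for p in files if looks_encrypted(p))
    fraction = len(flagged) / len(files) if files else 0.0
    return {
        "total": len(files),
        "flagged": flagged,
        "fraction": fraction,
        "alert": fraction >= ALERT_FRACTION,
    }


def build_sample_tree(root: Path, normal: int, encrypted: int, seed: int = 1) -> None:
    """Constructed sample data: `normal` plain-text notes and `encrypted` random-byte files."""
    rng = random.Random(seed)  # fixed seed keeps the sample reproducible
    note = b"Patient arrived for pre-op assessment; vitals within normal range.\n"
    for i in range(normal):
        (root / f"note{i}.txt").write_bytes(note * 64)
    for i in range(encrypted):
        blob = bytes(rng.getrandbits(8) for _ in range(8192))
        (root / f"note{normal + i}.txt.locked").write_bytes(blob)


def simulate(normal: int, encrypted: int) -> dict:
    """Build a throwaway tree with the given mix, scan it, and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, normal, encrypted)
        return scan_tree(root)


if __name__ == "__main__":
    for mix in ((9, 1), (3, 7)):
        result = simulate(*mix)
        print(f"{mix[0]} normal / {mix[1]} encrypted -> "
              f"{result['fraction']:.0%} flagged, alert={result['alert']}")
```

Run against a real share, the same scan would be scheduled or triggered by file-change events rather than a one-off walk, and the entropy signal should be weighted against the legitimate compressed formats the organization stores; a single backup archive is high-entropy, but a wave of renamed, high-entropy documents appearing within minutes is the pattern described above.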
Organizations that lack a sufficient data back-up and recovery plan may not be able to restore systems quickly, and they have no choice but to pay the ransomware price, Dodson says.
“I also believe that when some folks are paying the ransoms, it will lead to more bad behavior,” he adds.
“You’d be surprised at the very sophisticated individuals who fall into a ransomware scheme,” Greene says. “They can pay bad guys to use their ransomware service and send out infected links to collect the ransom.”
The infected emails appear to come from a trusted source, and they are typically well-written. The age of the Nigerian prince emails riddled with grammatical errors is over, he notes.
For instance, an attacker might discover through social media that someone attended a particular university. Then, the attacker will send an email that appears to originate from that university’s alumni association, asking the person to “click here” for reunion registration information, Greene explains.
“The reason why ransomware has exploded in healthcare is that healthcare really depends on immediate access to its electronic systems,” he says. “There has been a big push for electronic medical records.”
When a surgery center’s or hospital’s electronic systems are down, the healthcare organization is under tremendous pressure to fix the problem; therefore, it will pay the ransom, just as Hollywood Presbyterian Hospital did in 2016. The hospital paid $17,000 in ransom, a drop in the bucket compared with going without full access to its electronic systems for 10 days, Greene says.
“They could not perform certain procedures or certain tests because their system was down,” he adds. “That’s catastrophic for a healthcare provider.”
The typical ransomware demand is around $3,000. Attackers often ask that it be paid in bitcoin, a cryptocurrency whose exchange rate fluctuates and which traded at several hundred dollars per bitcoin at the time of this article.
“It’s a smash-and-grab kind of thing, and we expect to keep seeing this kind of attack for the foreseeable future,” Greene says.
“Under HIPAA, ransomware now is a reportable breach, and healthcare providers must conduct a four-factor risk analysis to decide whether they should let HHS know,” Greene says. “And HIPAA is not the only story. When they have a ransomware attack, they also have to look at other federal and state laws that might apply.”
Ransomware and other breaches are legal issues, as well as security issues. Nearly all states have instituted breach notification rules. From an ASC’s perspective, this could mean learning the breach notification rules of many states. Every patient the ASC has seen has a record in the electronic file, and these patients could be from different places.
“That’s the new frontier for healthcare providers, and many are not aware or prepared to deal with the regulatory complexity,” Greene says. “How do relevant laws apply, and how do you meet those standards?”
HHS’s recent HIPAA guidance addresses ransomware specifically because some experts had argued it was not a breach, since the attackers do not take information away from the healthcare facility, Greene notes.
“HHS said that even if they don’t get the information, ransomware is a potential reportable breach and subject to a four-factor breach analysis under HIPAA,” he adds.
From a security perspective, ransomware circumvents technical controls because someone has unknowingly opened the system’s door and let the bad guy in, Greene says. “You can have a wonderful firewall and security system, but that action by a user will circumvent all of those users.”
As soon as the security industry develops a strategy for addressing the attacks, the criminals — who often operate from countries with no extradition treaty with the United States — find a way to circumvent the security solution.
“Ransomware is easier than stealing data, and the answer is that the hackers are opportunistic, creative, and lazy — they go for the path of least resistance,” Greene says. “Why hack into Microsoft when you can send out 1,000 ransomware attacks and get $3,000 or $4,000 each time it works?”