New Threats to Cybersecurity Call for Vigilance, Preparation
EXECUTIVE SUMMARY
Cybersecurity is a serious concern for healthcare organizations. The White House is urging hospitals and health systems to take specific steps to improve cybersecurity.
- Multifactor authentication is a strong deterrent to hackers.
- Updates and patches can eliminate weak points in software.
- Consider hiring a third party to test security strength.
Cyberattacks are a major threat to healthcare organizations, with the potential for HIPAA data breaches, the loss of critical patient data, the inability to provide care, and substantial financial losses from ransoms and litigation.
The White House issued a memo to business leaders that outlines specific steps companies can take to protect against and prepare for a ransomware attack:
- Use multifactor authentication.
- Encrypt health information and other sensitive data. If data stolen during a ransomware attack are properly encrypted, the incident is not a reportable breach under HIPAA and some state laws.
- Back up data regularly, test those backups to ensure they work, and store them offline.
- Install updates and patches promptly.
- Contract with a third party to test cybersecurity strength.
Patient records are stolen in about 75% of ransomware attacks on healthcare organizations, says Gary Salman, chief executive officer of Black Talon Security in Katonah, NY. The thefts also include human resources, operational, and financial data.
“That poses a tremendous problem for any healthcare organization because it is double extortion. They’re facing the encryption of all their files, and they can’t function until they are decrypted or restored from backup, but also the threat of publishing all the stolen data,” he says. “It’s forcing many organizations that may have valid, recoverable backups to pay the ransom because they don’t want the hacking groups to publish all of their patient records.”
In some cases, the hackers will contact the patients directly if the healthcare organization will not pay the ransom, Salman says. They will tell the patient that because the hospital or physician group will not pay, the patient must give them thousands of dollars or else their personal and financial data will be sold on the black market.
The federal government and the cybersecurity industry have improved the detection of vulnerabilities in software and increased the warnings to the healthcare industry, notes Johnny Lee, JD, principal and practice leader in forensic advisory services with Grant Thornton in Atlanta. That is good for the industry, but likely will be necessary for the foreseeable future.
“I think we’re going to continue to see regular updates about some significant software that has a vulnerability or some supply chain attack that grants malicious actors access they shouldn’t have,” Lee says. “What is different from a year or so ago is the coherence of the guidance coming from the federal government. It is much improved, and I think the agencies issuing guidance to covered entities are getting much better at specifics and best practice relays.”
Lee says a pitfall for some organizations is the practicability of complying with the HIPAA Security Rule requirement for procedures around security incident handling. Compliance will require more than just a written policy stating the procedures.
“The rule is clear that this should contemplate both responding to the security incident and the required reporting,” Lee says. “Companies that do this well have not only written it down, but they have exercised it before the bad day, so they have some muscle memory. They know they might be able to use email if it is compromised, so they have an alternate method — things that extend well beyond a written document that looks pretty.”
Patching vulnerabilities in software has become a top priority, notes Patricia A. Markus, JD, a partner in the Raleigh, NC, office of Nelson Mullins. Most large healthcare organizations employ good information security teams that monitor the latest patches and vulnerabilities, but smaller facilities and groups might not possess the resources.
Markus says risk managers should urge leaders to fully support information security efforts.
“It is important to be vigilant and respond promptly to the warnings from the government on these issues,” she says. “Once healthcare organizations have been alerted to these vulnerabilities, it is their obligation to follow through with the recommended fixes or defense mechanisms. But it can be a real challenge for some smaller entities without the resources or expertise.”
Healthcare Especially Vulnerable
Ransomware is particularly dangerous for healthcare entities, says Scott Bennett, JD, an attorney with Coppersmith Brockelman in Phoenix. When a healthcare entity loses access to systems or data, that can interfere with patient care. For example, it can prevent providers from accessing critical information about a patient’s medical history or allergies that is stored in the electronic medical record.
“Another factor is that the need for healthcare never stops. A hospital hit by ransomware is still going to have patients showing up in the emergency department needing care, as well as patients with scheduled elective procedures,” Bennett says. “That puts enormous pressure on healthcare entities to just pay the ransom so they can get on with providing patient care.”
A ransomware attack also might be a reportable breach under HIPAA. The Office for Civil Rights has taken the position that if ransomware locks down electronic protected health information (PHI), that is a reportable breach unless the entity can prove there is a low probability the information has been compromised, Bennett says. Healthcare entities hit by ransomware need to think about ways they might prove that, such as through a forensic analysis of the affected devices or systems.
“Healthcare entities don’t want to be thinking through issues for the first time in the midst of the ransomware attack. They need to have detailed incident response plans in place, and they need to test those plans,” Bennett says. “One useful exercise is a tabletop drill where the members of the incident response team walk through a hypothetical incident. It is important to have answers ahead of time to key questions, such as how the organization will continue to operate without access to critical systems or data.”
Bennett also suggests healthcare entities educate their employees about phishing emails, which are a common source of ransomware attacks. Make sure personnel know how to spot a suspicious email. They also should know what to do when they spot one (such as reporting the email to IT or security), and what not to do. They must not respond to the email, click on any links in it, or type in a username or password.
“Healthcare entities should also consider adding a highly visible label to every email that comes from an email address outside the organization, because it is increasingly common to see phishing emails that purport to be from a co-worker or boss,” Bennett says.
Ransomware Attacks Prompt Concerns
The latest healthcare advisory comes after myriad ransomware attacks and other cyberthreats affecting healthcare providers, says Morey Haber, chief technology officer and chief information security officer at IT security company BeyondTrust. The attacks, while devasting to technology, already have proven they can delay patient care, expose sensitive health information, and, in extreme cases, cause loss of life.
“No one is immune to cybersecurity threats. When an attack is successful, it can be more than just an inconvenience or attributable to straight-up downtime,” Haber says. “Sensitive information and lives are at risk.”
Haber lists several cybersecurity best practices that can help healthcare organizations mitigate the risks:
- Ensure all systems are patched for critical vulnerabilities in a timely manner. This is not only true for endpoints, but also infrastructure components like hypervisors that also can be a victim of ransomware.
- Ensure end users, regardless of role, are not logging into resources with administrative privileges unless absolutely necessary. Ransomware spreads via lateral movement, and a single attack on an endpoint can compromise an entire environment.
- Ensure passwords are complex and not reused across multiple systems or infrastructure technology.
- When possible, disable legacy remote access protocols like RDP and SSH, especially with critical infrastructure. Leverage a dedicated remote access solution to mitigate the threats of protocol-based ransomware distribution. This is the highest percentage of current attack vectors.
- Consider segmenting and disconnecting from the internet any and all systems that are end of life and can no longer receive security maintenance. This includes virtual machines running on hypervisors that might hold multiple paths for access and maintenance.
Take Proactive Approach
The recent guidance from the federal government establishes additional regulations any healthcare organization must abide by to be HIPAA compliant, notes Margaux Weinraub, CPCU, ARM, cyber practice leader at Graham Company in Philadelphia.
The key reminder from the federal government’s warning is that every organization is susceptible to cyberattacks, no matter what industry or how big or small the company. Given the nature of the industry and private medical information at stake for healthcare organizations, it is of paramount importance they take preventive measures to protect their systems and data from a cyberattack.
HIPAA-covered healthcare entities should take a proactive approach to safeguarding their data, protecting their employees and patients and consistently reviewing their contractual obligations with outside vendors, Weinraub says. This includes contracts with third-party vendors that store or have access to the entity’s personally identifiable information and PHI, which will outline insurance and indemnification provisions so risk exposure is clear and reduced to the extent possible.
“In addition, healthcare entities should be considering their organizations’ security holistically,” Weinraub says. “It’s not just something to be addressed with IT, but from the top down as a priority that involves all employees and departments.”
Update Security Constantly
Organizations should constantly update their cybersecurity measures to implement and update firewalls and operating procedures designed to prevent a breach, says Erin McDevitt, producer with the Graham Company in Philadelphia. This includes using multifactor authentication. A door includes both a door lock and a deadbolt, but if someone retrieves your password (or door lock), they should not be able to access all of your records (or open the door), she explains.
If an employee becomes aware of a vulnerability, he or she should be directed to acknowledge it immediately and not wait until it could become a larger issue.
“With the increase in merger and acquisition activity in the healthcare industry, it is imperative to know that organizations are most vulnerable to a cyberattack or breach while in the process of undergoing a merger or acquisition, or after its completion,” she says. “An organization’s risk management team and finance team must prepare for this vulnerability.”
The organization’s insurance broker should work closely with the executive team in the due diligence process to know the insurance provisions associated with each organization’s cyber liability program and determine what coverage will be in place upon completion of the new entity, if any tail coverage is required for the expiring programs and related issues, McDevitt says.
SOURCES
- Scott Bennett, JD, Attorney, Coppersmith Brockelman, Phoenix. Phone: (602) 381-5476. Email: [email protected].
- Morey Haber, Chief Technology Officer, Chief Information Security Officer, BeyondTrust, Johns Creek, GA. Phone: (877) 826-6427.
- Johnny Lee, JD, Principal, Practice Leader, Forensic Advisory Services, Grant Thornton, Atlanta. Phone: (404) 704-0144. Email: [email protected].
- Patricia A. Markus, JD, Partner, Nelson Mullins, Raleigh, NC. Phone: (919) 329-3853. Email: [email protected].
- Erin McDevitt, Producer, Graham Company, Philadelphia. Phone: (215) 567-6300.
- Gary Salman, CEO, Black Talon Security, Katonah, NY. Phone: (800) 683-3797.
- Margaux Weinraub, CPCU, ARM, Cyber Practice Leader, Graham Company, Philadelphia. Phone: (215) 567-6300.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.