In a previous post, we broke down some basics about the surging cyber-threat of ransomware. What was once a vague, upcoming threat is now taking the mainstage as thousands of attacks occur per day across all major industries. Variants of the malware are multiplying 4.3 times what they were between Q1 of 2016 to Q1 of 2017. Not only are the attacks and the attackers increasing, but the Health and Human Services’ Office for Civil Rights is standing firm on upholding compliance laws, doling out fines to businesses that are mishandling sensitive information making it susceptible to ransomware attack. This leaves vulnerable industries caught in the middle. The time is now for healthcare providers to engage in proactive measures against this threat, such as risk assessments and keep their patients top of mind.
In 2016, 72% of all malware attacks on the healthcare industry were ransomware attacks and the healthcare industry were the second most targeted industry, behind finance, with 15% of total ransomware attacks that year. This puts the healthcare industry in a compromised position. The management and protection of ePHI is paramount and ransomware specifically targets the human element within businesses, exposing the susceptibility of human error. As Bryan Sartin, executive director of Verizon Enterprise Solutions Global Security Services, states, “Cybercriminals concentrate on four key drivers of human behavior to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty.” By the end of the first six months of 2017, the antivirus program Symantec blocked around 319,000 ransomware infections alone, a significant increase from last years numbers.
Part of the fallout from the rise in these attacks is the grey area ransomware and their breaches fall within HIPAA regulations. Due to the unique nature of ransomware attacks, specifically concerning the fact that when a system is locked up by the malware the files within are not usually redistributed, there is a degree of uncertainty on whether or not they classify as a breach of patient confidentiality. The healthcare industry deals with highly sensitive material and reporting is vital to maintaining security of patient records.
This ambiguity of what constitutes a breach has led to a severe underreporting of breaches. The previously listed numbers of known ransomware attacks are disproportionate to the amount of attacks being reported, as cited by the Office for Civil Rights. The hesitancy to report is usually due to a number of worries including: further safety risks (they are susceptible to future attacks), fear of disrupting business operations from shut downs and IT overhauls, employee fears of reporting falling for scams, and simply fear having to admit the breaches place patients at risk.
The attempts to downplay breaches stems from a seemingly natural desire to provide a sense of security to clients while they work through the problem. This lack of transparency can be a killer of trust in the eyes of clientele. Malware attacks are no longer a possibility and more of an inevitability, but when businesses can get in front of the attack and communicate with their clients about what happened and what will be done, these clients have shown a higher tendency toward forgiveness.
Andrew Liuzzi, executive vice president of Crisis and Risk Management for Edelman, a public relations company made the following quote from an article regarding breaches: “Patients need to be the North Star. It’s very simplistic, but we need to make sure we communicate to our key audience effectively and clearly. Not just with a press release, but looking at other avenues for communication. Medical data is a personal topic, and the message needs to match that.”
As of July 2016, CMS reported that breach disclosure rules within HIPAA do apply to ransomware. Found within a fact sheet provided by the U.S. Department of Health and Human Services and echoed in an article from Health Leaders Media, HIPAA requires these actions to be taken by healthcare businesses:
- Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information, as well as establishing ways to mitigate or remediate these identified risks.
- Implementing procedures to take precautions against malware.
- Training users to detect malware and report such detections.
- Limiting access to protected health information to people and software requiring such access.
- Maintaining disaster recovery, emergency operations, frequent data backups, and practice restorations.
Remaining compliant with these requirements will keep your business protected and ready for prevention and recovery against ransomware attacks. The declaration from CMS to include ransomware as breaches comes from seeing different types of ransomware attacks that no longer simply hold the information ransom, but will actually make copies of all the information to sell or for later grabs at ransomed money.
There is added incentive now as a failure to comply and report could result in fines. As seen in the recent settlement between Presence Health and OCR wherein, Presence Health paid $475,000 for untimely reporting. Their incident occurred in October of 2013 at a surgical hospital in Joliet, Illinois where the ePHI of 836 clients disappeared. They failed to report the breach within the required 60 days, waiting until January 31, 2014 to do so.
Another incident, this time involving the Denver-based Metro Community Provider Network, a federally-qualified health center, failed to conduct a risk assessment after a reported breach. The hacker obtained 3,200 clients’ ePHI in January of 2012, but did not follow through with their risk assessment until mid-February of that year which when conducted did not meet the requirements of the Security Rule. Reported on April of 2017 by HHS, Metro Community Provider Network is required to pay $400,000 for this lack of security management.
These are not isolated cases either as OCR is looking to be more aggressive with their pursuit in penalizing HIPAA violations. In the front half of 2016, approximately $15 million has been collected in settlements. Becker’s Hospital Review collected the 10 biggest of these fines which range from $1.7 million to $5.55 million. The largest of these was directly related to three breaches of patient records.
While malware attacks ramp up, so does OCR’s enforcement of reporting on these breaches of confidentiality and requirements for a risk analysis. HIPAA has laid out guidelines for their expectations and these expectations will help keep ransomware and fines associated with it at bay. Don’t become a victim twice over and have plans in place to deal with a problem that will continue to grow in the coming years.