Feds focus on healthcare ransomware attacks

May 11, 2016

HHS’ Office for Civil Rights is offering an email series in response to a rise in ransomware attacks on vulnerable healthcare organizations.

At the direction of the White House and the Department of Health and Human Services (HHS), the federal Office for Civil Rights (OCR) has begun to focus on the threat that malware, software designed to do harm, poses to the healthcare community. It is specifically focusing on ransomware: malware that blocks access to a computer system or its data until a sum of money is paid.

This shift in focus is the result of research and outreach conducted by HHS to better understand the requirements of the Health Insurance Portability and Accountability Act (HIPAA) in light of known security threats. During the second half of 2015 and the early part of 2016, there was a dramatic increase in the incidence of malware attacks, not only in the healthcare industry but also in the financial services and retail sectors. The Federal Bureau of Investigation (FBI), along with the OCR and various other agencies, has been issuing warnings all year to encourage IT departments to take precautions and be aware of the rise in criminal activity.

One result of that focus is a monthly educational newsletter, launched by the OCR in February. The newsletters highlight threats, including information on ransomware and tech support scams. Dave Peterson, senior vice president and chief information officer at Erlanger Health System in Chattanooga, Tennessee, told Medical Economics that the newsletters can be beneficial to healthcare IT departments; he added that he doesn’t rely on this guidance completely but finds it a useful supplement.

A report released by the Ponemon Institute and ID Experts in May 2015 showed a 125% increase in criminal cyberattacks over the previous five years, making these incidents the leading cause of data breaches. A follow-up report is set to be published on May 12, 2016, and Rick Kam, president of ID Experts, said “some areas have gotten worse since the last report, and there hasn’t been any improvement.”

Much of the rise in cyberattacks is attributable to ransomware. In a ransomware attack, the criminals, often referred to by authorities as “bad actors,” infiltrate an organization’s IT system through one of a variety of scams and install malicious software. Malicious email attachments are common, but tech support scams are on the increase. In a tech support scam, a user receives a phone call, email or website pop-up warning that their system is infected. A criminal masquerading as a tech support person then offers to clear the infection; instead, they install malware.

The ransomware in use today, according to Kam, is far more sophisticated than in the past. The current version of ransomware locks up the information and destroys log files and backups. The criminals then demand a ransom to release the system.

“It’s become the shortest path to the money for crooks,” said Kam. The FBI has actually instructed some organizations to pay the ransom. This practice has encouraged the perpetrators, leading to a sharp increase in attacks. The OCR stresses that contingency planning is critical in such cases. When an organization completes a risk analysis, it should implement safeguards, including a plan for what will happen in the event of a malware attack.

Kam says a related question is whether or not a ransomware attack is a notifiable data breach. In other words, are organizations required to notify patients in the event of a ransomware attack? More traditional data breaches involve data being stolen or lost. With ransomware, the data isn’t removed from the organization’s system; it’s just locked down and made inaccessible.

The OCR lists four conditions that constitute a notifiable data breach, one of which is unauthorized access. “Just the fact that the bad actors were able to infiltrate your system is potentially an unauthorized access and therefore a notifiable data breach,” says Kam.