This article was originally published on Health Data Management on June 9, 2016.
Healthcare organizations are aware of the omnipresent threat of ransomware on their information systems, and the danger it poses to their HIPAA compliance efforts and reputations, and are struggling to bear the expense of shoring up their defenses.
The rising number of ransomware attacks against providers is prompting security professionals to intensify data security efforts, as well as consider entirely different approaches to security.
Ransomware is turning the tables on how healthcare organizations now deal with security. For years, top security professionals have struggled with thefts that took data out of an organization's control--for example, through the theft of data on stolen unencrypted laptops or through employee snooping of records that contain protected health information. The incentive for avoiding these types of breaches was to avoid landing on the HHS Office for Civil Rights' web site of major breaches, and possibly face OCR-imposed financial sanctions and corrective action plans.
But ransomware is different. Information remains in a provider’s system but is inaccessible, locked away until a provider makes a financial payment to free it.
That scenario in large part has not been considered as a possibility until recently, says Brian Finch, a partner in the public policy practice of the law firm of Pillsbury, Winthrop Shaw Pittman. Consequently, intensified data security is not the answer in the ransomware era, he believes; organizations must look at different approaches to data protection.
"You need a fundamental review of how IT is set up," Finch contends. "Is security a core component on par with reliability and ease of use? This will require significant change for chief information officers and chief information security officers in how they set up their information systems. The availability assumption no longer holds."
Traditional reliance on policies, procedures and training to promote confidentiality also no longer are effective when the data integrity is threatened because it's not accessible, says Paul Bond, a partner in the Reed Smith law firm who specializes in IT and privacy issues.
With the availability of health data in peril, organizations must have contingency plans in place so they have an action plan for what to do when facing a ransom incident.
Should they pay the ransom and get their data back? Some organizations may not have an alternative if their data back-up processes were not optimal.
Some hospitals have paid ransom. For example, Hollywood Presbyterian Medical Center in Los Angles struggled for 10 days to regain its data, then paid $17,000 in Bitcoin--an Internet currency--to get access back to its data. Kansas Heart Hospital paid an undisclosed amount of ransom, but did not get back all its data after the attackers demanded another ransom, and the hospital refused.
MedStar Health, serving the Baltimore-Washington metropolitan area, fought off a ransomware attack, but it likely was far more expensive and disruptive to combat it than if it had decided to pay a ransom.
However, the fear is that paying a ransom only makes it more likely that an organization will be attacked again. That's the warning of attorney Daniel Gottlieb, a partner in the McDermott Will & Emery firm in Chicago. He advises clients to employ good backup, firewall and virus scanning policies as well as establishing a high level of employee training.
In general, paying a ransom does not work and attacks continue, in part because those now attacking the organization aren't necessarily the ones who conducted the initial attack, says Ben Desjardins, director of security solution marketing at Radware, a vendor of applications and security software for data centers.
"Word gets out on the `dark web' that you paid," he adds. Consequently, the combination of paying ransom and not hardening your network could be dangerous. "You need to change the economic dynamics; increase your security posture to increase the cost of targeting you."
However, Bond acknowledges that while it's easy to give legal advice to not pay a ransom, not paying an extortion demand can imperil care to patients. Consequently, it is prudent to conduct a risk assessment on the question of paying.
Police agencies may be able to aid providers who are deciding whether to pay a ransom, Bond notes. "Among cyber criminals, there is an increasing amount of information about their reputations for following through on their word and restore access. That economy looks like our economy-- people have companies, brands and reputations. You'll get your reputation dinged if you don't do what you say you'll do."
For many years, healthcare organizations have had a narrow view of security rooted in complying with HIPAA privacy and security regulations, Bond says. Now, providers and payers must look at security in new ways.
That's what retail, financial and energy industries did when they started being hit with denial of service attacks, which flood a network with messages to shut it down for purposes of extortion or disruption, or punishing companies for perceived poor corporate behavior.
and follow fundamental practices, Mehta says. Organizations that are not diligent in patch management, information systems segmentation and security monitoring will be the ones most at risk for ransomware attacks.
These industries learned that the standard policies, procedures and training to promote confidentiality are insufficient now that data integrity and accessibility are constantly threatened, Bond says. "You need best practices that go beyond HIPAA's check-the-box compliance."
Those best practices emerge when information security pros, and the legal teams that support them, look more broadly at security and then can change their mindsets.
However, other security professionals do not believe a fundamentally new approach to security is warranted just because of the current threat. "Today it's ransomware; tomorrow, it will be something else," says Raj Mehta, a partner in the Deloitte cyber risk services unit. "Attackers will go to third parties, medical devices and other flavors."
Healthcare organizations need to prioritize risk management practices and follow fundamental practices, Mehta says. Organizations that are not diligent in patch management, information systems segmentation and security monitoring will be the ones most at risk for ransomware attacks.
(Click here to view chart on original article)
"Get ready for this to be the norm-- you will be regularly attacked," he counsels. "Secure as best as you can, because healthcare will be a target until the industry changes its security approach; then crooks will go look for a more vulnerable industry."
Ransomware has risen as a threat over the past five years, and healthcare and other industries were not prepared, says Rahul Kashyap, chief security officer at Bromium, which sells software to eliminate malware by moving it into a virtual machine that looks exactly like a user's computer.
The core reason for vulnerability is that security was underfunded and many IT systems were not designed to be secure, he explains. In healthcare, many hospitals came to believe that they wouldn't be attractive as an attack target.
Even though most provider and payer organizations now understand the threat, they are scrambling to defend themselves. The rush to hire security personnel, and particularly chief information security officers, is one byproduct of the response to the attack, Kashyap notes.
Ransomware has risen in popularity with criminals because it's easy to do and can be quickly monetized. Within a few days of a ransomware attack, the perpetrators know if they will get paid. The cost of hacking and infecting computers is low, so even if only 10 percent of victims pay the ransom, hackers profit handsomely.
Since 2013, Kashyap says, criminals have increasingly built more effective ransomware that is more effective at circumventing security measures. For instance, there is a software product called Tor that grants anonymity of online activity--thieves now are using the privacy protections of Tor to hide ransom payments and reception of the ransom by an attacker.
While the healthcare industry historically has underfunded data security, Desjardins of Radware believes that is changing now because of the heightened threat environment. "Proactive security will always be cheaper than reactive security," he counsels.
Damage from ransom attacks is not just financial--for example, healthcare organizations become victims of highly publicized ransom attacks can take big hits to their reputations and patient trust. This reality is starting to hit home with providers, Finch says. Still, more providers need to pay attention because ransomware is widely available, inexpensive to use and is not a problem that will be going away.
"You need to reduce the number of entry points for data so you can monitor the points that remain," Finch explains. "You don't need to know what ransomware looks like when scanning, just that email or something else is operating in an unusual way."
Finch never advises clients to pay ransom, but can understand that sometimes that is the only option if an organization hasn't had good data backup policies. Some ransomware, however, is so sophisticated that it can get into backup files and corrupt them, in which case, payment still may be the only option. And the threat isn't going to improve anytime soon, he warns.
Cyber criminals face hardly any incentives to stop, he says. "There is almost no way they will be arrested. They have the luxury of time and are immune from law enforcement. This is an unfortunate time for healthcare to be bearing the brunt, but the low-cost lesson is that you need to get to the forefront of improving security."