Based on recent news stories and our experience, cybercriminals appear to be targeting healthcare providers with ransomware attacks. Publicly reported incidents, and others of which we are aware, have involved providers ranging from clinics and imaging centers to hospitals, and these entities have had to pay hundreds to thousands of dollars to regain access to their medical records, billing records or other vital computer systems, often after significant interruption of operations. On March 31, 2016, the U.S. Department of Homeland Security's US-CERT issued an alert (TA16-091A, "Ransomware and Recent Variants") prompted by attacks on businesses, including healthcare facilities and hospitals, worldwide.
A big problem with these attacks is that they target one of the weakest links in a computer system: the human users. Important steps toward mitigating this increasing risk are: (i) training to make sure healthcare providers and staff are aware of the dangers; and (ii) exercising caution when opening emails and their attachments or links. Another defense is making sure data is backed up frequently and in a manner that does not allow ransomware installed on a main system to reach the backup. In practice this means the backup copies are kept offline, or on storage the compromised system's user account cannot write to, since ransomware runs with the privileges of whoever opened the file and will encrypt any mapped network drive or attached disk it can reach. Restores should also be tested periodically; a backup that has never been restored is not yet a defense.
If you are not familiar with ransomware and the mechanisms of attack, the short story is that criminals, often located overseas, gain access to a computer system and encrypt the data so it cannot be read without a decryption key, which the criminals offer to sell to the data owner. Frequently, the mechanism of attack is an email that looks like a legitimate contact from a personal acquaintance, credit card company, service provider or other common business, and which asks the recipient to open a file or web link. Once the file or web link is opened, the ransomware installs itself and, depending on the variant, may encrypt local files, files on network shares, and files on other devices reachable from the infected machine. The first practical step at that point is to disconnect the infected machine from the network so the encryption stops spreading. Beyond that, the only two practical options for most entities are to: (i) restore everything from a backup; or (ii) pay the ransom and hope the criminals provide a working decryption key.
In addition to creating significant operational problems and possibly expenses, these attacks implicate compliance with federal healthcare privacy and security laws. For example, the HIPAA Security Rule's data backup plan requirement, 45 C.F.R. §164.308(a)(7)(ii)(A), requires a covered entity to "establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information." The facility access controls standard at 45 C.F.R. §164.310(a)(1) likewise requires limiting physical access to electronic information systems while ensuring that properly authorized access is allowed. And any time an unauthorized third party accesses a provider's computer system, it is a security incident, and the provider must determine whether a breach of unsecured protected health information has occurred under the HIPAA Breach Notification Rule.
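The two technical points above, that backups must be isolated from the system the ransomware runs on and that they must be "retrievable exact copies", can both be checked rather than assumed. The following script is an added illustration written for this alert, not code from the original or from any regulator; the directory layout, file names and the simulated ransomware are constructed for the example. It hashes every file in a live data set into a manifest, confirms the isolated backup still matches that manifest after the live copy is attacked, and flags live files whose contents have become near-random, which is what encrypted files look like and is one of the cheapest signs that something is actively encrypting a share.

```python
"""Added example: verify an isolated backup holds exact copies of the live
data set, and flag live files that look encrypted. Hypothetical helper code
for illustration; paths and sample records are constructed."""
import hashlib
import math
import secrets
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_exact_copies(manifest: dict, copy_root: Path) -> list:
    """Return the relative paths whose copy is missing or whose bytes differ.

    An empty list means copy_root still holds a retrievable exact copy of
    every file recorded in the manifest."""
    bad = []
    for rel, digest in manifest.items():
        p = copy_root / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is roughly 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_files(root: Path, threshold: float = 7.0) -> list:
    """Flag files whose contents are near-random, as encrypted output is."""
    return [str(p.relative_to(root)) for p in sorted(root.rglob("*"))
            if p.is_file() and shannon_entropy(p.read_bytes()) >= threshold]


def simulate_ransomware(root: Path) -> None:
    """Constructed stand-in for ransomware: overwrite every file with random
    bytes (real ransomware writes ciphertext, which looks the same to the
    entropy check) and rename it with a ransom extension."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(secrets.token_bytes(max(len(p.read_bytes()), 1024)))
            p.rename(p.with_suffix(p.suffix + ".locked"))


def demo() -> dict:
    """Run the whole scenario in a temp directory and return the findings."""
    samples = {  # constructed sample records, not real PHI
        "records/patient_001.txt": "Name: A. Example\nDOB: 1970-01-01\nVisit: annual physical, no findings\n",
        "records/patient_002.txt": "Name: B. Example\nDOB: 1982-05-17\nVisit: imaging follow-up scheduled\n",
        "billing/claims.csv": "claim_id,patient,amount\n1001,patient_001,120.00\n1002,patient_002,450.00\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        for rel, text in samples.items():
            for base in (live, backup):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_text(text)
        manifest = build_manifest(live)          # taken while the data is known good
        backup_before = verify_exact_copies(manifest, backup)
        simulate_ransomware(live)                # the backup tree is never touched
        return {
            "backup_mismatch_before": backup_before,
            "backup_mismatch_after": verify_exact_copies(manifest, backup),
            "live_mismatch_after": verify_exact_copies(manifest, live),
            "flagged_on_live": suspicious_files(live),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The manifest should be built and stored with the backup, not on the live system, so that an attacker who encrypts the live tree cannot also rewrite the record of what the files are supposed to hash to. The entropy threshold of 7.0 is a heuristic: compressed archives and images also score high, so in production it belongs alongside other signals (sudden mass renames, new extensions, ransom-note files) rather than standing alone.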
In summary, it has always been important to ensure compliance with healthcare data privacy and security laws to avoid regulatory problems, and now your compliance is being tested by malicious third parties. For this reason, now is a good time to assess compliance, confirm that backups are isolated and can actually be restored, and make sure providers and staff are trained about the risks and the safe use of computer resources. Going forward, regular checks and training should be incorporated into your routine. Please let us know if you have any questions about these issues.