Is Healthcare Sector Better Prepared for Ransomware Attacks?
Several Organizations Have Avoided Paying Ransoms, Thanks to Backup Plans
Several recently reported breaches involving ransomware attacks in which organizations recovered without paying a ransom to extortionists offer a glimmer of hope that healthcare entities are getting better prepared to deal with such incidents.
On May 6, Eden Prairie, Minnesota-based American Baptist Homes of the Midwest, which provides healthcare services in the senior housing communities it operates in six states, reported to the Department of Health and Human Services a hacking incident affecting nearly 11,000 individuals.
ABHM is among a handful of healthcare sector entities that have reported ransomware attacks in recent months and were able to recover using backups, avoiding paying extortionists for a decryption key to unlock their data. Others include business associate Doctors Management Services - which reported a breach impacting nearly 207,000 individuals - and the Southeastern Council on Alcoholism and Drug Dependence, which reported a breach affecting nearly 25,000 individuals.
In each of these cases, the organizations say they hired security firms to help them recover from the ransomware attacks using backup systems. But each organization reported the incidents to HHS as breaches because of the potential that individuals' protected health information was viewed or accessed by hackers in the attacks.
ABHM says it was the victim of a ransomware attack on or about March 10. "ABHM acted quickly to address the issue and was able to recover and regain control of the files and end the incident after only a few hours," it says in a statement.
"The incident occurred when an unauthorized party gained access to ABHM's computer system and infected the system with malware. The malware encrypted many of ABHM's records, which made them inaccessible, in an effort to extort money. We discovered the malware very shortly after it encrypted our records on March 10 and were able to stop the incident and secure the affected accounts."
ABHM says that although the ransomware attack did not impact its clinical and billing system, it affected the company's emails and general file systems.
"Due to the nature of the computer servers and the information stored on them, the unauthorized party may have had access to names and addresses of individuals whose data was maintained by ABHM," the statement says.
Other information, including Social Security numbers, medical information - such as diagnosis, lab results and medications - and financial information, may have been accessible to the intruders, ABHM says.
ABHM did not immediately respond to an Information Security Media Group request for additional details about the incident.
The healthcare sector - like many industries - has been dealing with a rise in ransomware attacks over the last few years.
A snapshot on Tuesday of the HHS HIPAA Breach Reporting Tool website listing health data breaches impacting 500 or more individuals shows that since 2009, of the nearly 2,700 breaches posted, about 62 reported incidents that have been investigated by HHS involved ransomware attacks.
In 2016, HHS issued guidance advising that most ransomware attacks are reportable breaches under the HIPAA Breach Notification Rule.
The recently issued 2019 Verizon Breach Investigations Report says that for the second straight year, ransomware attacks accounted for over 70 percent of all malware incidents in the healthcare sector.
"Ransomware is typically not a targeted attack. The attacker is not specifically targeting one organization. They leverage bots to scan or blast out malicious email, etc.," says former healthcare CISO Mark Johnson of the consulting firm LBMC Information Security.
"So the fact that healthcare is dealing with these attacks more frequently than other industries could mean one of two things," he suggests. "One might be that other industries don't have the reporting requirements that healthcare does, and so we aren't hearing about it as much. Or the second reason may be that healthcare is more susceptible to these types of attacks because organizations are still using out-of-date systems and applications, and healthcare is still struggling with asset management, vulnerability management and patch management."
Recent news that more healthcare entities have been able to recover from these incidents without having to resort to paying ransoms, however, shows that organizations apparently are becoming more vigilant about having backups ready in case of disaster.
"Good backups, patching and asset management are all keys to being able to deal with or prevent these types of attacks," Johnson says.
Tom Walsh, president of consulting firm tw-Security, says that in addition to preparing backup systems, organizations should focus on workforce training and awareness about ransomware threats as well as social engineering drills. Plus, he advises them to "encrypt all confidential data - otherwise, the hackers will do it for you. And limit individual access to network and other resources to the minimum necessary."
While healthcare entities try to do a better job in dodging and responding to ransomware and other attacks, the cyberthreat landscape continues to evolve, Johnson warns.
"Most ransomware attacks require some user interaction, but what's really scary to me is the new Microsoft CVE-2019-0708 that came out last week," he says (see: To Prevent Another WannaCry, Microsoft Patches Old OSs). If left unpatched, the vulnerability in older Microsoft operating systems could open the door to a ransomware attack.
"The good news is that I haven't heard of a real attack yet," he says. "Microsoft has said in the past that typically they have seen a time lapse of 30 days between when they release a patch for a vulnerability to when there are attacks in the wild. If that pattern holds, we have 30 days from last week to find and patch these systems. That may not be enough time for cybersecurity programs that are less mature."