Lessons from Ransomware Breach Reports
'Wall of Shame' Offers Details on Several Incidents
While the federal health data breach tally shows that hacker incidents continue to rise in 2017, regulators are offering up some insights from their investigations into a handful of ransomware-related breaches reported in 2016.
A May 8 snapshot of the Department of Health and Human Services' "wall of shame" website of breaches affecting 500 or more individuals shows that of 105 breaches reported so far in 2017, 35 incidents - or more than a third - involved hackers. The hacking incidents account for about 46 percent of the 1.84 million individuals affected by all breaches reported so far this year.
Some 1,926 breaches impacting a total of 173.4 million individuals have been reported to HHS since federal regulators began keeping a tally in September 2009. Of those, 305 hacking incidents affected a total of about 129.4 million individuals, or about 74 percent of all breach victims. The largest hacking incident to date is the cyberattack reported in February 2015 by Anthem Inc., affecting nearly 79 million individuals.
Of the top five largest breaches added so far this year on the wall of shame, four are listed as hacking incidents.
The largest 2017 breach so far was reported by Bowling Green, Kentucky-based Med Center Health, owned by Commonwealth Health Corp. That incident, affecting 698,000 individuals, involved a former Med Center Health employee who allegedly obtained patient information on an encrypted CD and encrypted USB drive, "without any work-related reason to do so," the company said in a statement.
The second largest breach added is a hacking incident affecting almost 289,000 individuals reported by Urology Austin on March 22. That incident involved a ransomware attack - an increasingly familiar theme.
"Unfortunately, I think the bad guys are learning that many healthcare organizations are easy targets with precious data - and, hence, some will pay the ransom," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"Many hospitals and other providers live with very real budget constraints and staffing shortages. And, frankly, security isn't usually a top priority, taking a back seat to electronic health record implementation and upgrades, or e-prescribing, for example."
Federal regulators say they investigate all reported health data breaches affecting 500 or more individuals. HHS' Office for Civil Rights typically posts in an online spreadsheet additional information about circumstances surrounding those breaches once it verifies the details or investigations are completed.
To date, the spreadsheet verifies the details of 10 breaches reported as hacking incidents involving ransomware. Each of those incidents was reported in 2016; the largest, reported last April, targeted Ohio-based Mayfield Clinic.
According to the details on the OCR spreadsheet, that incident involved a fraudulent email to Mayfield Clinic with an attachment that triggered a download of a ransomware virus to more than 23,000 email addresses held by the covered entity's business associate on its behalf. The protected health information involved in the breach included email addresses.
"Following the breach, the CE assessed system controls, provided anti-scanning updates to its employees' email, deleted the email addresses it maintained on its BA's systems, and put a hold on the future electronic distribution of newsletters. OCR obtained written assurances that the CE implemented the corrective actions listed," OCR notes.
Other Ransomware Attack Findings
In addition to the ransomware attack reported by Mayfield Clinic, key findings from other 2016 ransomware-related breaches investigated by OCR include:
- Several incidents reported to HHS by covered entities involved ransomware attacks on third-party vendors, including business associates as well as reinsurers, which are not considered business associates under HIPAA.
- Several organizations reported paying ransoms to unlock data, although the amounts of the ransoms were not listed.
- In at least two cases, there was no initial apparent breach of PHI. However, during restoration efforts to recover from the ransomware attack, backup devices failed, resulting in the loss of data.
- In one case, the hackers placed encryption on top of the healthcare provider's encryption, preventing access by the covered entity.
- In another incident, a medical center reported that ransomware encrypted many of its "merge documents" and held them for ransom, preventing the covered entity from printing any documents that required merging data. An internal investigation revealed that the ransomware had been introduced into its systems through an "add-on" via the internet.
- A family practice discovered that a ransomware virus accessed its server through an open firewall port. In response to the breach, the covered entity initiated a comprehensive review of its privacy and security safeguards, secured all open ports in its firewall, reviewed and secured all user accounts, strengthened passwords and installed additional security software.
Lessons to Learn
Healthcare entities and business associates can learn from the ransomware mishaps of others, including the findings spotlighted by OCR in the wall of shame breach reports.
"Covered entities and business associates should periodically verify their backups can be restored," says Keith Fricke, principal consultant at tw-Security. "This includes monitoring the results of daily backups, looking for errors indicating the backups may not have completed successfully."
Another good practice, he says, is to make sure the backup process is capable of copying open files. "Some backup software cannot properly make a copy of a database in use, for example," he notes. Also, organizations need to understand the frequency of their backup/data replication schedule. "This may help avoid situations where ransomware-encrypted files get backed up," he adds.
Borten advises that backups need to be segregated from the production environment. "For decades we've known that a major natural or environmental disaster calls for offsite backups that aren't subject to the same local threats and vulnerabilities. Increasingly, organizations use the cloud for backup as an alternative," she says. "Second, it doesn't end with creating backups. Those backups and the restore process must be tested periodically to ensure the data is available and the process works."
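The backup checks Fricke and Borten describe, monitoring daily backup results for errors, knowing how often backups run, and testing that a restore actually reproduces the data, can be automated. The script below is an added example written for this article; it is not code from the article, from OCR, or from either consultant's firm. The log line format, the job names, the sample log and the sample files are constructed assumptions, and real backup software will need its own parser in place of `parse_log()`.

```python
"""Monitor backup job results and verify a restore against a source manifest.

Constructed log format (an assumption for this example, not any product's):
    <ISO-8601 UTC timestamp> job=<name> status=<ok|failed|partial> files=<n> errors=<n>
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

LOG_RE = re.compile(
    r"^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>ok|failed|partial) "
    r"files=(?P<files>\d+) errors=(?P<errors>\d+)$"
)

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = """\
2017-05-06T02:00:12Z job=ehr-db status=ok files=1240 errors=0
2017-05-07T02:00:09Z job=ehr-db status=failed files=0 errors=1
2017-05-07T02:05:31Z job=fileshare status=partial files=880 errors=12
2017-05-08T02:00:14Z job=fileshare status=ok files=892 errors=0
"""


def parse_ts(text):
    """Parse the log timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": parse_ts(m["ts"]), "job": m["job"], "status": m["status"],
            "files": int(m["files"]), "errors": int(m["errors"]),
        })
    return entries


def find_problem_jobs(entries, now, max_age_hours=26):
    """Return {job: reason} for jobs whose most recent run was not 'ok', or whose
    last successful run is older than max_age_hours (the schedule's tolerance)."""
    by_job = {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_job.setdefault(e["job"], []).append(e)
    problems = {}
    for job, runs in by_job.items():
        latest = runs[-1]
        ok_runs = [r for r in runs if r["status"] == "ok"]
        if latest["status"] != "ok":
            problems[job] = f"latest run {latest['status']} with {latest['errors']} error(s)"
        else:
            age = now - ok_runs[-1]["ts"]
            if age > timedelta(hours=max_age_hours):
                problems[job] = f"no successful run in {age.total_seconds() / 3600:.0f}h"
    return problems


def digest_tree(files):
    """Map each relative path to the SHA-256 of its contents ({path: bytes} in)."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}


def read_tree(root):
    """Read every regular file under `root` into {relative_path: bytes}."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}


def verify_restore(source_manifest, restored_files):
    """Compare a manifest taken from the source before backup against the restored
    copy. Returns the sorted paths that are missing or whose contents differ."""
    restored_manifest = digest_tree(restored_files)
    return sorted(p for p, d in source_manifest.items() if restored_manifest.get(p) != d)


if __name__ == "__main__":
    now = parse_ts("2017-05-08T12:00:00Z")
    for job, reason in find_problem_jobs(parse_log(SAMPLE_LOG), now).items():
        print(f"ALERT backup job {job}: {reason}")
    # Constructed restore test: one file came back truncated.
    source = {"notes/a.txt": b"record A", "notes/b.txt": b"record B"}
    restored = {"notes/a.txt": b"record A", "notes/b.txt": b"rec"}
    print("restore mismatches:", verify_restore(digest_tree(source), restored))
```

Run against a real directory, `digest_tree(read_tree(src))` taken at backup time and stored alongside the backup gives the manifest, and `verify_restore(manifest, read_tree(restore_dir))` after a test restore lists what did not come back intact. `max_age_hours` should be set just above the scheduled interval so that a single missed run raises an alert rather than going unnoticed until the next successful run.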
Firewall Rule Modifications
As for preventing ransomware from entering a network through open firewall ports, Fricke suggests that firewall rule modifications "should go through some kind of change management process that reviews the changes before they are made. This should include understanding the impact of changing the rules and what possible effects the changes have on the security posture of the organization."
Mac McMillan, president of security consulting firm CynergisTek, says a specific hardening guide should be used when building firewalls. "Access should be restricted to those authorized to administer; a strict policy of blocking access unless justified should be followed; periodic testing of firewalls to detect open ports should be conducted and real-time auditing of firewall logs and changes should alert IT staff," he adds.
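One way to support the review and auditing Fricke and McMillan call for is to keep the approved ruleset under change control and compare the live ruleset against it, flagging additions that never went through review and any accept rule that opens a port to every source. The script below is an added example, not code from the article or from tw-Security or CynergisTek; the rule line format, both rulesets and the port allow-list are constructed assumptions (real firewalls export rules in their own formats, so `parse_rules()` would be replaced).

```python
"""Detect firewall ruleset drift against an approved baseline.

Constructed rule format (an assumption for this example, not any vendor's):
    <action> <proto> <dst_port> <source>
e.g. "accept tcp 443 any". Blank lines and '#' comments are ignored.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "action proto port source")

# Constructed approved baseline: the rules change management signed off on.
APPROVED_RULES = """\
accept tcp 443 any
accept tcp 22 10.0.5.0/24
drop any any any
"""

# Constructed live ruleset: a rule opening port 3389 to any source was added
# without going through review.
CURRENT_RULES = """\
accept tcp 443 any
accept tcp 22 10.0.5.0/24
accept tcp 3389 any
drop any any any
"""


def parse_rules(text):
    """Parse rule lines into Rule tuples, skipping blanks and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(*parts))
    return rules


def rule_drift(approved, current):
    """Rules present in `current` but not approved, and approved rules that have
    disappeared. Output order follows the rulesets so reports are stable."""
    approved_set, current_set = set(approved), set(current)
    return {
        "added": [r for r in current if r not in approved_set],
        "removed": [r for r in approved if r not in current_set],
    }


def exposed_ports(rules, allowed_ports):
    """Ports accepted from any source that are not on the allow-list.
    A rule accepting any port from any source is reported as 'any'."""
    hits = {
        r.port for r in rules
        if r.action == "accept" and r.source == "any"
        and (r.port == "any" or int(r.port) not in allowed_ports)
    }
    return sorted(hits, key=lambda p: -1 if p == "any" else int(p))


if __name__ == "__main__":
    approved = parse_rules(APPROVED_RULES)
    current = parse_rules(CURRENT_RULES)
    drift = rule_drift(approved, current)
    for r in drift["added"]:
        print("UNREVIEWED RULE ADDED:", " ".join(r))
    for r in drift["removed"]:
        print("APPROVED RULE MISSING:", " ".join(r))
    print("ports open to any source outside the allow-list:", exposed_ports(current, {443}))
```

Scheduled runs of a check like this, with the approved baseline updated only when a change request is closed, turn the review process into something that is verified rather than assumed; the `exposed_ports()` check is deliberately a static read of the ruleset, so it complements rather than replaces the periodic open-port testing McMillan describes.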
Reacting to the incident involving ransomware being introduced into a system through an internet "add-on," Fricke notes: "Only an organization's IT department should be authorized to download and install software, where possible and practical. Computers should be configured to restrict administrative access for everyday users, which usually prevents unauthorized installation of most software. Leaving software installations - including add-on software - to IT reduces the likelihood of malware infections and improperly licensed software on computers."
Temptation to Pay
Although the FBI recommends against paying ransoms under any circumstances, it's not surprising to see in OCR's review of ransomware breaches that some healthcare organizations have paid a ransom to recover their data.
"If an organization is unable to restore its data - particularly PHI needed for patient care - then this is a business decision and not necessarily unreasonable," Borten says.
McMillan says more organizations are paying ransoms "primarily out of frustration, and in recognition of the disruption, cost and reputational impacts of these attacks. It's not a preferred option by anyone; it's more of a 'damned if you do, damned if you don't' decision."