Healthcare I AUGUST 14, 2017

Ransomware Attacks Against Entities Governed by HIPAA

Cyberattacks—sometimes accomplished through the use of ransomware—against healthcare providers, their associated professional entities, and downstream business associates (each generally referred to herein as a “healthcare entity” or “healthcare entities”) are on the rise. Healthcare entities are attractive targets because they: 1) typically obtain and retain broad protected health information (“PHI”) (e.g., most healthcare entities receive and retain patients’ names, addresses, dates of birth, phone number(s), social security numbers, financial data, etc.), which may be stored in a single location; 2) have not historically operated in an electronic environment (i.e., healthcare entities have historically maintained paper records containing PHI, and may have only recently implemented computer networks, servers, EMR systems, etc. that store and transmit electronic PHI (“ePHI”)); and 3) require access to up-to-date ePHI (e.g., accessing medical histories, prior treatment, etc.). The combination of the foregoing, in addition to other factors, makes healthcare entities attractive targets to those with nefarious intentions.

1. What is Ransomware?

As the name suggests, ransomware is a type of malware (malicious software) that infiltrates computers, networks, and servers and encrypts the data stored therein in order to essentially lock permitted users out of such systems until the users pay a ransom (usually via cryptocurrency such as Bitcoin). Ransomware may be introduced into a computer system or network through spear phishing activities designed to cause the recipient in the organization to: i) open a deceptive email attachment (perhaps from a commonly known medical vendor); or ii) click on an insincere website link, which enables the ransomware malware to be installed on the computer. Once the ransomware is installed, the ransomware scours the infected computer and associated network and services to locate the ePHI and other data and uses advanced algorithms to encrypt the data. Once encrypted, the data can only be decrypted by entering the decryption password (which is known only to the individual whom sent the ransomware attack). If the nefarious individual who deployed the ransomware attack provides the decryption key, the target healthcare entities may be able to decrypt the information and potentially regain access to the data (assuming the ransomware was not programed to destroy the data). Irrespective of the deployment mechanism, the reality is that, unless a user notices slow computer processing or an information technology (“IT”) professional notices an issue within the system, the ransomware is often only first discovered when the systems display a message that the user must pay a ransom to access the data. It should be noted that while monetary gain upon payment of the ransom is the motivating factor, some ransomware will still destroy the captured data even if the ransom is paid.

2. Data Breaches and Ransomware Attacks.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), The Health Information Technology for Economic and Clinical Health Act (“HITECH”) (which was enacted as part of the American Recovery and Reinvestment Act of 2009) and their associated regulations are a complicated set of standards that set the baseline compliance requirements for covered entities and business associates. Although HIPAA and the HITECH Act have been around for many years, and the Omnibus Final Rule was issued in 2013, healthcare entities have (in some cases) remained behind the curve in properly safeguarding ePHI for various reasons. Entities know to physically lock the doors to the office suite and implement other physical safeguards, but some providers are not as confident on how to protect ePHI in a digital environment in order to comply with the HIPAA Security Rule. Given the frequency with which such security incidents (which is a specifically defined event under HIPAA) are occurring (some of which are a result of ransomware attacks), healthcare entities should heed the warnings and take proactive steps to update their HIPAA compliance, protect their systems and train their staff of the risks.

Security incidents (which may be considered breaches of unsecured PHI, in accordance with HIPAA, depending on the facts and circumstances) are a significant problem in the healthcare industry that are occurring with greater frequency. For years, many healthcare entities focused on preventing outward facing breaches of unsecured PHI (e.g., a staff member losing an unencrypted laptop or flash drive, etc.), but over the past few years, healthcare entities are being attacked by in-bound threats with greater frequency with the purposeful intent to penetrate their systems. And, although ransomware attacks are typically reported by news outlets as affecting major health systems, a ransomware attack can be deployed against a smaller healthcare practices with equal harm. According to The U.S. Department of Health and Human Services (“HHS”) Fact Sheet on Ransomware and HIPAA (published in 2016), a U.S. Government interagency report indicated that there was a three hundred percent (300%) increase in the number of ransomware attacks occurring in early 2016 compared to the amount that occurred in 2015 (which, at the time, indicated that in early 2016, there were more than 4,000 ransomware attacks occurring daily).

3. Proactive Measures.

Proactively addressing HIPAA and security related compliance is the best defense. For instance, and while certainly not an exhaustive list, healthcare entities should consider the following (and others) with their healthcare counsel and IT professionals:

a. Global HIPAA Compliance. Healthcare providers should consider assess their general compliance with HIPAA, which sets a minimum required floor for compliance. In connection therewith, healthcare entities should consider assessing their compliance with the Security Rule’s administrative, physical and technical safeguards and consider taking additional steps that may be above and beyond the minimum requirements required by HIPAA. Moreover, in furtherance of the HIPAA compliance, healthcare entities should consider conducting thorough risk assessments to identify potential vulnerabilities to the confidentiality, integrity and availability of all ePHI that the healthcare entity creates, receives, transmits or maintains and implement safeguards to mitigate those risks and vulnerabilities.

b. Obtain Guidance. Given the serious nature of safeguarding ePHI and complying with HIPAA, in addition to the fact that not all healthcare entities have taken all steps necessary to protect themselves in accordance with the minimum requirements mandated by law, healthcare entities should consider working work with experienced healthcare counsel who can assist the healthcare entity with implementing appropriate and reasonable policies, systems and safeguards to improve the current status quo to comply with applicable law. IT professionals will also play an important role in assisting the healthcare entity in overall security.

c. Routinely Backup Data. Healthcare providers should consider how data backups are conducted (and whether such backups are stored within the network or separate from the central networks). The healthcare entity should consider how such backups might be compromised in the event of a ransomware attack. Note that any backups should be encrypted (to the extent possible) and otherwise comply with other HIPAA requirements so such backups are not independently subject to a potential breach scenario. Moreover, the healthcare entity should regularly confirm that the backups are capable of being restored in the event that their systems are compromised or held hostage.

d. Provide Staff Training. Most individuals who work in a healthcare setting want to do the right thing to serve patients and comply with office policies and applicable law. However, given that HIPAA can be complex and applying HIPAA rules to real-life situations can be challenging, staff members should be instructed as to required practices and offered an opportunity to ask questions so they can understand how to handle various situations. Training staff members is as important as the implementation of technological and administrative safeguards as staff members may receive a phishing email that could allow the malicious user access to the company’s systems. Thus, staff members need to be trained on overall HIPAA compliance and also specific risks. Staff members should also be trained as to how they should respond in the event of a security incident and how the healthcare entity will operate following such security incident.

e. Minimum Necessary Access. Each staff member should have a distinct limitation to which IT systems that staff member is authorized to access (which is commensurate with their position).

4. Conclusion

A security incident in any industry is devastating, but a security incident that results in a breach (pursuant to HIPAA) in the healthcare space can be financially and reputationally disastrous. Irrespective of the type of services that the healthcare entity provides, from a general business perspective and a HIPAA compliance perspective, healthcare entities need to take affirmative steps to implement a robust HIPAA compliance plan, implement recommended security measures, perform broad risk assessments and address any identified deficiencies, and educate personnel so the provider is better prepared in today’s technological environment. While ransomware is a legitimate threat that should be considered, the more global message is that healthcare entities need to proactively and robustly consider their HIPAA preparedness to include all potential risks and vulnerabilities, mitigate any identified risks and vulnerabilities, and have a plan to respond to any security incident. Given the facts and circumstances of the security incident, the healthcare entity will need to work with healthcare counsel and IT professionals to determine if the security incident resulted in a breach under HIPAA (the specifics of which are beyond the scope of this bulletin) and address subsequent remedial measures and actions.

This bulletin is for general informational purposes only, and does not constitute legal advice.