Surge of Records-for-Ransom Attacks Makes Tightened Digital Security More Important Than Ever
Practice Management Feature — August 2016
Tex Med. 2016;112(8):53-58.
By Joey Berlin
Millions of dollars are being transferred digitally from reputable entities to criminals, exposing just how vulnerable physician practices are to technological invaders. All it takes for this nightmare scenario to transpire is one person in a physician's office coming into contact with computer malware.
Big practice, small practice, or in-between, the recent rise of ransomware poses a serious threat. When that threat becomes reality, it can leave physicians feeling helpless.
In a ransomware attack, cyber criminals use malware to lock an organization, such as a medical practice, out of its computer data and demand a digitally paid ransom in exchange for the decryption key needed to regain access to the information. In April, the FBI told CNN that cyber criminals had already collected $209 million in the first three months of 2016 by extorting various entities with a locked computer server.
Ransomware has reached Texas, and its emergence highlights the importance of up-to-date security. Matt Murray, MD, chair of the Texas Medical Association Ad Hoc Committee on Health Information Technology (HIT), notes that until recently, cyber attack prevention strategies focused on maintaining confidentiality of electronic health records (EHRs). But the threat of ransomware is creating a "new normal," Dr. Murray says, and a ransomware attack is a different threat than an EHR data breach.
"It impedes the ability to take care of patients who are in the office, as well as those who call the office," Dr. Murray said. "At the end of the day, the physician is left struggling to take care of patients who are sick without access to information that is really needed."
The Texas Medical Liability Trust (TMLT) has received cyber extortion-related reports from 12 policyholders. John Southrey, director of product development and consulting services at TMLT, notes the level of sophistication in ransomware attacks can be high. The difficulty in battling the new threat once it hits means physicians need strong preventive measures.
"The people who are doing this are not some geeks in the garage or in their apartment," Mr. Southrey said. "I mean, that can be the case. … You've got some really smart people out there, but a lot of this is organized."
Insurance coverage in the event of a ransomware attack is crucial, and TMLT's medical professional liability policies include cyber liability coverage for cyber extortion. Those policies cover the expenses of an attack and, with TMLT's consent, reimbursement for the payment of cyber extortion funds to terminate the threat.
It Could Happen to You
Symantec's Internet Security Threat Report, Volume 21, April 2016, says ransomware attacks increased by 35 percent in 2015 across all industries.
"An extremely profitable type of attack, ransomware will continue to ensnare PC users and expand to any network-connected device that can be held hostage for a profit," the report said.
Health care is particularly vulnerable to the ransomware threat. KPMG's 2015 Health Care and Cyber Security Survey, which polled 223 U.S.-based health care executives, found four-fifths of respondents said cyber attacks had compromised their information technology.
Several large health systems have been high-profile ransomware targets.
In February, a ransomware attack knocked the computer systems at Hollywood Presbyterian Medical Center in Los Angeles off-line for more than a week, according to reports. The hospital ultimately decided to pay the ransom of about $17,000 in bitcoins, a digital form of currency, to obtain the decryption key and regain access to records.
In late February, according to the International Business Times website, a group of Turkish hackers claimed responsibility for the Hollywood Presbyterian hack, a claim the Times said was unverifiable without proof. At press time, the FBI was investigating the attack.
A South Texas physician alerted TMA about a ransomware attack the physician sustained earlier this year. When smaller shops are the target, the perpetrators adjust their ransom demands accordingly.
As Mr. Southrey explains, "Usually the ransom is reasonable because they know if it's too expensive, the practice is not going to pay it.
"In general, when we do our risk assessments for medical practices, we find privacy and security vulnerabilities, and they're not even aware of these vulnerabilities," he said. "They're a target because cyber criminals know that they don't have those resources like some organizations do. … They're kind of a training ground, or as some commentators have stated, 'low-hanging fruit' for cyber criminals to be able to get into their systems. And it's a quick buck for these cyber criminals if their ransom demand is reasonable, such as $500 or $600."
Part of the problem stems from small-practice physicians either not being aware of the pervasiveness of cyber threats or believing their operation isn't large enough to interest hackers. Patrick Casey, then-meaningful use and quality assurance specialist for the North Texas Regional Extension Center (NTREC), said in May there hadn't been any inquiries from physician practices about protecting themselves from ransomware. NTREC, scheduled to close in June, assisted small practices in transitioning to EHRs and also performed security risk assessments.
Mr. Casey says many physicians have "an overconfidence … in technical solutions. They usually believe a certified EHR system completely takes care of security for them," he said, adding that most small practices "don't think they're interesting enough to be attacked in any sense."
"There is very little awareness of the issue and there's very substantial overconfidence that somebody else, like their EHR vendor or IT contractor, is taking care of this for them. It doesn't surprise me that they're usually not worried about it. The only time they're worried about it is when they get hit or when they get audited [for meaningful use or HIPAA compliance]. And so far, nobody who's gotten hit has given us a call."
Common vulnerabilities TMLT has identified include out-of-date data security, careless use of passwords, and outdated computer systems. (See "Compromised Data.")
Prevention of a ransomware attack starts with strong data security training for staff, IT security, and making sure backup data exists. Malware often infects a practice's computer system when someone in the office unknowingly opens an infected email attachment or clicks on an infected link.
TMA recommends physicians back up their computer systems regularly to an external drive or a backup service, such as a cloud service provider. Physicians should equip computers with reputable anti-malware software and a firewall to help detect threats. TMA also recommends practices set up their email accounts to deny emails with executable file attachments, patch or update their software regularly, and enable automatic software updates.
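One of the controls above, denying mail that carries executable attachments, can be checked at a mail gateway. This is an added illustration, not code from the article, TMA or any vendor; the deny list of extensions and the sample messages are constructed for the example, and it also looks inside zip archives, a common wrapper for such attachments.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types Windows runs directly (constructed deny list; extend it for your environment).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs", "wsf", "ps1", "msi", "hta"}


def is_executable_name(filename):
    """True when the final extension is executable, which also catches 'invoice.pdf.exe'."""
    _, dot, ext = filename.rpartition(".")
    return bool(dot) and ext.lower() in EXECUTABLE_EXTENSIONS


def executable_attachments(raw_message):
    """Return names of executable attachments in a raw RFC 5322 message, including those inside zip archives."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_executable_name(name):
            found.append(name)
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    found.extend(f"{name}:{m}" for m in zf.namelist() if is_executable_name(m))
            except zipfile.BadZipFile:
                found.append(f"{name} (unreadable archive)")  # fail closed on a damaged archive
    return found


def build_zip(members):
    """Constructed sample archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(filename, data):
    """Constructed sample message with one attachment (test input, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "frontdesk@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

A message for which `executable_attachments` returns a non-empty list would be quarantined rather than delivered to the front desk.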
"It's really having that backup and then good patch management, making sure that you do all your updates. You don't use end-of-life systems like Windows XP or a Windows Server 2003 because it's not supported anymore by Microsoft," Mr. Southrey said.
TMA Practice Consulting offers HIPAA compliance assessments that evaluate the strength of a practice's cyber security. (See "HIPAA Help From TMA.")
Abilene family physician D. Allen Schultz, MD, a member of the Ad Hoc Committee on HIT, calls ransomware "a likely threat of severe intensity."
"You really assess threats two ways: Is it likely, and how severe would it be if it occurred?" he said. "I think that it is likely and that the damage would be severe. I'm very concerned about that and interested in making sure that we've got good firewalls and try not to use any of my office computers for surfing the Web or downloading email or anything like that."
Dr. Murray says, along with a backup of EHR data, the most effective, foolproof protection against a ransomware attack is the ability to quickly restore the EHR and its data.
"If the practice can do that, they will not have to pay a ransom, and the impact on patient care can be minimized if the backup and restore tools and processes are effective," he said. But he says no system is completely cyber attack-proof, and physicians must have a business continuity plan for technology downtimes or disasters. The primary focus of a preventive strategy, he says, should be to ensure a degree of clinical continuity when the EHR system goes down.
"Physician practices should understand the tools and processes that are in place to back up and restore the [EHR] in the event of a disaster and to make sure they get tested. I emphasize again, to make sure they get tested," Dr. Murray said. "The first time a physician discovers that it will take a week to restore their [EHR] should not be after a real disaster strikes. Instead, the practice and their vendor should periodically undertake a disaster drill to test the backup and restore tools and processes."
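The disaster drill Dr. Murray describes can be scripted so that it is run on a schedule rather than remembered. This is an added illustration, not code from the article or any EHR vendor: it backs up a directory with a hash manifest, restores it to a scratch location, and fails the drill if any file is missing or corrupt. The sample "records" are constructed and contain no patient data.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large record exports do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def backup(source, dest):
    """Copy the source tree to dest/data and record a manifest of relative path -> sha256."""
    source, dest = Path(source), Path(dest)
    shutil.copytree(source, dest / "data", dirs_exist_ok=True)
    manifest = {str(p.relative_to(source)): sha256_of(p) for p in source.rglob("*") if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest))
    return manifest

def restore_drill(backup_dir):
    """Restore into a scratch dir and check every file against the manifest; returns (ok, problems)."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restored"
        shutil.copytree(backup_dir / "data", target)
        for rel, expected in manifest.items():
            restored = target / rel
            if not restored.is_file():  # a missing file must fail the drill, not pass quietly
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"corrupt: {rel}")
    return (not problems, problems)

def run_sample_drill(tamper=False):
    """Constructed scenario: two sample 'records', a backup, then the drill (optionally against a damaged backup)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "records"
        (live / "2016").mkdir(parents=True)
        (live / "2016" / "visit-0001.txt").write_text("constructed sample record, not PHI")
        (live / "schedule.csv").write_text("date,patient\n")
        backup(live, Path(tmp) / "backup")
        if tamper:  # simulate backup media that silently lost a file
            (Path(tmp) / "backup" / "data" / "schedule.csv").unlink()
        return restore_drill(Path(tmp) / "backup")
```

In a real practice the drill would also time the restore, since the week-long recovery Dr. Murray warns about is exactly what the exercise is meant to surface.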
Just Pay Up?
After an attack does happen, giving in to the criminals and paying the ransom to restore access is hardly an ideal solution. However, some hacked hospitals, including Hollywood Presbyterian, have done so.
"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Hollywood Presbyterian then-Chief Executive Officer Allen Stefanek told the Los Angeles Times in a Feb. 18 story. "In the best interest of restoring normal operations, we did this."
Mr. Southrey and others point out there is also a risk in paying the ransom. Although practices will get their data back in most cases, Mr. Southrey says, there's no guarantee they will. Also, hackers could breach the data themselves in addition to locking the practitioner out of it. He says if the hackers do breach the data, the practice may never receive confirmation they deleted it once they handed over the encryption key. A hacker who still has access to the data could use it for other criminal purposes.
In May, Kansas Heart Hospital in Wichita learned the hard way that hackers aren't always true to their word. The hospital sustained an attack on its files and paid an undisclosed ransom, according to a May 20 report by KWCH-TV. But the hackers didn't give the hospital full access to its files, instead demanding a second payment. Kansas Heart said it refused to pay the second time, with hospital President Gregory Duick, MD, saying the institution decided paying the ransom was "no longer … a wise maneuver or strategy," according to the KWCH report. Dr. Duick said the hospital had a plan in place for such an attack and put it into action, and told KWCH "patient information was never jeopardized" as a result of the hack.
An FBI agent made news in security circles last October when he reportedly told an audience at a Boston cyber security conference that some malware is so uncrackable that "to be honest, we often advise people just to pay the ransom." Joseph Bonavolonta, assistant special agent in charge of the FBI's CYBER and Counterintelligence program in its Boston office, told the conference, according to news website The Security Ledger, "The ransomware is that good." Mr. Bonavolonta said while victims of ransomware should contact the FBI, the bureau had been unable to crack the encryptions of some types of malware, adding "the easiest thing to do may be to just pay the ransom."
But in a blog post on the ransomware threat last April, the FBI said it doesn't recommend doing so.
"Paying a ransom doesn't guarantee an organization that it will get its data back. We've seen cases where organizations never got a decryption key after having paid the ransom," James Trainor, assistant director of the FBI's Cyber Division, wrote in the blog post. "Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals."
The FBI recommends organizations focus on prevention — having both employee awareness and technical controls in place — and creating a solid business continuity plan to act on if an attack does happen.
TMA plans to raise awareness of the threat of ransomware and help physicians manage all security and technology risks. The Ad Hoc Committee on HIT is keeping its eye on the development of the SECURETexas certification program, one potential cyber security risk-mitigation avenue.
In 2011, the Texas Legislature passed House Bill 300 by then-Rep. Lois Kolkhorst (R-Brenham). The legislation mandated the creation of a state compliance certification program. As a result of the bill, the Texas Health Services Authority contracted with the Health Information Trust Alliance to develop SECURETexas. According to HB 300, certification would be a mitigating factor if a physician violates the Texas Medical Records Privacy Act, potentially leading to reduced civil or administrative penalties in the event of a data breach.
Family medicine physician James Stefan Walker, MD, a member of the Ad Hoc Committee on HIT, beta-tested a small-practice version of the program using his practice, Corpus Christi Medical Associates, and reported back to the committee.
Through those reports, Dr. Murray said, "We see that there is a lot of value that can be gained by the practice as they have to go through the certification process. But we also see that more work is needed to further simplify the process. Our goal is to have a certification program that uses a security risk analysis process and provides a risk management plan that is designed specifically for a physician practice, is cost-effective, is feasible to achieve without straining physician and staff time, and is able to provide value by reducing and managing technology risks, including ransomware attacks."
In many organizations, large and small, Mr. Casey says, "The attitude is, 'What do I need to do to comply with the law?' not 'What do I need to do to protect my patients' data and my patients?' They don't yet have that thought."
"Honestly, I don't want doctors having to become experts in HIT security. They've got enough on their plate to be doctors," he said. "We have to find a way to continue to and even increase the support that we make available to the health care community."
Large hospital systems, he adds, "can probably afford a chief information security officer who does nothing but … worry about security and get monitoring software and all that kind of jazz. Those resources can be made available to every small practice associated with that hospital; otherwise, security expertise and support are not available to the independent practices in the ambulatory community."
Joey Berlin can be reached by phone at (800) 880-1300, ext. 1393, or (512) 370-1393; by fax at (512) 370-1629; or by email.
Compromised Data
The Texas Medical Liability Trust (TMLT) compiled this list of 10 common causes of compromised patient data:
- Cyber criminals/cyber attacks
- Lost or stolen portable devices
- Failure to use encryption
- Failure to promote patient data security within the work culture
- Out-of-date data security
- No cyber security plan
- Careless use of passwords
- Unsecure Wi-Fi networks
- Outdated computer systems
- Cloud storage that fails to meet HIPAA storage requirements
For more information, visit TMLT's slideshare on cyber security best practices.
HIPAA Help From TMA
Minimize your risk for compromised patient data by establishing and maintaining an effective HIPAA compliance program with the help of TMA Practice Consulting.
A consultant will use HIPAA guidelines to conduct a walk-through assessment of your practice and provide a written summary identifying deficiencies and explaining how to correct them.
The consultant also will perform on-site training for physicians and staff on the following fundamentals:
- HIPAA basics,
- Who is covered,
- Privacy and security laws,
- Using and disclosing protected health information (PHI),
- Protecting PHI,
- Authorization requirements,
- Myths about HIPAA, and
- Your responsibilities and next steps.
For more information, contact TMA Practice Consulting at (800) 523-8776 or by email.