Ransomware In Healthcare: It’s Not Just a Provider Issue

Ransomware continues to be a troubling trend in healthcare. A recent Sophos survey of 5,600 healthcare IT professionals noted that 66% of their organizations had been hit by ransomware in 2021. This is a 94% year-over-year increase in healthcare ransomware attacks. The survey also indicated that 61% paid the ransom, which exceeds the global average of 46%.  

Historically we think of ransomware as a provider issue. Headlines such as “Texas Tech University Health Sciences Center and Baptist Health Report Data Breaches of Over 1.2 Million Records” do not immediately make it clear that the breach actually originated at a business associate, not at the health care provider. A review of the data breach reporting to the Department of Health and Human Services indicated that the breach was related to a ransomware attack at Eye Care Leaders that put more than 2,000,000 records at risk in June of 2022 alone. In another example, on July 1, 2022, a little-known company, Professional Finance Company, Inc., reported that in May of 2022 it had notified more than 650 health care provider clients of a ransomware attack, detected on February 26, that impacted over 1.9 million individuals.

A review of the Cases Currently Under Investigation list on the Department of Health and Human Services Office for Civil Rights website indicated there were 282 breaches by Business Associates currently under investigation. 113 of those cases, involving over 1.7 million records, were related to Hacking/IT incidents, which may indicate ransomware attacks.

Ransomware threats continue to grow, including attacks allegedly executed or backed by governments that have adversarial relationships with the United States, as evidenced by the July 2022 Cybersecurity & Infrastructure Security Agency (CISA) alert on North Korean state-sponsored ransomware attacks.

Just because your organization is not a healthcare provider does not mean that the bad actors are not after your data. Be aware that the risks are high. In addition to the cost of responding to the attack, you can expect lost customers, regulatory investigations, and class-action lawsuits. Within two days of Professional Finance Company disclosing its breach, at least two class action lawsuits were in process.

How to Protect Your Organization

There are several steps you can take to protect your organization. A good first step is to make sure you have the “basics” covered:    

Perform enterprise-wide risk assessments: Your risk assessment needs to be updated annually as required by HIPAA. Be sure your assessments cover all areas of your organization, even those you may consider to be low risk.

Train your workforce: Educating your staff on the dangers of ransomware is key. Conducting periodic phishing tests is also important to your cyber security. Be sure your workforce knows how to report suspected phishing or other suspected malicious activity. Require your help desk to verify identity before performing password resets; it is not safe to simply assume the caller is an employee who needs a password reset.

Keep your systems current: Keep all operating systems and malware protection software up to date by upgrading to the most current versions as soon as they are available. Constantly monitor your system for exploited vulnerabilities and establish a formal patch management program.

Multi-factor Authentication (MFA): Require MFA for webmail, VPNs, and all networks and systems that are considered critical/privileged access.

Access for system modifications and audit system changes: Do not allow users to install software that has not been reviewed for security risks. Grant administrator and privileged user access only to individuals who truly need it. Periodically audit the access and activity on your systems.

Backup Security: Keep your data backups current. Store them in a secured area that is not accessible from your primary network to prevent a bad actor from encrypting both your data and its backup.

Incident Response Plan: Design and test an incident response plan. Be sure you have contact information for all personnel that will need to be involved. Establish procedures to contact your workforce, cybersecurity insurance providers, and other interested parties on nights, holidays and weekends.  
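The backup item above is where ransomware recoveries most often fail: the copies exist but are stale, or the attacker reached the backup share and encrypted them too. The following script is an added example, not part of the original post or anything CompliancePoint provides, showing how a backup job's manifest of SHA-256 hashes and timestamps can be checked against what is actually on disk so that stale, missing, or silently overwritten backups are found before a restore is needed. The manifest format, the 24-hour freshness policy and the backup file contents are all constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

MAX_AGE_HOURS = 24  # constructed policy value: a restore point older than this is stale


def sha256_file(path):
    """Hash a file in chunks so large backup images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_backups(backup_dir, manifest, now):
    """Compare every manifest entry against the file on the backup share.

    Returns {backup name: status}, where status is one of
    'ok', 'missing', 'tampered' (content no longer matches the hash recorded
    when the backup was written, which is what an encrypted backup looks like)
    or 'stale' (intact but older than MAX_AGE_HOURS).
    """
    results = {}
    for entry in manifest["backups"]:
        path = os.path.join(backup_dir, entry["name"])
        if not os.path.exists(path):
            results[entry["name"]] = "missing"
            continue
        if sha256_file(path) != entry["sha256"]:
            results[entry["name"]] = "tampered"
            continue
        taken_at = datetime.fromisoformat(entry["taken_at"])
        if now - taken_at > timedelta(hours=MAX_AGE_HOURS):
            results[entry["name"]] = "stale"
        else:
            results[entry["name"]] = "ok"
    return results


def write_backup(backup_dir, name, content):
    """Write a constructed backup file and return the hash the backup job would record."""
    path = os.path.join(backup_dir, name)
    with open(path, "wb") as fh:
        fh.write(content)
    return sha256_file(path)


def run_demo(now=None):
    """Build a constructed backup directory holding one good, one stale, one
    tampered and one missing backup, then run the check against it."""
    now = now or datetime(2022, 7, 15, 12, 0, tzinfo=timezone.utc)
    fresh = (now - timedelta(hours=6)).isoformat()
    old = (now - timedelta(days=3)).isoformat()
    with tempfile.TemporaryDirectory() as backup_dir:
        manifest = {"backups": []}
        # 1. current, intact backup
        manifest["backups"].append({"name": "ehr_db.bak", "taken_at": fresh,
                                    "sha256": write_backup(backup_dir, "ehr_db.bak", b"patient table dump\n")})
        # 2. intact, but the last successful run was three days ago
        manifest["backups"].append({"name": "imaging.bak", "taken_at": old,
                                    "sha256": write_backup(backup_dir, "imaging.bak", b"dicom archive\n")})
        # 3. recorded correctly, then overwritten afterwards (stands in for an encrypted backup)
        manifest["backups"].append({"name": "claims.bak", "taken_at": fresh,
                                    "sha256": write_backup(backup_dir, "claims.bak", b"claims export\n")})
        with open(os.path.join(backup_dir, "claims.bak"), "wb") as fh:
            fh.write(b"\x8f\x1c\x00encrypted-by-attacker\x00")
        # 4. listed in the manifest but never landed on the backup share
        manifest["backups"].append({"name": "audit_log.bak", "taken_at": fresh,
                                    "sha256": "0" * 64})
        return check_backups(backup_dir, manifest, now)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

In practice the manifest should be written by the backup job and kept somewhere the primary network cannot write to, for the same reason the post gives for isolating the backups themselves: a hash list the attacker can rewrite alongside the files proves nothing. Run the check from the isolated side, and treat any 'tampered' or 'missing' result as a security incident rather than a backup-job failure.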

No system is bulletproof, but organizations that handle their customers' protected health information have an obligation to ensure that security practices are in place to protect that data. They must also have processes in place to quickly respond to suspected incidents to limit the risk of unintentional loss or disclosure of protected health information.

CompliancePoint has helped healthcare organizations nationwide evaluate and strengthen their cybersecurity practices. To learn more about how we can help your organization, contact us today at 855-670-8780 or connect@compliancepoint.com.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.