U.S. hospitals have been faced with an alarming surge in ransomware attacks this year. In these attacks, hospitals find themselves without access to critical patient information. In addition to seriously threatening patient safety, hospitals themselves are also harmed. Necessary interruptions to services while recovering from the attacks damage organizations’ reputations, and financial costs can include ransoms along with costs associated with liability.

Ransomware attacks are a growing threat. Organizations need to focus on necessary steps to protect their data and to stay current on new security requirements arising to meet this threat.

In the first part of this two-part series, we’ll look at what ransomware is, and what makes hospitals and healthcare organizations particularly vulnerable to ransomware attacks. In the second part, we’ll take a look at solutions all organizations (not just hospitals) can employ to mitigate the risk from these attacks, and also discuss possible future changes to security requirements that may develop in response to the increase of ransomware related cybercrime.

What is ransomware?

In their January 2016 brief, “Hacking Healthcare IT in 2016,” the Institute for Critical Infrastructure Technology refers to  ransomware as “the primary threat to organizations in 2016.” Ransomware is a specific type of malware that works by preventing or limiting users from accessing their systems or data, often by encrypting the data. This kind of malware requires payment of a ransom in order to regain access to systems or data. Of course, even after a ransom is paid, there is no guarantee that access will actually be returned or that data will be undamaged. Some examples of ransomware include Locky, CryptoLocker, and CTB Locker.

Why are healthcare organizations so vulnerable to ransomware attacks?

Within just the past few months, hospitals that have reported attacks include Hollywood Presbyterian Medical Center in Los Angeles, Methodist Hospital in Kentucky, and MedStar Health’s ten hospitals and over 250 outpatient clinics in Maryland and Washington D.C. Officials suspect that additional attacks may have gone unreported by organizations choosing to deal with such matters internally rather than risking the damage to their reputations that publicly acknowledging vulnerabilities can bring.

What makes hospitals such tempting targets for cyber criminals? One reason is that hospitals rely on having fast access to accurate and up-to-date information in order to provide care for patients. This means they are more likely to pay a ransom than other organizations might be, as they are trying to avoid harm to their patients (up to and including death) and of course, lawsuits.

Another less obvious reason is that hospitals have until present been focused primarily on educating their employees mainly in HIPAA compliance, and much less on cybersecurity. This leaves hospitals employees especially likely to fall victim to social engineering attacks such as phishing, which can give ransomware attackers the entry they need.

The older software used by some hospitals can also provide a tempting point of entry for ransomware attackers. For example, a recent alert from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team warns that certain systems used to automate the tracking and dispensing of medical supplies contain numerous security vulnerabilities.

Additional Links:
TrendMicro – History of ransomware.
Wired.com – Why hospitals are the perfert target for ransomware.
DataBreachToday.com – Security flaws in legacy medical supply systems.

(Part 3 in our series on IT Compliance Concerns.)

What company types are affected by HIPAA compliance?

What is the Health Insurance Portability and Accountability (HIPAA) Act?
In the first two parts of this series, we discussed the Sarbanes-Oxley (Sarbox or SOX) Act and what it means in terms of Information Technology concerns. In this article, we’ll look into what  the Health Insurance Portability and Accountability Act is, and what it means to your company.

Enacted in 1996, the main purpose of the Health Insurance Portability and Accountability Act (also known as HIPAA or the Kennedy-Kassebaum Act) is to make it easier for people to keep health insurance, maintain the confidentiality and security of their healthcare information, and to control healthcare administrative costs. Title I of HIPAA is concerned with protecting health insurance coverage of workers and their families when they change or lose their jobs; Title II requires the establishment of national standards for electronic health care transactions and the establishment of national identifiers for providers, health insurance plans, and employers. (Title II is also referred to as the Administrative Simplification, or AS, provisions.)

What company types are affected by HIPAA compliance?
Covered entities and their business associates are the entities primarily affected by HIPAA.

Under HIPAA, there are three types of covered entities: health care providers, health plans, and health care clearing houses.
●    Examples of health care providers include hospitals, clinics, medical and dental practices, nursing homes, hospices, and pharmacies.
●    Health plans can include HMOs and employee-sponsored health plans.
●    Health care clearinghouses include entities that transmit claims or billing information.

Companies that provide services for covered entities and handle Protected Health Information (also known as Personal Health Information or PHI) can be considered business associates under HIPAA. While it is not always easy to determine if a company is considered a business associate, typical examples can include accounting firms, law firms, consultants, software vendors, ISPs, and cloud storage companies. If such a company works with covered entities, their contracts with those covered entities may require them to be compliant with HIPAA.

What are the penalties for failing to comply with HIPAA?
Penalties for covered entities include monetary fines of $1,000 per violation up to an annual maximum of $25,000. These fines are not the only concern; for criminal violations, the fines can be as high as $250,000 and may include up to ten years in prison. And while business associates cannot be prosecuted under HIPAA, they may still face certain penalties. A violation of a business agreement with a covered entity might lead to termination of contracts, and could lead to the risk of civil lawsuits filed by harmed individuals.

How does the HIPAA Privacy Rule work?
Covered entities and business associates are subject to the HIPAA Privacy Rule, which concerns the use and disclosure of PHI. Types of information covered by this rule include name, address, date of birth, Social Security number, any other information that can be used to identify a patient. It also includes information about: a patient’s past, present, or future health condition; the provision of health care to the patient; the past, present, or future payment for the provision of health care to a patient.

All of these requirements naturally mean challenges for your IT department. We will discuss these in the next part of our series on IT compliance concerns.)

Coming soon: Part 4 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About HIPAA Compliance?”

To learn more about HIPAA and related issues:

●    How companies are (and are not) allowed to use PHI (Protected Health Information).
●    Additional details concerning business associates and subcontractors.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: SOX Compliance and Your IT Team