Breach is Among Recent Incidents Posted on ‘Wall of Shame’
As hacking incidents appear to spike on the federal breach tally, a small Kentucky-based physician practice is the latest healthcare entity to report a major breach involving a ransomware attack.
See Also: 2017 Predictions on Data Security: Insights on Important Trends in Security for the Banking Industry
Ashland Women’s Health, a solo, obstetrician-gynecologist practice in Ashland, Kentucky on April 4 reported to the Department of Health and Human Services a hacking incident affecting 19,727 patients, according to the HHS Office for Civil Rights’ “wall of shame” website listing major breaches impacting 500 or more individuals.
That incident involved a recent ransomware attack that encrypted data on the practice’s electronic health record system, including its patient scheduling application, an Ashland Women’s Health spokeswoman says.
The practice was able to mitigate the attack and restore data by using backup systems, and did not pay a ransom, she says. Patient care was impacted for “a couple days,” as the practice was unable to access its EHR and scheduling software, and relied on paper charts while its systems were being restored, she says.
The incident was reported to local law enforcement and the FBI, and investigators told the practice the attack involved HakunaMatata, a variant of NMoreira ransomware, the spokeswoman says.
The practice is preparing to send out notification letters to affected patients, but has not determined whether it will offer free credit or identity monitoring she says. Impacted data included patient names, addresses and “other” protected health information, she says.
Other Recent Attacks
The attack on Ashland Women’s Health is one of at least a dozen hacking incidents – including at least three known ransomware attacks – reported to OCR in recent weeks.
As of April 11, the federal tally shows 26 hacking incidents reported to OCR so far in 2017. Nearly half of those hacking incidents were reported since March 2. That includes ransomware-related breaches reported by at least two other smaller healthcare providers, both based in Texas.
ABCD Pediatrics on March 26 reported to OCR a hacking incident affecting 55,447 individuals, which the San Antonio-based practice says involved Dharma Ransomware, a variant of an older ransomware virus called CriSiS.
Urology Austin, which operates eight offices in and around the Texas capital city, on March 22 reported to OCR a hacking incident affecting 279,663 individuals that also involved a ransomware attack. That incident is the second largest breach appearing on the wall of shame so far in 2017.
Like Ashland Women’s Health, both ABCD Pediatrics and Urology Austin have said they mitigated their ransomware attacks without paying extortionists a ransom to unlock their data.
The largest breach reported to OCR so far this year was by Bowling Green, Kentucky-based Med Center Health, owned by Commonwealth Health Corp. That incident, affecting 697,800 individuals, involved a former Med Center Health employee who allegedly obtained patient information on an encrypted CD and encrypted USB drive, “without any work-related reason to do so,” the company said in a statement.
The OCR breach reporting website lists that incident as a “theft.”
An April 11 snapshot of the wall of shame shows a total of 83 breaches reported to OCR so far in 2017. Those breaches affected a total of nearly 1.74 million individuals. That includes 26 hacking incidents impacting a total of 813,254 individuals, or about half of the reported breach victims so far in 2017 .
Since federal regulators began keeping track of major HIPAA breaches in 2009, a total of 1,902 breaches impacting nearly 173 million individuals have been reported to OCR as of April 11.
Of those, 295 breaches are listed at hacking incidents impacting a total of nearly 129.4 million individuals. The largest of all breaches listed on the wall of shame is the cyberattack on Anthem Inc. which was reported to OCR in February 2015, and impacted nearly 79 million individuals.
Steps to Take
Rebecca Herold president of Simbus, a privacy and security cloud services firm, and CEO of The Privacy Professor, a consultancy, predicts ransomware attempts will continue to plague healthcare sector entities this year, even as some organizations, including Ashland Women’s Health, are getting better at successfully mitigating the incidents without paying extortionists.
“Ransomware is profitable to the cybercrooks, it is an easy crime to commit, and there is low chance of being caught if the crooks are careful,” she says. “As long as these factors exist, cybercrooks will continue; why would they stop pursing easy money?”
But Joe Meyer, technical director for risk management and governance in consulting firm NCC Group’s North America region, says ransomware attacks may potentially subside as entities get better preventing and defending against these extortion attempts.
“I do believe that the industry as a whole ‘should’ start to see a gradual decrease in malware/ransomware events for the simple fact that that we have had such an increase in awareness, training, and frankly, capital investments in the industry to help combat consistent threats, such as ransomware.”
Meyer notes, “with awareness and a desire to not become the next breach, organizations have begun to update their systems, to provide the necessary updates and backup accordingly. There has definitely been a shift toward cyber resiliency in the healthcare world, as opposed to the reactionary approach.”
Nonetheless, a key factor contributing to the healthcare entities falling victim is the human factor, Herold says. “Humans have always been, and will always be, the weakest link in the information security efforts. The key to success for ransomware crooks is exploiting the human, not technology, vulnerabilities.”
To avoid falling victim to ransomware, Herold advises entities to take several important steps. That include offering workforce members frequent ransomware training and reminder messages; practicing strong backup practices, including keeping backup data current and offline from the network; and keeping anti-malware software updated.
Ultimately, “if you get your employees engaged, they will become aware; when employees are aware they will be significantly less likely to fall for the social engineering tactics that result in successful ransomware attacks,” Herold says.
Meyer says that while he sees increased of awareness by healthcare sector organizations about ransomware risks, “we still unfortunately have not seen the expected uptick in covered entities and business associates conducting formal, third-party risk assessment to include the OCR technical requests. Being ‘a penny wise, and then a pound foolish’ is still resulting in many breaches that could have been prevented or lessened in severity.”
OCR declined to comment specifically on breach report trends the agency is seeing related to hacking incidents, including ransomware attacks. However, in a statement to Information Security Media Group, OCR says, “our website is current and contains relevant guidance, the resolution agreements, and corrective action plans concerning malware. In particular, several of our Cyber Awareness Newsletters address malware concerns.”
That includes a recent OCR cyber newsletter issued last October alerting organizations about the importance of safeguarding network-attached storage devices and other gear that supports or enables file transfer protocol services (see Federal Regulators Warn of FTP, NAS Risks).
OCR noted in that alert that research by computer security firm Sophos recently found that up to 70 percent of a vendor’s NAS devices connected to the internet were infected with a malware variant called Mal/Miner-C, also known as PhotoMiner. Sophos researchers alleged that out of 7,000 of these NAS devices manufactured by Seagate, 5,000 were infected with this malware by cybercriminals who also collected $86,000 in cryptocurrency.