In 2018, healthcare organizations were one of the top industries targeted by ransomware attacks. In 2019, Verizon reported that ransomware accounted for 70 percent of all malware attacks in healthcare. Now, given the rise of opportunistic social engineering, ransomware in healthcare may increase sharply.
What is ransomware?
Ransomware is a type of malware that threat actors use to extort money from organizations, including healthcare providers, by encrypting a provider’s own information and freezing access to the data. The attackers then demand payment in exchange for the decryption key. Spear-phishing is a popular tactic among ransomware attackers because it is highly targeted. In some cases, these attacks target specific hospitals and specific employees within the organization. Spear-phishing attackers pose as a trusted entity and send malicious emails to unsuspecting employees. The World Health Organization (WHO) recently warned of coronavirus-themed phishing attacks that impersonate the WHO in order to steal money. Individuals hoping to learn about coronavirus safety measures are lured into giving away usernames and passwords, clicking on malicious email links, or downloading malware-infected documents.
HIPAA compliance and business continuity requirements make providers easy targets
Attackers recognize that healthcare providers are attractive targets because they must protect patient information from being disclosed or face large regulatory penalties, such as HIPAA fines, which range from $10,000 to $25,000 per violation and can reach as high as $1 million per year if it is determined that patient health information was wrongfully disclosed. Providers also face the potential of patient lawsuits and jail time. Healthcare providers are also an attractive target because they cannot afford to have critical IT systems brought down and disrupt their services. In some cases, lives would be at risk due to system failures. Though the FBI advises against providers paying ransoms, some providers have reluctantly done so. As Hackensack Meridian Health CEO Robert Garret noted to his peers, “Don’t immediately dismiss the option of paying ransom. You may not have the luxury of time to consider rebuilding your network.”
HIPAA provides ransomware guidance
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) encourages healthcare providers to use HIPAA as guidance for preventing and responding to ransomware attacks. HIPAA provides several recommendations, including that healthcare providers implement a security management process to identify and remediate vulnerabilities, deploy software to prevent malware, conduct regular backups and user training, and restrict access to electronic protected health information (ePHI).
One area of HIPAA guidance that has caused confusion relates to breach notification after a ransomware attack. Some healthcare organizations argue that ransomware does not equate to a breach, since the goal of ransomware is to encrypt data rather than expose it, and that breach notification should therefore not be required. OCR guidance states that if an entity is infected with ransomware, the incident is presumed to be a breach unless the provider can show that there was a “low probability that PHI had been compromised.” If low probability is not established, the provider must comply with the breach notification rules. Organizations that do not comply with HIPAA breach notification policies can face stiff penalties. This was the case with Sentara Hospitals, which agreed to pay $2.175 million to settle potential violations of the HIPAA Breach Notification and Privacy Rules after it was discovered that Sentara did not properly disclose a breach in which the PHI of 577 patients was accidentally mailed to the wrong individuals.
OCR recommends active monitoring
The OCR notes that in the event ransomware enters an organization, “effective system monitoring and review will be critical to detecting and containing” the ransomware attack. Security information and event management (SIEM) and user and entity behavior analytics (UEBA) solutions such as Exabeam provide proactive monitoring for ransomware. For example, the Exabeam Security Management Platform can detect unusual increases in CPU and disk activity on a host, as well as suspicious network communications between the ransomware and the attacker’s command and control servers. Because a ransomware attack unfolds over a six-stage kill chain rather than all at once, early detection and mitigation is possible.
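As an added illustration (not Exabeam’s detection logic and not code from this post), here is a small baseline-deviation check of the kind described above, run over constructed per-minute host telemetry: a host whose disk writes and file renames both jump far above its own recent baseline is flagged, and the alert records whether that minute also opened connections to a previously unseen external destination (a command-and-control candidate). Host names and field names are invented for the example.

```python
"""Added example (not Exabeam code): flag hosts whose per-minute disk writes and
file renames jump far above that host's own recent baseline, the pattern an
encrypting ransomware process produces, and note whether the same minute opened
connections to a previously unseen external host (a C2 candidate)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry rows: (host, minute, disk_write_mb, file_renames, new_external_dests)
TELEMETRY = (
    [("ws-radiology-07", m, 12 + m % 3, 4, 0) for m in range(20)]   # quiet baseline
    + [("ws-radiology-07", 20, 410, 2300, 1),                       # burst begins
       ("ws-radiology-07", 21, 455, 2600, 0)]
    + [("ws-billing-02", m, 8 + m % 2, 3, 0) for m in range(22)]    # never bursts
)

def zscore(value, history, sd_floor=1.0):
    """Standard deviations above the host's baseline. The floor keeps a flat
    baseline (sd 0) from turning a trivial change into a huge score."""
    return (value - mean(history)) / max(pstdev(history), sd_floor)

def detect(telemetry, baseline_minutes=15, threshold=6.0):
    """Return one alert per (host, minute) where both disk writes and renames
    exceed `threshold` standard deviations. Flagged minutes are kept out of the
    baseline so an ongoing burst does not normalise itself."""
    by_host = defaultdict(list)
    for row in sorted(telemetry, key=lambda r: (r[0], r[1])):
        by_host[row[0]].append(row)
    alerts = []
    for host, rows in by_host.items():
        baseline = []
        for _, minute, write_mb, renames, new_dests in rows:
            if len(baseline) < baseline_minutes:
                baseline.append((write_mb, renames))   # still learning this host
                continue
            z_disk = zscore(write_mb, [b[0] for b in baseline])
            z_ren = zscore(renames, [b[1] for b in baseline])
            if z_disk > threshold and z_ren > threshold:
                alerts.append({"host": host, "minute": minute,
                               "z_disk": round(z_disk, 1), "z_renames": round(z_ren, 1),
                               "c2_candidate": new_dests > 0})
            else:
                baseline.append((write_mb, renames))
                baseline.pop(0)   # sliding window of the most recent normal minutes
    return alerts

if __name__ == "__main__":
    for alert in detect(TELEMETRY):
        print(alert)
```

Requiring both signals to spike together is what keeps a legitimate backup job (high disk writes, few renames) from firing the rule.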
Exabeam also helps healthcare providers complete incident response steps related to ransomware attacks as outlined in the OCR Ransomware and HIPAA Factsheet:
- Determine the scope of the incident to identify what networks, systems, or applications are affected;
- Determine the origination of the incident (who/what/where/when);
- Determine whether the incident is finished, is ongoing, or has propagated additional incidents through the environment; and
- Determine how the incident occurred (e.g. tools and attack methods used, vulnerabilities exploited).
While many experts predict that ransomware attacks against healthcare organizations will increase in 2020, intelligent, proactive solutions such as Exabeam leave healthcare organizations better positioned to address these attacks.