
Ransomware Targets Healthcare
The Healthcare Ransomware Epidemic: How to Protect Your Patients
The Problem is Becoming a Crisis

Data breaches are happening at an alarming rate. In fact, the threat of ransomware attacks has been elevated to crisis levels. While awareness has increased, attacks are becoming more sophisticated. Organizations large and small are being attacked. No one is immune. The healthcare industry has been, and continues to be, a prime target. And for good reason. Healthcare organizations are considered low-hanging fruit by cybercriminals. Hackers know healthcare centers are notorious for having inadequate security. Most hospitals don’t have procedures in place to restore a network once it has been locked by ransomware. Most applications in hospitals have little or no network segmentation. There are no firewalls between workloads. Basic security protocols are not in place.

Besides the alarming ransomware statistics, there are some attacks that never get reported. The U.S. Department of Health and Human Services experienced 52 data breaches in October. Last year, hackers stole over 38 million medical records. These sobering statistics have made the healthcare industry take notice. Many healthcare organizations are taking steps to increase cybersecurity. But more can be done. This article will take a look at some of the more recent ransomware cases. We’ll look at some mistakes that were made in dealing with cyberattacks. And we’ll offer ways to improve cybersecurity and protect patient data moving forward.

The consequences of a data breach reach far beyond the breaking news story. There’s more to it than the short news article that appears on your computer screen. A single attack can close down an organization for good. It can happen in a few minutes. The consequences can have long-lasting implications. This is particularly true for the healthcare industry. Sure, the reputation of the healthcare center gets flushed down the toilet, but there’s a real impact on the patients. These incidents are not merely expensive inconveniences. Cyberattacks disrupt the entire ecosystem of the institution. They put people’s health, safety, and lives at risk.


Security breaches will cost healthcare organizations $6,000,000,000 this year.


Often, the healthcare center gets victimized twice. First, there is a ransomware attack. Second, the healthcare system becomes the target of a class-action lawsuit from a community of angry patients and their families.

Consider the New Scientist article about the 2016 attack on the Hollywood Presbyterian Medical Center. It was a Friday afternoon when malware infected the institution’s computers. The attack seized patient data and prevented the staff from further communication. The date was February 5, the same day computer hackers tried to steal 1 billion from the Federal Reserve Bank of New York. It all happened in a matter of seconds. Medical records had to be kept using pen and paper. Staff used old fax machines. Patients were sent to other hospitals, and operations were canceled. The medical center was back online after a 2-week standoff, but not until after paying a ransom of 50 bitcoins (the equivalent of $17,000 at the time).

Malware can infect the entire computer system. Someone clicks on a link to a booby-trapped website or opens an attachment in a phishing email. Immediately, the malware gets to work encrypting files. Some malware can immobilize entire IT infrastructures. If data is backed up and malware strikes, you can always go back to yesterday’s data.
Healthcare targets often have their backs against the wall during a cyberattack because they don’t have their files backed up.

In most cases, a ransom is paid. The hackers deliver the decryption key, and medical centers are able to decrypt the seized files. The Hollywood Presbyterian Medical Center case was straightforward. They handled the crisis as best they could (see the comments above about using pen and paper). They negotiated a lower ransom and their data was returned. More recent victims haven’t been so lucky.

Medical malpractice has been part of the healthcare landscape since the 1960s. Now there is an additional risk of medical malpractice during ransomware attacks. If the ransomware attack affects the patient in any way, there will be repercussions.

While only a few healthcare systems have policies around using mobile devices, there is a growing movement to regulate such devices.

Take the cyberattack on LifeBridge Health systems. Seven months after the incident, the Baltimore-based health system faced another problem. A class-action lawsuit was filed against them. The lawsuit claimed negligence on the part of the medical center. It also accused LifeBridge of waiting 2 months before informing the affected patients.

LifeBridge had to respond to the allegations. The organization contracted a national computer forensic team to investigate the attack. Patients were offered credit monitoring and identity protection services.

Clearly there are basic mistakes that contribute to breaches. Mistakes can allow the infiltration to happen in the first place. Resolving a ransomware situation is stressful, and people under stress can do things that make the situation worse.

Ransomware Recovery Mistakes

Health Management Concepts in Florida was attacked with ransomware. The official report was made on August 23. HMC learned about the incident on July 16. The ransom was paid. The attackers delivered the decryption keys. The hospital IT administration immediately took steps to decrypt the data. To their horror, the HMC staff realized they made the problem worse. They accidentally sent files containing patient information to the hackers.

UnityPoint Healthcare had the misfortune of suffering two security breaches in 2018. The second attack compromised the data of 1.4 million patients. At least, that’s the official tally. A series of phishing emails had been made to look like they were from a top executive within the company. An employee fell for the scam. It gave hackers the opportunity needed to penetrate the entire system.

The protection of healthcare assets is not just a matter of protecting patient information but protecting the patients themselves.
Recognizing the Risk is the First Step Toward Protecting Patient Information

The onslaught of cyberattacks against healthcare is relentless. Still, there are inspiring stories of medical centers fighting back. They’re defending themselves against nefarious cyberattacks, saving lots of money, increasing their efficiency, and better protecting their patients.

One such story belongs to the Interfaith Medical Center of Brooklyn, New York. It’s a 287-bed non-profit teaching hospital that treats more than 250,000 patients every year. They were able to avoid malware outbreaks. Their proactive approach enabled them to detect and respond immediately to advancing threats. Their strategy involved an assessment of threats and implementation of policies and procedures.

Incident response time is critical. Measure it with a stopwatch, not a calendar. All the segmentation in the world isn’t any good if the door can’t be closed in time. Interfaith’s program was successful. It identified malware infections long before they had a chance to become a problem. The team was even able to identify a malware-infected medical device after it came back from a repair vendor.

The Interfaith Medical Center anticipated a ransomware attack and took steps to prepare for it. In a September 3, 2019, Healthcare IT News article, we learn how Christopher Frenz, the VP of Information Security, protected the non-profit’s IT system. “One of the ways I approached this was simulating a mass malware outbreak within the hospital, using a custom-developed script and the EICAR test string. Running the script attempted to copy and execute the EICAR test string on each PC within the organization to simulate the lateral movement of a threat within the hospital. Exercises like these are great because they help an organization identify what security controls are effective, which controls are ineffective or in need of improvement, how well or not the staff response to an incident will be, and if there are any deficiencies in the organization’s incident response plan,” he explained.
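The drill Frenz describes can be reduced to a small control-validation harness. The script below is an added example, not Interfaith’s script or any code from the article: it drops the published (harmless) EICAR test file into each “endpoint” location, times how long the endpoint protection takes to quarantine it, and reports the gaps. The endpoint locations here are constructed local directories; the function names and the timeout are assumptions made for the example.

```python
"""Endpoint-protection drill built around the EICAR test file (added example)."""
import os
import tempfile
import time

# Published EICAR test string: harmless by design, and any AV engine should
# flag a file whose content is exactly this string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def drop_test_file(directory, name="eicar_drill.com"):
    """Write the test file into one endpoint location and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(EICAR)
    return path


def wait_for_quarantine(path, timeout_s, poll_s=0.05):
    """Return (quarantined, seconds). The file counts as quarantined once it
    disappears or its content is altered, since AV products do either."""
    start = time.monotonic()
    while True:
        try:
            with open(path, "rb") as fh:
                intact = fh.read() == EICAR
        except OSError:
            intact = False
        elapsed = time.monotonic() - start
        if not intact:
            return True, elapsed
        if elapsed >= timeout_s:
            return False, elapsed
        time.sleep(poll_s)


def run_drill(targets, timeout_s=2.0):
    """Run the drill on every target directory; one result dict per target."""
    results = []
    for directory in targets:
        path = drop_test_file(directory)
        quarantined, seconds = wait_for_quarantine(path, timeout_s)
        results.append({"target": directory, "quarantined": quarantined,
                        "seconds": round(seconds, 3)})
        try:  # never leave the test file behind on an unprotected endpoint
            os.remove(path)
        except OSError:
            pass
    return results


def summarize(results):
    """Coverage report: how many endpoints reacted, which did not, and the
    slowest reaction time (the 'stopwatch' number worth tracking)."""
    covered = [r for r in results if r["quarantined"]]
    return {"targets": len(results), "covered": len(covered),
            "gaps": [r["target"] for r in results if not r["quarantined"]],
            "slowest_s": max((r["seconds"] for r in covered), default=None)}


def demo(n_endpoints=3, timeout_s=0.3):
    """Stand-alone run against constructed temporary 'endpoints'."""
    with tempfile.TemporaryDirectory() as tmp:
        targets = [os.path.join(tmp, f"endpoint{i}") for i in range(n_endpoints)]
        for t in targets:
            os.mkdir(t)
        return run_drill(targets, timeout_s)


if __name__ == "__main__":
    print(summarize(demo()))
```

On a machine with no endpoint protection every target shows up under "gaps", which is exactly the finding the drill is meant to surface.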

Christopher Frenz, VP of Information Security at Interfaith Medical Center, led the charge with a zero trust architecture that protected the network from cyberattacks and saved the healthcare system millions of dollars.
“We have successfully avoided malware outbreaks and are actively detecting and responding to advanced threats, long before they impact privacy or operations.”

Christopher Frenz, Interfaith Medical Center


The article ends with some excellent advice from Frenz. “Healthcare needs to begin to focus on more than just compliance alone, as it is far too easy to achieve a state where an organization meets compliance requirements but is still woefully insecure. Organizations need to put their security to the test. Pick solutions that can empirically be shown to improve their security posture.”


There are basic steps healthcare organizations can take to minimize their risk of ransomware attacks. Learn as much as you can about ransomware attacks. Consider all possible points of entry. Where is your IT system vulnerable? Medical software used for patient data has numerous vulnerabilities. Healthcare cybersecurity statistics from the Kaspersky Security Bulletin found easy access to 1500 devices used by healthcare professionals to process patient images such as X-rays.


Improving the cybersecurity of a healthcare organization, whether large or small, has two parts. One part has to do with the design and implementation of the entire IT system (i.e. whether or not backup and disaster recovery features are in place). The other part has to do with your human capital.


Malware can be introduced at any number of points along your network. Often the attack is designed with multiple points of entry. It could be a phishing email in which an employee is tricked into clicking on something that is booby-trapped. It could be a bogus email that looks like it comes from an upper-level executive but is actually from a hacker.


ON-GOING EDUCATION AND REFRESHER COURSES
Healthcare employees should have regular and comprehensive cyber threat education. This enables them to avoid falling into traps that can trigger ransomware. It also serves to establish a strong security culture.

Human beings make mistakes. This is especially true in the busy, high-stress environments of hospitals, or in situations where doctors, nurses, and orderlies work extended 10- to 12-hour shifts. People have to be educated about the risks of cyberattacks and what forms such attacks might take. It’s easy for a rushed employee, at the tail end of their shift, to unknowingly click a file, download unauthorized software, or be tricked into loading a contaminated thumb drive. There are basic security processes that should be implemented. These are things like creating strong passwords and changing them at regular intervals. Two-factor protection is also a good idea.

Cybercrooks study the vulnerability of humans. Hackers continually figure out ways to exploit human traits and their gullibility. Through social engineering tactics, cyber attackers design pathways to plant ransomware or get a foothold in an information system.


SECURITY IS NOT ABOUT QUICK FIXES

Take the time to ensure the staff and vendors are mindful of what they’re doing. Review policies and procedures regarding handling patient data. Review how to avoid security incidents. As we have seen, any data breach has legal ramifications. There needs to be a systematic response that is carefully considered and forged into a process. Additionally, partner with the right vendor who can design and provide a holistic security solution that will protect your patients.

HIPAA IT Compliance: A Quick Guide

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law from 1996 that requires most healthcare organizations to ensure the privacy and security of most of their patients’ information.

The three different types of healthcare organizations that HIPAA applies to are: healthcare providers (including hospitals and physicians’ offices), health plans (including health insurance companies), and health care clearinghouses (including billing services).

It also applies to any person or organization that these three types of healthcare organizations share their patients’ data with—so-called “Business Associates”—including IT hosting companies like IronOrbit.

The law requires these organizations to ensure the privacy and security of any “individually identifiable health information,” which the Department of Health and Human Services (HHS) defines as “information that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”

HIPAA requires healthcare organizations to protect this data by doing the following:

  • Implementing “reasonable and appropriate administrative, technical, and physical safeguards to prevent the intentional or unintentional use of disclosure” of this data
  • Implementing “technical policies and procedures that allow only authorized persons to access electronic” individually identifiable health information
  • Implementing measures to prevent unauthorized physical access to any IT hardware that contains or handles any individually identifiable health information
  • Keeping this data from being “improperly altered or destroyed”
  • Protecting this data from being inappropriately accessed when it’s being transferred via a network
  • Setting up an auditing system that logs activity on systems that contain this data
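An audit trail on systems holding patient data only helps if someone reviews it. The script below is an added example, not part of the page or of any HIPAA guidance text: it parses a constructed record-access log and flags two classic review signals, a user touching an unusually broad set of patient records within a short window, and record access outside scheduled hours. The log format, field names, thresholds and the 07:00 to 19:00 schedule are assumptions made for the example.

```python
"""Reviewing a patient-record audit trail (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log; the line format is an assumption.
SAMPLE_LOG = """\
2024-03-01T09:02:10Z user=nurse1 action=VIEW patient=P1001
2024-03-01T09:03:40Z user=nurse1 action=VIEW patient=P1001
2024-03-01T09:05:00Z user=nurse1 action=UPDATE patient=P1002
2024-03-01T09:10:00Z user=clerk7 action=VIEW patient=P2001
2024-03-01T09:10:20Z user=clerk7 action=VIEW patient=P2002
2024-03-01T09:10:41Z user=clerk7 action=VIEW patient=P2003
2024-03-01T09:11:05Z user=clerk7 action=VIEW patient=P2004
2024-03-01T09:11:30Z user=clerk7 action=VIEW patient=P2005
2024-03-01T09:12:02Z user=clerk7 action=VIEW patient=P2006
2024-03-01T23:40:00Z user=nurse1 action=VIEW patient=P1003
"""


def parse(log_text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def broad_access(events, window=timedelta(minutes=5), max_patients=5):
    """Users who touched more than max_patients distinct records inside any
    sliding window of the given length; value is the peak distinct count."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    flagged = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            distinct = {e["patient"] for e in evs[lo:hi + 1]}
            if len(distinct) > max_patients:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def after_hours(events, start_hour=7, end_hour=19):
    """Record accesses outside the assumed schedule [start_hour, end_hour)."""
    return [e for e in events if not start_hour <= e["ts"].hour < end_hour]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("broad access:", broad_access(evs))
    print("after hours:", [(e["user"], e["patient"]) for e in after_hours(evs)])
```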

In addition to ensuring the privacy and security of patients’ information, HIPAA also requires healthcare organizations to do the following:

  • Perform risk analyses on a regular basis in which they consider all potential risks to patient data and implement or change their security policies, procedures, and measures to protect their data from these risks
  • Designate a privacy and security official that’s formally in charge of “developing and implementing” the organizations’ privacy and security policies and procedures
  • Develop, implement, and maintain privacy and security policies and procedures, and maintain records of these privacy and security policies and procedures for at least six years “after the later of the date of their creation or last effective date”
  • Train their employees to follow these privacy and security policies and procedures
  • Sign “Business Associate Contracts” with anyone outside of their own organization they allow to access their patients’ information
  • Notify affected patients, the HHS, and “prominent” media outlets within 60 days whenever a security breach occurs

Penalties for noncompliance with HIPAA can reach up to $1.5 million per calendar year per violated HIPAA requirement.

Organizations will not be punished if their violations are not the result of “willful neglect” and they correct them within 30 days of becoming aware of them.

Employees of healthcare organizations may face criminal charges, up to 10 years’ imprisonment, and fines of up to $250,000 if they knowingly make patients’ information available to people who aren’t authorized to access it.

HIPAA Compliance Hosting: Features and Benefits

Compliance hosting is when an IT hosting company customizes a hosted solution so that it complies with a certain regulation, such as PCI DSS or SOX.

HIPAA compliance hosting, of course, is a hosted solution that has been customized to comply with the IT requirements of the Health Insurance Portability and Accountability Act.

Hosted solutions that can be made HIPAA compliant include hosted virtual desktops, hosted virtual and dedicated servers, hosted Terminal Services/Remote Desktop Services servers, and standalone hosted applications such as hosted EMR/EHR software and hosted SharePoint.

HIPAA, if you’re not familiar with it, is a federal law that requires most healthcare organizations (including healthcare providers such as hospitals and physicians’ offices, health insurance companies, and health care clearinghouses) to ensure the privacy and security of patients’ information.

Organizations can be penalized up to $1.5 million per year for every HIPAA requirement that they violate. The Department of Health and Human Services (HHS) also publicizes violations and the resulting penalties on its website.

HIPAA Security and Data Loss Prevention Measures

A HIPAA-compliant hosted solution usually includes some or all of the following security and data loss prevention measures:

  • An authentication system that requires each person with access to the solution to select a unique username and password, and to have to log in in order to access the solution
  • Two-factor authentication (which requires users to log in with both a password and a temporary code that’s texted to their phone number after they’ve entered the correct password)
  • Automatically-enforced password strength requirements (including minimum length and the required use of symbols, numbers, and upper and lowercase letters), and requiring users to change their passwords after a certain number of days (usually 90)
  • Network and system security measures such as firewalls, intrusion detection and prevention systems (IDS/IPS), network segmentation, spam filtering, content filtering, in-transit and at-rest encryption, patch management, and antivirus software
  • Physical security measures at the hosting company’s data centers such as unlisted and nondescript buildings, locked metal doors, biometric access panels (finger and palm print readers and eye scanners), security guards, alarms, closed-circuit video surveillance cameras, server cages, and mandatory check-ins, IDs, and escorts for all visitors
  • Around-the-clock monitoring of the hosted solution’s security by the hosting provider’s personnel, who’ll immediately respond to any security issues that they find
  • A data backup system that automatically backs up all of the solution’s data on a regular basis
  • Logging of all user login attempts and other significant actions

In addition to making your hosted solution compliant with HIPAA, other benefits of HIPAA compliance hosting include:

Fewer IT management hassles

With HIPAA compliance hosting, most hosting companies will set up, manage, and maintain the hosted solution for you. They’ll purchase and set up the hosting hardware and software, deploy the solution, and implement and maintain all of the necessary security and data loss prevention measures. That includes authentication systems, network and system security measures, around-the-clock monitoring, and automated data backups.

Lower costs

It’s often more affordable for healthcare organizations to sign up for HIPAA compliance hosting than it is for them to deploy the solution in-house in a compliant way.

This is mainly because with HIPAA compliance hosting you share the hosting company’s security and data loss prevention measures with its other customers.

These measures include enterprise-level authentication systems, data backup systems, 24x7x365 system and network monitoring, alarm response, and so on.

So, you only have to pay a small percentage of the total costs of these measures—while if you implemented a HIPAA-compliant solution in-house you’d be responsible for 100 percent of the costs.

Increased security

The security measures included with a HIPAA-compliant hosted solution not only make the solution compliant with HIPAA, they also protect your organization from costly and disruptive security breaches.

Increased accessibility

Hosted solutions such as hosted desktops and hosted applications can be accessed from anywhere from any Internet-connected computer, tablet, or smartphone.

Among other things, this allows healthcare workers to access their applications and files outside of the workplace. This means allowing doctors to complete some of their work from the comfort of home, for example. Or to access patients’ records and give a diagnosis or treatment advice if the doctors are unable to make it to the hospital or office.

This allows doctors to access their applications and files from a tablet that they carry with them rather than having to log in to a new PC in each different examination room. It also enables healthcare organizations to outsource some of their work to remote employees to improve quality or reduce costs.

For example, an organization might outsource the analysis of medical imaging tests to a doctor in another area because there aren’t any qualified specialists locally, or because the ones that are local are too expensive.

Increased scalability


Hosted solutions are scalable, which means that you can add (or subtract) any amount of users and resources such as vCPUs, RAM, and storage space to them (or from them) quickly and easily.

This makes it quicker and easier for healthcare organizations to supply new hires with the IT resources they need to do their jobs.

It also makes it easier for healthcare organizations to add IT resources as they expand, and to reduce them when downsizing without getting stuck with a bunch of unused, expensive hardware.

To sign up for HIPAA compliance hosting, simply contact an IT hosting company that offers it and that’s capable of meeting all of your IT requirements and preferences.