Fraud Management & Cybercrime , Incident & Breach Response , Managed Detection & Response (MDR)
Eye Clinic Sees Quick Recovery from Ransomware AttackDespite Fast Rebound, Entity Still Reporting Data Breach
An Iowa eye clinic and its affiliated surgery center recently recovered from a ransomware attack on their common systems within one day and without paying a ransom. This case offers important reminders to other healthcare entities and their vendors.
Experts say that well thought-out and carefully implemented advance planning was likely helpful in the quick recovery.
"See? It can be done," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"With pre-planning, up-to-date backups, trained response and recovery teams, and documented policies and procedures, responding to ransomware attacks can be handled efficiently, consistently and with minimal disruption to services," she says.
Jones Eye Center and CJ Elmwood Partners, L.P., the affiliated surgery center of Jones Eye, say in a recent statement that on August 23 they discovered a ransomware incident involving a common computer network used for patient billing and scheduling.
The good news? "That same day, we restored our system using backup information and ended the attack without paying the ransom amount," the clinic says. In addition, while the attack impacted the entities' common patient billing and scheduling system, the incident did not affect their electronic medical records software.
The bad news? Despite the quick recovery, the entities say "there is the possibility that the attackers could have gained unauthorized access to protected health information of patients of both Jones Eye Clinic and the Surgery Center."
As a result, the clinic and surgery center in their statement say they are notifying about 40,000 individuals' whose information was potentially impacted in the breach.
The Department of Health and Human Services' Office for Civil Rights in 2016 issued guidance stating that in most cases, ransomware attacks are reportable as breaches under HIPAA.
"OCR expects healthcare organizations to perform a risk analysis to determine that a low probability exists of the ransomware causing unauthorized access to protected health information," says Keith Fricke, principle consultant at tw-Security. "Most ransomware only encrypts data; however, the risk analysis of PHI exposure should still occur. Some ransomware has the ability to exfiltrate data or grant unauthorized remote access into the infected system."
As of Nov. 2, the incident was not yet posted on the OCR's HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the HHS website lists major health data breaches impacting 500 or more individuals.
The organizations' statement notes that affected individuals include patients of Jones Eye Clinic and patients of the surgery center who were registered or had services at either entity between Jan. 1, 2003 and August 23, 2018.
Information contained in the impacted billing and scheduling software included patients' full name, address, date of birth, date of service, medical record number, and a general description of the clinic visit or surgery. For some individuals, information may have included Social Security number, insurance status, and claims information. The information did not include other financial data such as bank account or credit card information, the statement says.
"After discovering this incident, we engaged multiple information technology companies to assist with restoring our systems and deploying new technology to prevent future intrusions," the clinic and surgery center say. "Although we have found no evidence that patients' information was actually viewed or misused, we encourage affected individuals to take the precautionary measures ... to help protect against identity theft or fraud."
Affected individuals are being offered free credit monitoring services for one year.
Not as Lucky
While Jones Eye Clinic and its surgery center appear to have resolved the ransomware attack on its systems with minimal disruption to patient care and without resorting to paying extortionists to unlock data, other healthcare entities hit with ransomware - including some this year - were not as fortunate.
For instance, in May, Rochester, Minnesota-based Associates in Psychiatry & Psychology revealed that following a ransomware assault in which attackers encrypted all the data files on the mental health practice's main servers, the entity decided to pay an undisclosed ransom.
The practice said it made the decision to pay after determining it would take longer and potentially be more difficult to attempt to restore its systems without obtaining a decryption key from the hackers.
In general, law enforcement officials advise against paying ransomware attackers because there are no guarantees extortionists will fulfill their promises of unlocking data, plus rewarding hackers encourages more attacks.
However, whether organizations heed the advice to not pay extortionists, not all healthcare entities or their vendors suffering ransomware attacks have recoveries that go as smoothly or as quickly as Jones Eye Clinic apparently experienced.
For instance, a ransomware attack earlier this year impacting the electronic health records and other systems of Cass Regional Medical Center forced the Missouri county hospital to divert ambulances carrying trauma and stroke patients to other facilities as the critical access hospital struggled to recover.
Many other healthcare entities have also suffered ransomware attacks severely impacting patient care delivery. For instance, in 2016, MedStar Health, a 10-hospital system serving Maryland and the Washington area, was forced to shut down for several days many of its systems to avoid the spread of malware. The attack forced the healthcare organization to temporarily resort to paper records, disrupting some patient appointments.
Steps to Take
"It is ideal for organizations to test their plans outside of an emergency so they are better prepared to respond."
—Michael Aldridge, tw-Security
So what steps can other healthcare entities and their vendors take to increase their chances of a quicker and smoother recovery from a ransomware attack?
"Keeping offline backups and testing those backups is key," says Ron Pelletier, founder of security consulting firm Pondurance.
"If you are only testing the recovery of smaller datasets, I would submit that you are not prepared for the full recovery of an in-house EMR, or an enterprise Exchange database, or other large datasets," he says.
The reality is that any organization can "recover" the functionality of their production systems relatively quickly with a basic disaster recovery plan, but consideration of the data is vital in order maintain a relevant recovery point objective, he contends.
"Ask the question: If you're able to recover quickly, but you lose three to five days of production data, is that acceptable for you as an organization? That should create the impetus to test the appropriate recovery process in terms of time and minimal loss."
A fast recovery hinges on the ability to first detect the problem and then a plan for how to respond and recover, says Michael Aldridge, senior security consultant at tw-Security. "Covered entities and business associates would be well served to have a robust data backup in place as well a documented incident response plan," he says. "Lastly, it is ideal for organizations to test their plans outside of an emergency so they are better prepared to respond."
Safeguarding the EMR
The attack on Jones Eye Clinic impacted patient billing and scheduling software, but not its EMR, which could've been a lot more disruptive - and potentially dangerous to patient care if encrypted by extortionists, some experts note.
Although Jones Eye Clinic did not immediately respond to an Information Security Media Group inquiry about whether it uses an in-house or cloud-based EMR, some experts note that in some cases, working with a trustworthy cloud-based EMR vendor potentially can be less risky, especially for smaller healthcare entities.
"While the cloud on its own merits doesn't guarantee that you will not be impacted by ransomware, the likelihood is reduced if you're working with a reputable EMR provider in a software-as-a-service model," Pelletier says.
But there are also other options to protect an electronic health records from ransomware attacks, he adds. "A less common mitigation strategy is the proper segmentation of critical systems in the environment. Bad actors that leverage SamSam, for instance, need a foothold in the environment, and they count on the ability to escalate their privileges to a universal administrative level to maximize the speed and effectiveness of their attack," he says.
"Proper segmentation can create a virtual break in terms of volume of affect."
Herold offers a similar suggestion. "It is becoming increasingly common for covered entities - and would be nice for the business associates to do this also - to build internal firewalls around EHR/EMR systems and associated data.," she says.
"This is important to keep those ransomware attack pathways from impacting these sensitive and patient health impacting systems and data."
Scanning the network for systems with vulnerabilities and keeping up on security patches in a timely manner should be part of routine operations, Fricke suggests.
"In addition, IT workers should have procedures in place to rapidly respond to ransomware incidents. Time is of the essence to contain a ransomware attack, including training the workforce on what actions to take if their workstation exhibits signs of ransomware infection."