HIPAA/HITECH , Standards, Regulations & Compliance
Hacker Attacks in Healthcare: What's Changed in 2016 So Far?
Hacks Are Still Common, But Fewer Patients AffectedMedical Colleagues of Texas, an 11-physician practice in Katy, Texas, is one of the latest healthcare organizations to fall victim to hackers.
See Also: Gartner Guide for Digital Forensics and Incident Response
The breach, which reportedly exposed information on 50,000 individuals, represents the continuation of a trend so far in 2016. While hacker incidents are still plaguing the healthcare sector, the attacks have generally targeted smaller organizations, and the breaches have affected far fewer individuals than the massive hack attacks reported in early 2015.
Mega-breaches tied to hacker incidents reported in the early months of 2015 included, among others, an attack on Anthem Inc., which impacted 78.8 million individuals, and Premera Blue Cross, which affected 11 million.
"In my opinion, the shift from 'mega' hacker attacks to ransomware and smaller breaches indicates a change in threat actors," says Dan Berger, CEO of security consulting firm Redspin. "It is becoming more evident that the mega hacks were the work of nation state-sponsored attacks and related to espionage. In comparison, ransomware or smaller attacks are more likely purely financially motivated. The attacker wants to make a quick transaction and a quick buck."
Sketchy Details on Latest Attack
Medical Colleagues of Texas, in a recently issued breach notification posted on its website, says the group practice noticed "unusual activity" on its computer network in March. "We discovered that hackers had gained access to our computer network," the notice states. "The investigation indicates that unauthorized individuals may have accessed patient medical records and employee personnel files stored on our network."
Information that may have been accessed includes patient names, addresses, Social Security numbers and health insurance information. Medical Colleagues of Texas contacted law enforcement, which is continuing an investigation, the statement says.
The physician group did not disclose in its statement any details about the nature of the attack. The practice is offering one year of free credit monitoring to individuals affected.
The Houston Chronicle is reporting that the incident affected 50,000 patients. An attorney representing Medical Colleagues of Texas did not immediately respond to Information Security Media Group's request for confirmation of breach details.
In the wake of the incident, the practice says it is taking steps to prevent this type of breach from happening again, including updating its computer network, strengthening its firewalls and implementing two-factor authentication measures for remote access. "We are also providing additional training and strengthening our policies and procedures in regards to the protection of sensitive personal information," according to its statement.
Tracking 2016 Hacker Attacks
If the U.S. Department of Health and Human Services's Office for Civil Rights confirms details of the Texas incident, it would become the second largest hacker-related health data breach added to its "wall of shame" tally listing breaches affecting 500 or more individuals. The largest is an incident at 21st Century Oncology, which affected 2.2 million individuals.
Commenting on the apparent shift to smaller organizations being targeted for hacker attacks this year, Mark Dill, principal consultant at consultancy tw-Security, and former long-time CISO at the Cleveland Clinic notes: "Larger organizations - those most likely to have access to 'mega' amounts of data - likely have the resources - people, technology, budget and third-party experts - to prevent hacking in the first place. Smaller organizations may struggle to adequately protect PHI because of inadequate resources. Given the success of advanced persistent threats - ultra-silent malware - it is also possible that major events have occurred but remained undetected."
Some 96 health data breaches - affecting a total of 3.7 million individuals - have been added to the federal tally so far this year. About a quarter of those breaches have involved hacking incidents, affecting a total of 2.4 million individuals - with the 21st Century Oncology hack accounting for most of the victims.
Since HHS began keeping track of major breaches in September 2009, there have been 181 hacking incidents listed on its tally, representing 11 percent of the 1,551 total breaches.
More to Come?
Missing so far from the "wall of shame" tally are high-profile breaches involving ransomware that have been publicly revealed in recent months. That includes ransomware attacks on Hollywood Presbyterian Medical Center and King's Daughters Health as well a a malware attack against MedStar Health that may have involved ransomware.
Victims of ransomware attacks may not be filing reports with HHS, says Berger, the consultant. "Covered entities and business associates are looking for greater clarity from OCR regarding the issue of whether a ransomware attack constitutes a data breach and should thus be reported as such under the breach notification regulations," he says. "Personally, I think ransomware attacks do meet the criteria of a breach if ePHI is included in the data encrypted by the attackers."
OCR will not say whether recent ransomware incidents eventually will be added to its breach tally. "OCR does not comment on current or potential investigations," an OCR spokeswoman tells ISMG. But incidents involving ransomware are generally considered a breach under the HIPAA Breach Notification Rule, she points out.
"Whether or not the presence of ransomware would be a breach under the HIPAA rules is a fact-specific determination," she says. "A breach under the HIPAA rules is, generally, the acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI. With respect to ePHI encrypted as the result of a ransomware attack, a breach is presumed because the ePHI encrypted by the ransomware was acquired - i.e., unauthorized individuals have taken possession or control of the information."
Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says that all organizations that have been attacked, including victims of ransomware attacks, must carefully investigate and review the extent to which an attacker may have accessed PHI through information systems.
"The HIPAA definition of what is a disclosure and the application of the 'provision of access' should bring pause to anyone who categorically rules out the possibility that a ransomware incident is not a reportable breach," he says. "A careful, documented breach assessment using the framework found in the definition of the final Breach Notification Rule is the best place to start on understanding if a ransomware incident is a reportable breach. "
In assessing whether a ransomware incident is reportable to HHS, Dill suggests that impacted covered entities and business associates "examine the audit logs to determine if PHI was viewed or exported before it was encrypted by the ransomware."