HIPAA Breaches 2017: the Year Ransomware became Epidemic

Such outcomes tend to begin with “situational awareness.” At Urology Austin, Site Manager and IT Director Layton Smith noticed the system being monitored – surveilled – for weaknesses. He immediately contacted GCS Technologies, the managed services company that handles security for 450 companies in Central Texas. Smith says, “GCS’s team got them – the perpetrators – locked out of the system, and immediately began remediating the issue.”

GCS found Urology Austin services going offline because of the encryption, and its monitoring software began raising red flags. GCS employs a multi-tiered approach to security, with no fewer than six to eight products in use at all times to monitor traffic and data usage.

“What took it from existential to only catastrophic,” says GCS Technologies President Joe Gleinser, “was an image-based backup solution.” Image-based backup is a process by which a computer or virtual machine creates a comprehensive copy of its operating system and all the data associated with it, including the system state and application configurations. It is all saved as a single file called an image.

This is far more extensive – and uses more resources – than typical file backups, where each file (which could include the malware itself) is incrementally uploaded to the reserve copy. Urology Austin takes a weekly image and relies on daily incremental backups, so it is never more than six days away from a stable reset point.

“At the end of the day, we were able to recover fully and the practice was seeing patients more quickly,” says the GCS president.  

Closer to home, a similar story unfolded when an employee of ABCD Pediatrics discovered that a virus had gained access and begun encrypting ABCD’s servers. The encryption process was slowed significantly by recently updated antivirus software.

Upon discovery, ABCD immediately contacted its IT company, and servers and computers were promptly taken offline and analyzed. ABCD’s IT company identified the virus as “Dharma Ransomware,” a variant of an older ransomware virus called “CrySiS.”

These virus strains typically do not exfiltrate (“remove”) data from the server; however, exfiltration could not be ruled out. Also, during the analysis of ABCD’s servers and computers, suspicious user accounts were discovered, suggesting that hackers may have accessed portions of ABCD’s network.

ABCD’s IT company successfully removed the virus and all corrupt data from its servers. Secure backup data stored separately from ABCD’s servers and computers (“off-site backups”) was not compromised by the incident. As a result, no confidential information, including protected health information, was lost or destroyed.

Nor did the attack mature to the point of ABCD receiving ransom demands or other communications from unknown persons. Concerned that interlopers may have been on the server for a limited period, ABCD Pediatrics advised more than 55,000 patients of the incident, per HIPAA regulations. Urology Austin sent 279,000 advisory letters (see sidebar, “The Law”). Between the costs of the advisories and of client credit protection, both companies advised, it is critical to have cyber incident insurance.

And the breach is only the opening refrain of what can be a long sad song: “A breach notification acts as an involuntary invitation to the Office for Civil Rights into your operations to examine your efforts to maintain the privacy and security of the protected health information in your possession,” says Clifford Robertson, JD. Speaking recently to the Bexar County Medical Society, he detailed the process by which any breach is likely to open the practice to a complete HIPAA compliance audit. He reviewed a number of corrective action plans mandated by the Office for Civil Rights, whose post-breach review begins by examining the practice’s most recent risk assessment, IT logs, personnel policy and procedure guides, and training records. “One unencrypted laptop left unattended in a car,” said Robertson, “has brought down whole enterprises.”

Tips for Staying Safe with Your Own Data

Crucial to the successful responses in both cases was a close relationship with the practice’s IT managed services provider (MSP). Making sure your practice’s MSP is aware of, and responsible for, all of HIPAA’s Security Rule mandates, particularly anti-malware updates, software patches and monitoring, should be written into its business associate agreement.

Asked for his best advice to those new to the business, GCS’s Joe Gleinser says: “First, recognize the magnitude of the risk and build a multi-layered shield. Unfortunately, I don’t see ransomware taken seriously at the Executive Level, but perhaps that might change as more stories get told.”

Staff training on new security threats and email policies is vital to an enhanced immune system. Says Gleinser, “We’ve responded to more than eighty-five ransomware attacks since January 2016. Almost every case has been caused by a phishing attack through email.”

Unfortunately, despite strong immune systems, viruses still find a path to infect otherwise healthy systems. An incident response plan is needed to deal with a chaotic and calamitous situation. Adrian P. Senyszyn, JD, who serves as attorney for ABCD Pediatrics and is an expert on cyber incidents, speaks to the need to preserve evidence: “You need to help prove the low probability of compromise to protected health information.”

First, he advises, disconnect: have your IT company disconnect your network from the Internet; the more quickly, the better.

Investigate and document the incident immediately. Make sure IT staff accurately document their findings in an incident report that is signed and dated. Screenshots or cell-phone photographs help document evidence. Treat everything as though it were a crime scene; it is.

If possible, have the MSP maintain the infected IT system in a digital sandbox, neither shutting it off nor wiping it clean. By wiping the malware from your system, you are likely destroying the evidence that proves the ransomware did not exfiltrate data to cyber criminals.

Determine the scope of the incident by identifying and documenting which networks, systems, or applications were affected; the name of the virus or malware; and the origin of the incident or the vulnerability that caused it. Staff should document information related to the attack in separate incident reports that are signed and dated.

You also should consider whether a forensic investigation of your computers and servers would be appropriate.

Besides your IT manager, there are two other names at the top of your disaster-recovery call sheet. Contact your medical professional liability carrier, and make sure your cyber liability insurance covers the costs of ransomware removal, forensic investigation, breach notification, OCR investigation, and fines and penalties.

And if you don’t already have one, retain a lawyer who has handled HIPAA incidents. If an attack was successful, is there someone at your company who knows how to acquire bitcoins to pay the ransom? An attorney would, and could also assess the risk of not paying the ransom at all. Recent trends show less honor among thieves: a first payment can simply be the ante to an ongoing game you’re bound to lose.

When two nearby healthcare practices appear on the HIPAA breach site for ransomware attacks within days of each other, it is time to review this digital epidemic. We are grateful that both practices, ABCD Pediatrics and Urology Austin, were forthcoming about their experiences and how they withstood the onslaught. We believe there is no substitute for learning from real experiences.

Ever since Hollywood Hospital made headlines last year by paying the ransom to regain access to its encrypted patient files, paying the perpetrator has become a common response. Here are two examples of enhanced resistance; medical education relies on case studies of successful outcomes.

Cyber Risk Associates