Ransomware attacks are driving some small practices out of business. Michigan-based Brookside ENT and Hearing Center, a two-physician practice, closed its doors in 2019 after a ransomware attack. The criminals locked their computer system and files and then demanded a $6500 ransom to restore access. The practice took the advice of law enforcement and refused to pay. The attackers wiped the computer systems clean — destroying all patient records, appointment schedules, and financial information. Rather than rebuild the entire practice, the two doctors took early retirement.
Wood Ranch Medical, in Simi, California, a small primary care practice, decided to shut its doors in 2019 after a ransomware attack damaged their servers and backup files, which affected more than 5000 patient records. The criminals demanded a ransom to restore the technology and records, but the owners refused to pay. They couldn't rebuild the system without the backup files, so they shuttered their business.
Several large practices have also been attacked by ransomware, including Imperial Health in Louisiana in 2019, that may have compromised more than 110,000 records. The practice didn't pay the ransom and had access to their backup files and the resources to rebuild their computer systems and stay in business.
Medical practices of all sizes have experienced ransomware attacks. More than 551 healthcare ransomware attacks were reported to the federal US Department of Health and Human Services' (HHS') Office of Civil Rights in 2021 (as of November 30), and over 40 million individuals faced exposure of their protected health information.
All it takes is one employee clicking on a link or embedded file in an email to launch malware. A vicious code locks the electronic health record (EHR) system, and your practice grinds to a halt.
Cyber criminals demand a ransom in bitcoin to unlock the files. They may even threaten to post private patient data publicly or sell it on the dark web to get you to pay up.
But, is paying a ransom necessary or wise? What other steps should you take? Here's what cyber security experts say criminals look for in targets, how they infiltrate and attack, and how you should respond and prevent future attacks.
How Does It Happen?
Email is a popular way for criminals to hack into a system. Criminals often research company websites and impersonate a company executive and send a legitimate-looking "phishing" email to employees hoping that someone will click on it and launch a malware attack.
Drex DeFord
Recently, cyber criminals found an easier way to infiltrate that doesn't require identifying targets to gain access, says Drex DeFord, executive healthcare strategist at CrowdStrike, a cybersecurity technology company in Sunnyvale, California.
"Instead of hacking into the system, cyber criminals are just logging in. Most likely, they have acquired a user's credentials (username/password) from another source — possibly purchasing it from the dark web, the part of the Internet that criminals use, through an 'access broker,' an organization that specializes in collecting and selling these kinds of credentials," says DeFord.
After a ransomware attack last August on Eskenazi Health in Indianapolis, forensic investigators discovered that the criminals had logged into the IT system in May and had disabled security protections that could have detected their presence before they launched their cyberattack, according to a statement.
Responding to a Ransomware Attack
When employees or the IT department suspect a ransomware attack is underway, cyber experts recommend isolating the "infected" part of the network, shutting down the computer system to prevent further damage, and securing backups.
Soon afterward, cyber criminals typically communicate their ransom demand electronically with instructions for payment. One practice described seeing a "skull and bones image" on their laptops with a link to instructions to pay the ransom demand in bitcoin.
Kathy Hughes
Although you never want to pay criminals, it's ultimately a business decision that every organization that's affected by ransomware has to make, says Kathy Hughes, chief information security officer at Northwell Health in New York. "They need to weigh the cost and impact from paying a ransom against what they are able to recover, how long will it take, and how much will it cost," she says.
While it may be tempting to pay a small ransom, such as $5000, cyber experts warn that it doesn't guarantee full access to the original data. About one third (34%) of healthcare organizations whose data were encrypted paid the ransom to get their data back, according to a June 2021 HHS Report on Ransomware Trends. However, only 69% of the encrypted data was restored, the report states.
Criminals may also demand another payment, called "double extortion," by threatening to post any extracted private patient or employee data on the dark web, says Hughes.
Practices sometimes choose not to pay the ransom when they know they can restore the backup files and rebuild the system for less than the ransom amount. However, it can take weeks to rebuild a fully operational IT system; meanwhile, the organization is losing thousands of dollars in patient revenue.
Criminals may retaliate against a practice that doesn't pay the ransom by wiping the hard drives clean or posting the extracted medical, financial, and demographic data of patients on the dark web. Patients whose information has been extracted have filed class-action lawsuits against medical practices and organizations such as Scripps Health, in San Diego, California, claiming that they should have done more to keep their private information safe.
Experts also advise reporting the attack to local law enforcement, who may have cyber security experts on staff who will come on site and investigate the nature of the attack. They may also request help from the FBI's professional cyber security team.
Having a cyber insurance policy may help offset some of the costs of an attack. However, make sure you have a good cyber security program, advises DeFord.
He suggests that small practices partner with large health systems that can donate their cyber security technology and related services legally under the updated Stark safe harbor rules. Otherwise, they may not meet the insurer's requirements, or they may have to pay significantly higher rates.
Who Is an Easy Target?
Cyber criminals look for easy targets, says Hughes. "A lot of threat actors are not targeting a specific practice — they're simply throwing out a net and looking for vulnerable systems on the internet."
Small medical practices are particularly vulnerable to ransomware attacks because they lack the resources to pay for dedicated IT or cyber security staff, says Hughes, who oversees security for more than 800 outpatient practices. They're not replacing outdated or unsupported equipment, applying regular "patches" that fix, update, or improve operating systems, application software, and Internet browsers, or using password controls.
As large practices or health systems acquire medical practices with different EHR systems, security can be more challenging. Hughes says, "Our goal at Northwell is always to get them onto our standard platform, where we use best practices for technology and security controls. In the world of security, having fewer EHR systems is better so there are fewer things to watch, fewer systems to patch, and fewer servers to monitor. From our point of view, it makes sense to have a standardized and streamlined system."
Still, some practices may feel strongly about using their EHR system, says Hughes. When that happens, "We at least bring them up to our security standards by having them implement password controls and regular patches. We communicate and collaborate with them constantly to get them to a more secure posture."
Cyber security lapses may have increased during the pandemic when practices had to pivot rapidly to allow administrative staff to work remotely and clinical staff to use telehealth with patients.
"In the rush to get people out of the building during the pandemic, healthcare organizations bent many of their own rules on remote access. As they moved quickly to new telehealth solutions, they skipped steps like auditing new vendors and cyber-testing new equipment and software. Many organizations are still cleaning up the security 'exceptions' they made earlier in the pandemic," says DeFord.
Hackers Are Sophisticated Criminals
"The version of a hacker a lot of us grew up with — someone in a basement hacking into your environment and possibly deploying ransomware — isn't accurate," says DeFord. What experts know now is that these cyber criminals operate more like companies that have hired, trained, and developed people to be stealth-like — getting inside your network without being detected.
"They are more sophisticated than the healthcare organizations they often target," adds DeFord. "Their developers write the encryption software; they use chatbots to make paying the ransom easy and refer to the people they ransom as clients, because it's a lucrative business," says DeFord.
These groups also have specialized roles — one may come in and map your network's vulnerabilities and sell that information to another group that is good at extracting data and that sells that information to another group that is good at setting off ransomware and negotiation, says DeFord. "By the time a ransomware attack occurs, we often find that the bad guys have owned the network for at least 6 months."
Patient records are attractive targets because the information can be sold on the dark web, the part of the internet that's unavailable to search engines and requires an anonymous browser called Tor to gain access, says Hughes.
Criminals steal patient identifiers such as social security numbers and birthdates, payment or insurance information, as well as medical histories and prescription data. Other people buy the information for fraudulent purposes, such as filing false tax returns, obtaining medical services, and opening credit cards, says Hughes.
Lately, criminal gangs appear to be targeting the IT or EHR systems that practices rely for clinical care and making them unavailable. By locking EHR files or databases and holding them for ransom, criminals hope practices will be more likely to pay, says Hughes.
They also don't want to get caught, and this tactic "gets them in and out faster" than extracting and posting patient data, although criminals may use that as a threat to extort a ransom payment, says Hughes.
Fines for Lax Privacy/Security
Breaches of patient records have consequences that include being investigated by federal or state authorities for potential HIPAA privacy and security violations and fines. Recently, the HHS announced a $1.5 million settlement — the largest to date — with Athens Orthopedic Clinic, PA, in Georgia for not complying with the HIPAA rules.
When breaches of 500 or more patient records occur, medical groups are required to notify the HHS Office of Civil Rights (OCR) within 60 days, as well as all the affected patients and the media. Some organizations offer free credit monitoring and identity theft protection services to their patients.
Information about the breaches, including company names and the number of affected individuals, is posted publicly on what cyber experts often call "OCR's wall of shame."
Strengthen Your Defenses
The FBI and the HHS warned healthcare professionals and organizations in 2020 about the threat of increasing cyberattacks and urged them to take precautions to protect their networks.
Here's five actions you can take:
Back-up your files to the cloud or off-site services and test that the restoration works.
Implement user training with simulated phishing attacks so the staffwill recognize suspiciousemails and avoid actions that could launch malware attacks.
Ensure strong password controls and that systems are regularly patched.
Require multifactor authentication for remote access to IT networks.
Set anti-virus/anti-malware programs to conduct regular scans of IT network assets using up-to-date signatures.
