Threats from ransomware are hitting big institutions and people working from home at alarming rates. Cybercriminals are finding vulnerabilities during the COVID-19 pandemic and are breaking in to systems to steal data and demand ransom payments. Healthcare is especially at risk.

There is a remedy for these threats, however. You can greatly lower the risk, and prevent an attack, through workforce training, malware protection and data back-up, all requirements of HIPAA compliance. Most cyber invasions still take place through email – so cybersecurity training for the workforce is critical to help staff stay on high alert and avoid phishing. Training should be provided on a regular basis, not just once a year, and staff should receive security reminders to help them stay aware and sharp.

You should also perform daily offsite data back-up to a location separate and unconnected to your main system. When all of your data is backed up, and inaccessible to attackers, there is no need to pay a ransom.

University of California San Francisco Med School Paid $1.14 Million Ransom

In early June, the University of California San Francisco experienced a ransomware attack that encrypted and locked data on several servers in the medical school. UCSF is one of the leading academic institutions researching COVID-19 treatments.

Although the university explained that no patient data was likely affected, the attack potentially harmed the COVID-19 research. As soon as the attack was detected, the university managed to stop its further spread, but by then data on several of their servers were inaccessible – locked by the attackers.

The ransom message from the attackers threatened destruction of the data unless the university paid $3 million – a negotiation then took place over a day. Eventually, in order to protect the COVID-19 research, the university decided to pay a ransom of $1.14 million to obtain decryptor keys to unlock the servers. The university says that it is now working with the FBI to investigate what happened and evaluate the damage.

Ransomware creates dangerous choices. Most security and law enforcement experts, including the FBI, strongly advise against paying ransom, because it helps finance additional attacks. And there is no guarantee that the criminals will not keep a copy of the data and make additional demands. Funding criminals perpetuates cybercrime.

Other Big Organizations are Hit with Ransomware

A string of ransomware attacks in the last several months has occurred across healthcare institutions in the U.S. and Europe. Emails typically use phishing lures, like fake Covid-19 test results, and send millions of emails to thousands of organizations – the sheer volume of attacks increases the chances of success, and unfortunately, some will pay a ransom because the loss of data is so damaging.

The article linked above describes four very recent ransomware attacks that “targeted health systems in Rhode Island and Pennsylvania, an orthopedic practice in Florida and a pain clinic in Massachusetts”. It is not known yet whether ransom was paid in those incidents.

Since then, the latest news describes a massive, sophisticated series of attacks by a Russian group calling itself Evil Corp. The cybercriminals were preparing to attack dozens of U.S. corporations, including eight Fortune 500 companies. One of their strategies included exploitation of networks created for employees working from home. The cybersecurity firm Symantec identified the threat and issued an urgent warning on Thursday, June 25.

Ransomware Hits Home

The massive shift to working from home has created opportunities for cybercriminals.

We wrote about the vulnerability of virtual private networks last week, and this week the news is even more alarming. (A VPN is the connection of remote work sites to an organization’s main central system.) If not done carefully with the right security measures, a VPN can be easier for a cybercriminal to invade.

The Russian ransomware group Evil Corp. designed the malware to target virtual private networks and indirectly hit the larger organization. It didn’t break in to the VPN itself, but the malicious code was able to identify who the VPN user (the person working from home) worked for, and then when the VPN user visited a public or commercial website, their computer was infected. As the user returned to the VPN, the infection traveled to their employer. The ransomware hit nearly all sectors, with manufacturing, IT and media and communications receiving the most hits. Healthcare, energy, finance, transportation and hospitality also were affected.

Although the U.S. Justice Department indicted leaders of Evil Corp. in December, the group has come back in force since May. Concerns about election security are now top of mind.

What Does this Have to do with HIPAA?

Under HIPAA ransomware is presumed to be a breach, so it’s critical to do as much as possible to prevent it, and if it happens, to know what to do.

HIPAA compliance is a blueprint for cybersecurity safety. Start with an effective Risk Analysis – Risk Management plan that truly complies with HIPAA, and add repeated workforce cybersecurity training. If ransomware hits, take immediate steps to limit the damage, obtain a thorough forensic analysis and alert the FBI. Be sure to evaluate whether the “presumed breach” was a reportable breach under HIPAA, and follow the breach notification rule.

If you need help understanding how HIPAA compliance can reduce your risks, we have answers.

Free HIPAA Checklist
What best describes you?