A string of data dumps this past week reveals how twisted and dark the hacking crisis in healthcare has become. Three major ransomware groups have published data they stole from healthcare entities, exposing thousands of individuals’ private information on the dark web. The groups calling themselves Conti, REvil and Avaddon leaked data stolen from a medical center, several health systems, and a business associate IT vendor with some clients in the healthcare sector.
Because some of the attacks may not even have included “ransom notes” requesting payment to avoid publication, the criminals’ motives are not clear. With no clear motive, the cyber criminals seem particularly detached, even cold, without regard for the individuals whose lives are damaged.
Although ransomware has been increasing rapidly over the past several years, it has gotten worse recently. Since October 2020, federal agencies have been warning that ransomware groups have been ramping up their attacks on healthcare. The COVID-19 pandemic made cyber crime worse, as criminals exploited some of the chaos and confusion healthcare organizations faced. At this point in early 2021, cyber crime is still growing – see the February 5, 2021 Ransomware Factsheet from the National Cyber Investigative Joint Task Force.
Another resource to help healthcare providers plan to respond to ransomware attacks and shore up key vulnerabilities to strengthen defenses is one from the Office for Civil Rights (OCR) which enforces HIPAA.
Cyber Attacks Unfolding Since November
Conti – We first wrote about Conti on December 31, 2020, when we learned of the data dump of more than 2 million patients of Leon Medical Center in Miami. Since then, Conti has posted what it claims to be 2 percent of the overall data it says was stolen from Rehoboth McKinley Christian Health Care Services in New Mexico. The published data includes files with names such as “passports,” “driver’s licenses,” and “bill of sale,” among others.
REvil – This group appears to have attacked Standley Systems, a document scanning and document management solutions vendor with customers across a variety of sectors, including healthcare. It has been reported that REvil has leaked at least seven data sets from Ellis Clinic, Enerquest, WW Steel, the Oklahoma Medical Board, Crawley Petroleum, and Chaparral Energy, with a huge amount of additional data claimed to have been stolen from backups of Standley Systems’ clients. The published data includes employee passports, more than 1,000 Social Security numbers, medical documents, and other sensitive information.
Avaddon – The Avaddon group published a large amount of highly sensitive information from the Capital Medical Center in Olympia, Washington. The data includes driver’s licenses, detailed lab results, patient referral documents, prescription forms, patient procedures, treatments, and diagnoses, and faxed patient documents with insurance details, contact information, provider names, and patient assessments.
HIPAA Compliance Strengthens Cybersecurity
In spite of these harrowing developments, healthcare organizations are not helpless and bound to be victimized no matter what. There are defensive measures that can be taken to prevent or lessen the damage that unscrupulous hackers can inflict. HIPAA compliance is a blueprint for defense against cyber crime.
Prevention, Mitigation and Recovery
HIPAA compliance does not need to be expensive or complicated.
It comes down to three key action steps:
- Risk Analysis – Risk Management
- Workforce training
- Data back-ups
There is detail to each of these steps, of course. Under Risk Analysis – Risk Management, for example, organizations should have some form of information system activity review, security incident procedures in place, and a contingency plan. The Security Rule Checklist in The HIPAA E-Tool® covers all these bases.
Workforce training is required by HIPAA, and we include it in The HIPAA E-Tool® Risk Analysis – Risk Management module. Email is still the predominant way that cyber criminals find their way into organizations. The most sophisticated anti-malware program cannot prevent all human error when it comes to the email the workforce receives. People need training to become more savvy and to “Think Before You Click”. We provide content for cybersecurity awareness training, and easy ways to document who has been trained and the dates of training.
Off-site, secure, daily data back-ups with a reputable provider are the best way to avoid electronic health record (EHR) downtime. Traditional ransomware that locked data and prevented its owner from using it has devastated health care providers, who scrambled for weeks to recreate records while they waited. Some paid huge ransoms to unlock their data, which the FBI and cybersecurity experts warn strongly against. (It does not guarantee cooperation from criminals, and it encourages them to strike again.)
Understand the Breach Notification Rule
HIPAA compliance is critical for another reason. If an organization becomes a victim of ransomware, or if protected health information is published by the criminals even without the element of ransom, the attack or the publication is presumed to be a breach under HIPAA and triggers the Breach Notification Rule. Healthcare organizations need policies and procedures to know what to do when a presumed breach occurs.
Help from The HIPAA E-Tool®
The easiest way to stay ahead of cyber criminals is to adopt The HIPAA E-Tool® as your compliance solution. We stay on top of the latest guidance from regulators, law enforcement and cybersecurity experts, so you don’t have to.
If you care what OCR thinks, or want to follow the latest from NIST or the Cybersecurity & Infrastructure Security Agency, join The HIPAA E-Tool®. We update the program every time the law changes or official guidance is updated.
Don’t become a headline in HIPAA disasters. Get help and get started today.