Physician practices and the challenge of ransomware

The rash of recent cyberattacks has caused a great amount of concern not only for cybersecurity and IT professionals but also with physician practice leaders. A catastrophic loss of data or captured data could be devastating to a practice. Healthcare institutions are increasingly at risk and typically lack the resources and expertise necessary to avoid or counter a ransomware attack.

From a federal government enforcement perspective, MGMA has argued that the government’s current approach to ransomware — equating data held hostage to data being breached — is counterproductive and must be modified.

The ransomware threat

A type of malicious software (malware), ransomware is unique from other forms of cyberattack, with its specific goal of denying the organization access to its own data, as opposed to removing or copying the patient’s health and financial data found in a medical record. Typically, a ransomware attack will encrypt (lock) a practice’s data with a “key” known only to the hacker who inserted the malware. The hacker then demands a ransom be paid to release the data through use of a decryption key. In many cases, the perpetrator will instruct the victim to pay a ransom via an untraceable cryptocurrency, such as Bitcoin. In some cases, the healthcare sector has seen these criminals deploy ransomware with the goal of damaging or destroying patient data. Ransomware is therefore distinct from other breach-type events, such as a stolen laptop, in which protected health information (PHI) has been improperly disclosed to unauthorized individuals.

Cyberattacks do not simply affect small and technically unsophisticated organizations. Many large entities, deploying complex security measures, have also experienced cyberattacks. For example, Allscripts, one of the nation’s leading EHR software vendors, was devastated earlier this year by a SamSam cyberattack that significantly affected two of its data centers in Raleigh and Charlotte, N.C. As a result, many of its 45,000 physician practice clients had their EHR system disabled. In another example, the Erie County (N.Y.) Medical Center was hit by a similar strain of SamSam ransomware in April 2017. It cost the center millions of dollars to repair and they had no access to their electronic patient data for six weeks.

Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure to deny the organization access to its own data. Recently, a government interagency report disclosed that there have been an estimated 4,000 daily ransomware attacks since early 2016, up from the 1,000 daily ransomware attacks reported in 2015. In its 2018 Data Breach Investigations Report, Verizon states that ransomware attacks have doubled in the last year alone, and that ransomware is the more prevalent variety of malicious software, found in 39% of malware-related cases.

A 2017 study of about 1,300 physicians conducted by the American Medical Association found that more than four in five U.S. physicians (83%) have experienced some form of a cybersecurity attack. Making it even more challenging for practices is that, unlike a natural disaster or similar type of threat to the practice and its patient data, ransomware is not easily anticipated or detected. A U.S. Department of Health and Human Services (HHS) fact sheet states that “[u]nless ransomware is detected and propagation halted by an entity’s malicious software protection or other security measures, an entity would typically be alerted to the presence of ransomware only after the ransomware has encrypted the user’s data and alerted the user to its presence to demand payment.”

As the FBI states on its website, “[r]ansomware attacks are not only proliferating, they’re becoming more sophisticated.” Whereas ransomware was typically delivered via spam emails, as anti-virus and anti-spam software improved, criminals are now deploying phishing emails to specific targets. Most concerning, some cybercriminals can now bypass emails completely by leveraging unpatched software on a target’s computer. With criminals able to deploy this level of technical sophistication, many organizations are simply unable to adequately defend themselves.

The inability to access important data that a practice maintains following a ransomware attack can be catastrophic for the organization. Sensitive patient information may be inaccessible, regular operations (including the ability to treat patients) may be disrupted, lost claims data could result in financial losses, expenses may be incurred to restore systems and files, and the reputation of the organization may be harmed. A 2017 study conducted by Osterman Research found that small companies, on average, lost more than $100,000 per ransomware incident due to downtime alone. One in six organizations experienced a cyberattack that caused 25 hours or more of downtime. Unrecoverable clinical information is also a patient safety issue, affecting a physician’s ability to deliver high-quality patient care.

Physician practices most vulnerable to cyberattack are smaller organizations and those located in rural areas. These practices simply are not equipped to ward off sophisticated cyberattacks and typically do not have sufficient internal technical expertise or the budget to effectively meet these new cybersecurity challenges.

MGMA urges a new enforcement approach

The federal government considers a ransomware attack a data breach; thus physician practices attacked by ransomware are subject to the same process for both notification and enforcement as defined in the Breach Notification Rules of the 2013 HIPAA Omnibus Rule. MGMA asserts, however, that this equating of ransomware with a traditional breach of PHI is inappropriate and should be changed.

In a letter to Alex Azar, Secretary of the U.S. Department of Health and Human Services (HHS), the Association urged a modification to the current federal government’s HIPAA Privacy and Security enforcement policies regarding ransomware. MGMA recommends that the government move away from a culture of “blaming the victim” to one focused on encouraging transparency and augmented education. This change will lead to improved cyber hygiene in the healthcare environment and a reduced threat to patient records and patient safety.

Encouraging practices to come forward voluntarily when they experience a cyberattack will result in real-time reports identifying the tactics these criminals are using and the software they are deploying. This data can also provide the government the opportunity to feed actionable information to the organization experiencing the attack while amassing the intelligence necessary to prevent future cyberattacks.

MGMA recommends that HHS:

• Adopt a ransomware policy that encourages physician practices to report cyberattacks and collaborate with the federal government in an investigation to mitigate the damage and ensure the safety of their patients.
• Create a process of voluntary ransomware reporting to initiate an investigation. HHS should provide a platform where physician practices can voluntarily report, in real-time, a ransomware cyberattack as it is occurring or if one is suspected. This action should begin an urgent, cooperative investigation to preserve the integrity of the extorted data and study the attack to prevent further damage related to the malware. 
• Develop an HHS website focused solely on cybersecurity for healthcare providers. This website would present the latest information on cybersecurity and promote practical, easy-to-comprehend guidelines, best practices and educational resources.

Ransomware is expected to increasingly affect physician practices. Not only must practice leaders take the necessary steps to reduce the chances of a cyberattack occurring and minimize its impact on practice operations if one does occur, the federal government must partner with practices in this fight against cyberterrorism. Creating a positive, collaborative environment of transparency and information sharing as well as increasing provider outreach and education would be important steps in the battle against ransomware.

Cybersecurity action steps

The threat of cyberattacks against healthcare organizations has escalated in recent years and practice leaders need to be vigilant in protecting patient data and the practice itself. The following steps can mitigate the risk of cyber incidents:

1. Conduct a complete HIPAA Security Risk Assessment. The security assessment should not only review issues related to your practice’s internet use and the potential of an external cyberattack, but also the organization’s administrative, physical and technical safeguards.
2. Keep computer operating systems and antivirus software up-to-date. Using an older version of an operating system or using a version that has not been patched can make these systems extremely vulnerable to a cyberattack.
3. Encrypt all files and systems that contain patient information. Encryption programs can be applied to individual computer files or entire computer drives. Note that lost or stolen patient data that has been encrypted is not considered a breach under federal law.
4. Deploy strong user authentication. Your practices should use multifactor authentication or other types of security that ensure only appropriate individuals have access to the data.
5. Ensure that your business associates are protecting your data. If your practice contracts with a business associate to perform a function with patient data, you should ensure that these third parties are instituting safeguards to protect against cyberattacks.
6. Consider cyber insurance. Many medical liability carriers are now offering cybersecurity insurance policies. Review these products for applicability to your practice and for what they do and do not cover.
7. Require training for all practice staff. Cybersecurity training should be administered to all clinical and administrative staff. Do not forget to include part-time workers and volunteers in this training and consider a regular re-training schedule for all staff.
8. Instruct staff not to open emails, attachments or links from unfamiliar senders and report suspicious messages to their internal IT team or external IT vendor immediately.
9. Back up patient data. Review your options with third-party data back-up vendors and strongly consider a secure, off-site data location.
10. Conduct periodic staff and system tests. These tests could include staff behavior regarding outside emails and the security of firewalls, networks and web servers.