I have been planning to write a blog post on ransomware since spring 2015 when I was a victim of ransomware. I got a message that, unless I paid more money than I had available, all my data would be gone. Fortunately, I had most of my data backed up in the cloud, so when I did not pay the ransom (by PayPal or bitcoin, no less), I lost only files that were on my laptop but not yet backed up in the cloud. Not that this in and of itself wasn’t a hassle. I had to recreate very complex motions in a court-martial in which I was defending a soldier wrongfully accused of rape. And I did not feel that I could ethically bill the client for re-creating the motions (which ended up being instrumental in getting the charges dismissed). And if I hadn’t had the majority of my files backed up, it would have been catastrophic. I would have lost the files on all of my books, which would make it vastly more difficult to update them when the law changed and it was time for the next edition. And I would have lost all my client files. And I just recently got a query from a physician practice asking whether the loss of most of their data to ransomware was reportable to DHHS. Hence, this blog item on ransomware.
Ransomware is a type of malware that restricts access to the infected computer system in some way and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a so-called trojan horse, whose payload is disguised as a seemingly legitimate file, much like the Trojan Horse that looked like a gift to the Trojans, but was filled with Greek soldiers who came out of the wooden horse after it had been brought within the walls of Troy. In short, ransomware is an access-denial type of attack that prevents legitimate users from accessing files.
Could ransomware be a threat to the health care industry? Yes, and it already has resulted in ransoms and lost data. In March, the Hollywood Presbyterian Medical Center in Los Angeles declared a state of emergency when hackers took its data hostage. The two-week standoff ultimately ended with the institution paying a $17,000 ransom. Following that ransomware attack, two other hospitals—Methodist Hospital in Kentucky and Ottawa Hospital in Ontario—had such attacks. The Kentucky attack is ongoing, while the one in Ottawa ended without any harm induced or ransom paid because Ottawa Hospital was able to remove the ransomware from its system without paying.
None of these three attacks resulted in a compromise of patient information confidentiality, presumably because stealing data and selling it to identity thieves is harder and riskier for the attackers than simply demanding a ransom.
So what does this ransomware have to do with HIPAA? After all, patient confidentiality was not breached. Remember, however, that HIPAA requires covered entities and business associates to “ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.” 45 C.F.R. §164.306(a) (emphasis added). If ransomware shuts down your EHR or other system containing electronic protected health information (“EPHI”), the availability is certainly compromised.
So how do you implement reasonable and appropriate security measures against ransomware? One expert suggests the following:
- Make safe and secure backups. If a hacker steals something like your family photos or work documents and demands money for their safe return, the joke is on them if your files have all been properly backed up.
- Update and patch your systems. Hackers are always on top of their game. It’s like playing a constant game of cat and mouse, cops and robbers, or cowboys and Indians. That’s why you must keep all of your systems up-to-date. Security researchers are always finding holes for hackers to exploit and issue patches to cover those holes. Most updates take only a click or two, and those clicks could be all that separate you from being a cyberattack victim.
- Use antivirus software. Why you wouldn’t be using antivirus software in the first place is incomprehensible. It’s the most basic form of security and can stop most basic threats and warn you if any viruses happen to make it through.
- Educate your workforce. Remember the CEO scams? Those scams are on an alarming increase, so one of your most valuable tools is education and awareness. If you, or any of your employees, know how to spot the warning signs of a scam, chances are that you’ll be less likely to fall for it. The “CEO Email Scam” dupes employees into wiring money by using bogus messages from the boss. The scammers assume the identity of a company CEO or sometimes simply send an email so close to the correct email that the recipient never notices the difference. The requests go to someone in the company authorized to deal with money, usually demanding quick action—and confidentiality—because of a pending business deal. It’s been so successful that the FBI has issued an announcement citing complaints in every state and in 79 countries.
- If hit, don’t wait and see. If you even suspect that you’ve been hit, take immediate action. Quickly disconnect your computer from the network and contact authorities for major attacks, such as if you get hit with ransomware. Meredith Cunningham, “Don’t be the next ransomware victim: 5 simple steps to protect yourself,” at Kim Komando, America’s Digital Goddess.
I would add to immediately contact any relevant insurance carriers, such as a HIPAA or a cybersecurity carrier.
I would also suggest that you update your risk analyses, as required by 45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii), to include the risk of ransomware. Your presumably limited funds can be better spent on your patients/clients than on some malicious code writer in Russia or elsewhere.
One of our favorite IT guys, who has done consulting for DOD and prefers to remain unnamed, recommends taking the following steps to protect your systems at home and at the office. He calls them housekeeping items for a new WiFi network:
- Separate networks for public WiFi vs. office network WiFi. Offering free WiFi is great customer service for the long waits in the doctor’s office, but make sure that the free WiFi is on a completely separate, secured WiFi network. With free WiFi comes the risk of hackers uploading malware and infiltrating all users. Keep on top of security patches, and change the password frequently.
- Download firmware updates for your new WiFi router. These firmware updates are put out by the manufacturer and address any known security holes since the device was shipped to the store.
- Change the default admin password for your wireless router. It is the most common way that hackers infiltrate networks. It is easy to find default admin passwords for different makes and models of wireless routers. By changing this default password, you close one avenue down for hackers to post malware to your network.
- Disable the SSID broadcast of your wireless network. In other words, don’t share the name of your network by default. This disabling will make your wireless network invisible to the world unless you have some serious, high-end hacking chops. Making your network invisible will help reduce war-driving attacks on your network. If they don’t see it, they probably won’t take time to find it. They’ll just go after your neighbor’s WiFi instead. It also acts like two-factor authentication because you will need to give folks the name of your WiFi network and a password for them to use it.
- Finally, if you want to really make sure that no one is able to get in, use MAC address (media access control or physical address) filtering on your wireless router. By setting a specific list of device MAC addresses for your wireless router, you limit the chance of some evildoer gaining access to your network and wreaking havoc with malware and other nasty viruses. Every device that can connect to a network has a MAC address, including phones, tablets, computers, printers, and more.
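For readers who run their own access point, here is what the housekeeping list above looks like as a single hostapd configuration on a Linux access point; it is an added example, not the consultant's own setup, and the interface names, bridge names, SSIDs, passphrases and MAC address file are assumed placeholders. Each item in the list maps to one setting: a separate guest BSS on its own bridge, a hidden office SSID, a MAC allow-list, and passphrases that should be rotated as the list advises.

```ini
# Added example (not from the original post): hostapd.conf applying the
# WiFi housekeeping items. wlan0, the bridge names, SSIDs, passphrases and
# the accept file are placeholders; multi-BSS requires driver support.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# ---- Office network: WPA2, hidden SSID, MAC allow-list ----
ssid=OFFICE-SSID-PLACEHOLDER
# Office LAN bridge (assumed); office devices and EHR workstations live here.
bridge=br-office
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Long random passphrase; change it when staff leave or on a schedule.
wpa_passphrase=CHANGE-ME-LONG-RANDOM-OFFICE-PASSPHRASE
# Do not advertise the network name ("disable SSID broadcast").
ignore_broadcast_ssid=1
# 1 = deny every station unless its MAC is listed in accept_mac_file.
macaddr_acl=1
# One MAC per line in this file, e.g. 00:11:22:33:44:55 (placeholder).
accept_mac_file=/etc/hostapd/office.accept

# ---- Guest network: separate SSID on a separate bridge ----
bss=wlan0_1
ssid=GUEST-SSID-PLACEHOLDER
# Guest bridge/VLAN (assumed) with no route into br-office.
bridge=br-guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Guest passphrase; rotate it often, since it is handed out to visitors.
wpa_passphrase=CHANGE-ME-GUEST-PASSPHRASE
# Keep waiting-room devices from reaching one another over the WiFi.
ap_isolate=1
```

Hiding the SSID and filtering MACs keep casual devices off the office network; the WPA2 passphrase is the setting that actually keeps unauthorized devices out, so the separate bridges and a strong, rotated passphrase carry most of the protection.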