Tips to Avoid and Mitigate Ransomware Attacks

Ransomware attacks are on the rise and are a danger to the healthcare industry. Hospitals, ambulatory surgery centers, and private practices must all take precautions to protect their data and their patients.

Data Breach on the Rise

In January 2020, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day. In 2019, Health Insurance Portability and Accountability Act (HIPAA) covered entities and their business associates reported 510 data breaches. In July 2019, 11,500,000 individuals were reportedly affected by Optum360, LLC’s data breach and 10,251,784 individuals were affected by Laboratory Corporation of America Holdings d.b.a. LabCorp’s data breach.

Many data breach incidents are ransomware attacks. Ransomware attacks harm everyone. Research recently conducted by Comparitech found over 172 ransomware attacks on United States healthcare organizations since 2016. Comparitech found these attacks cost over $157 million. Taking steps to reduce the risks of data integrity attacks can significantly impact how quickly an organization can rebound from an attack, as well as mitigate the damage done by the attack.

Here are just a few of the many ransomware attacks that have happened over the last few months.

Enloe Medical Center

Chico, California-based Enloe Medical Center (Enloe) was forced to reschedule some elective procedures following a ransomware attack that affected its entire network infrastructure. It took almost two weeks for Enloe to achieve full-fledged restoration of its core systems. Upon discovery of the January 2, 2020 incident, Enloe’s comprehensive emergency protocols were immediately implemented to safeguard patient records.

“Despite this challenge to our operations, our ability to provide care for our community during this IT incident stems from our frequently practiced system downtime and data backup protocols,” said Mike Wiltermood, Enloe’s president and chief executive officer. “Our caregivers have done a remarkable job utilizing our downtime procedures to ensure patient safety while we have worked toward restoring affected systems.”

Enloe’s information technology personnel was able to get major clinical programs restored and back online within three days of the incident. Ancillary clinical programs were restored and back online shortly thereafter. At this time, there is no indication or evidence that suggests patient data was accessed or exfiltrated.

“Upon learning of this incident, we immediately took steps to restore critical operating systems and ensure the security of our network. At this point in time, we have no indication or evidence that suggests patient medical data has been compromised,” said Kevin Woodward, Enloe’s chief financial officer.

Children’s Choice Pediatrics

PediHealth, PLLC, d/b/a Children’s Choice Pediatrics (“Children’s Choice”), in December 2019, notified patients of a data security incident that may have involved the personal and protected health information of 12,689 patients.

McKinney, Texas-based Children’s Choice discovered in October 2019 that it was the victim of a ransomware attack that encrypted the data stored in its network. Children’s Choice took action to secure the network and retained cybersecurity experts to assist with an investigation. Children’s Choice attempted to restore the infected data. However, some patient records were irretrievably deleted.

To prevent similar events from occurring in the future, Children’s Choice is strengthening security measures and ensuring its networks and systems are secure.

Children’s Choice sent notification letters to the potentially impacted patients to notify them about this incident and to provide resources to assist them including steps to monitor and protect personal information.

Central Kansas Orthopedic Group

Central Kansas Orthopedic Group (CKOG), based in Great Bend, Kansas, discovered that an unauthorized party or group gained access to its computer system in November 2019. CKOG learned of this intrusion when the attacker deployed ransomware.

CKOG did not pay the demanded ransom and was able to restore its system from available backups. All medical records were restored. However, it is possible an unauthorized person or persons had access to medical records of 17,214 patients. The information in the patient records included: address, birthdate, driver’s license number (or other form of state-issued identification), health information related to treatment at CKOG or referring providers, health insurance number, social security number, and email address.

Since contacting a third-party forensic company, CKOG is working to enhance its overall security platform and security protocols.

What Can Be Done?

The National Cybersecurity Center of Excellence (NCCoE) has announced its intent to “establish tools and procedures to defend, detect, and respond to data confidentiality events.” To facilitate this effort, it released drafts of National Institute of Standards and Technology (NIST) Cybersecurity Special Publications. The publications are practice guides meant to benefit executives, chief information security officers, system administrators, or those who have a stake in protecting their organizations’ data, privacy, and overall operational security.

The guides are “Detecting and Responding to Ransomware and Other Destructive Events” and “Identifying and Protecting Assets Against Ransomware and Other Destructive Events.” The comment period on the guidelines closes March 20, 2020.

Detecting and Responding to Ransomware and Other Destructive Events

“Detecting and Responding to Ransomware and Other Destructive Events” focuses on detailed methods and potential tool sets that can detect, mitigate, and contain data integrity events in the components of an enterprise network. It also identifies tools and strategies to aid in a security team’s response to such an event.

The risks of data integrity attacks can be reduced using capabilities such as: integrity monitoring, event detection, vulnerability management, reporting capabilities, and mitigation and containment.

Integrity monitoring provides capabilities for comparing current system states against established baselines. The baseline is used for comparison against the system’s state during an attack.

Event detection provides capabilities for detecting ongoing events and can be composed of intrusion detection, malware detection, user anomaly detection, and others, depending on the established threat model of the organization.

Vulnerability is weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Vulnerability management provides a mechanism for analyzing various system and network components, for a better understanding of resolved and unresolved vulnerabilities in the enterprise.

Reporting provides the capability to report on all activities within the enterprise and within the reference architecture for analysis by a security team.

Mitigation and containment respond to data integrity events by containing and limiting the threat’s ability to affect the system.

Forensics/analytics provide the capability to probe/analyze logs and machines within the enterprise to learn from data integrity events.

Identifying and Protecting Assets Against Ransomware and Other Destructive Events

“Identifying and Protecting Assets Against Ransomware and Other Destructive Events” focuses on methods to effectively identify assets that may become targets of data integrity attacks. It also explores methods to protect these assets against data integrity attacks through the use of audit logs, vulnerability management, maintenance, and other potential solutions.

The risks of data integrity attacks can be reduced using capabilities such as: secure storage, backup capabilities for databases, virtual machines, and file systems, log collection, asset inventory, and file integrity checking mechanisms.

Secure storage allows data storage with additional data protection measures, such as Write Once Read Many (WORM) technologies. Data encryption can also be used, but this will not inherently protect data against corruption.

The backup capability enables backups of the entire database. In the event of a deletion, these backups can be used to restore the database.

Logging records and stores all the log files produced by the components within the enterprise. Logging provides a baseline for events across the enterprise, including typical database activity.

An asset inventory implies that an organization has access to the skills and resources required to implement an asset identification and protection system.

The integrity monitoring capability provides a baseline for database activity as a point of comparison post-deletion. This baseline can be used in the event of an attack to detect and alert on changes within the enterprise as well as aid any necessary recovery.

Repercussions for Neglecting Cybersecurity

The rise of ransomware attacks is a sad reality that cannot be ignored. Hospitals, ambulatory surgery centers, and private practices that have neglected their cybersecurity may find themselves liable. As the number of data breach incidents continues to rise, exposed patients have found recourse in the courts.

OTW has been covering the rising number of cybersecurity data breach lawsuits. For OTW’s previous coverage of recent cybersecurity data breach lawsuits, see “Victims Can Sue Ortho Clinics if Data Hacked,” “Banner Health Agrees to Pay $6 Million for Data Breach,” and “Four Patients Sue DCH Health System After Ransomware Attack.”