Ransomware Attacks Hit 2 More Healthcare OrganizationsSecurity Advisers Offer Risk Mitigation Tips
Two ransomware incidents recently reported to federal regulators as health data breaches illustrate that the surge in such attacks shows no signs of abating.
Among the recent ransomware-related data breaches reported to the Department of Health and Human Services' Office for Civil Rights were incidents at Woodlawn Dental Center based in Cambridge, Ohio, and Mat-Su Surgical Associates in Palmer, Alaska.
Woodlawn Dental Incident
The HHS OCR HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals, shows that Woodlawn Dental reported on May 18 that a breach affected more than 14,400 individuals.
In a notification statement, Woodlawn says on March 18, it suffered a ransomware attack on its computer systems.
"We identified the attack almost immediately and were able to restore our systems from secure backup hard drives," the statement says, adding that no ransom was paid.
"Although ransomware attacks do not typically access personal information, in an abundance of caution, we are letting individuals know that their health records were encrypted," the statement says.
Data potentially exposed in the breach include patients' names, addresses, Social Security numbers, dates of birth plus medical insurance and related health information, the practice says.
Woodlawn declined Information Security Media Group's request for additional details about the reported ransomware data breach.
Mat-Su Surgical Incident
The HHS OCR website shows that on May 15, Mat-Su Surgical reported a breach affecting more than 13,000 individuals.
In a notification statement, Mat-Su Surgical says that on March 16, it discovered that some of its files were encrypted, preventing access to the practice's system.
Mat-Su Surgical hired independent computer forensic experts "who determined that an unauthorized individual may have gained access to files stored on our system that contained some of our patients' protected health information," the statement notes. "Unfortunately, the investigators were unable to identify all files that may have been viewed by the unauthorized individual."
PHI potentially exposed includes patient names, addresses, Social Security numbers, diagnosis and treatment information, test results and health insurance information, the statement says.
The practice is offering affected individuals free credit monitoring and identity theft protection, the statement notes.
Mat-Su Surgical says it has "taken steps to minimize the risk of this kind of event from happening in the future, including resetting all passwords and putting additional controls in place for any type of remote access to our systems."
Additionally, the practice says it is reviewing its policies and procedures to ensure that the appropriate controls are in place to protect PHI.
Mat-Su Surgical did not immediately respond to an ISMG request for additional details about the ransomware incident.
Uptick in Assaults
Ransomware and other schemes, including phishing scams, have been spiking in recent months as the healthcare sector and other industries have struggled with responding to the COVID-19 pandemic (see: Ransomware Slams Healthcare, Logistics, Energy Firms).
Healthcare organizations should take a number of critical steps to prevent falling victim to ransomware, says Tom Walsh, president of consulting firm tw-Security.
"The most important step in prevention of ransomware is workforce awareness," he says.
"Because phishing emails are common and getting more sophisticated, employees could be easily tricked into clicking on a malicious hyperlink embedded in an email or in an attachment," he says. Organizations need to continue educating their workforce on techniques for preventing downloading malicious code, he adds.
Ransomware readiness assessments also are essential, Walsh says, "to determine if safeguards and controls are adequate and if their response procedures address HHS OCR reporting requirements."
Multifactor authentication for any remote access also helps reduce the likelihood of an unauthorized user gaining access to the environment, says Dustin Hutchison, president and COO of security consultancy Pondurance. "Additionally, organizations need to continue evaluating ways to segment their networks to limit access and exposure in the event of unauthorized access," he says.
Woodlawn Dental indicates in its notification statement that it was able to quickly restore its systems with backup hard drives, which points to the need for all organizations to have a good back-up plan, Walsh notes.
It's also important to ensure there is an "air gap" to prevent the data backups from being infected with ransomware, he notes. "This may mean going old school and having at least one copy of data backups on removable media - encrypted of course - that is isolated from the networked backup system."
Walsh also advises organizations to "conduct a tabletop exercise using ransomware as the scenario."
To prepare for a ransomware attack that impedes access to patients' electronic health records, "each organization should have written 'downtime procedures' and printed forms to ensure the continuity of business operations," he says.
Hutchison says it's critical to test backups and contingency plans for key patient care systems, such as EHRs. "Also look at facilities in surrounding areas to enter into reciprocal relationships within the event of business disruption is necessary," he advises.
"Cyber incidents are not slowing down, and the traditional mode of preparation through risk assessments and other means have also been disrupted, so relying on the known best practices, such as MFA, backups and testing, increased user awareness, and monitoring is key."