Recent Ransomware Incidents Serve Up LessonsExperts Say Breaches Spotlight Business Associate Risks
Two recent security incidents involving ransomware attacks on vendors serve as the latest reminders about the risks business associates pose to healthcare organizations.
One of the incidents involves California-based Center for Orthopaedics Specialists, which is notifying about 85,000 patients that their data might have been compromised in a ransomware attack on an unnamed IT vendor.
The other incident involves Wichita, Kansas-based medical transcription services vendor MEDantex, which appears to have leaked patient records due to an unsecured web portal following a ransomware attack, blogger Brian Krebs reports.
Krebs reports that the transcription firm recently rebuilt its online servers after suffering a ransomware infestation. The blogger reports that the MEDantex portal was taken down for nearly two weeks, and that it appears the glitch exposing patient records to the internet was inadvertently incorporated into that rebuild.
MEDantex CEO Sreeram Pydeh confirmed those details to Information Security Media Group, adding that the incident appears to have impacted "a few hundred patients records," although the company has about 2,300 physician clients. The company is working with a security firm on the investigation of how the incident happened, he says.
Security experts say both incidents spotlight the risks posed to HIPAA covered entities by their vendors. And they highlight the need for entities to take certain critical steps when there's a security incident involving one of their business associates.
"The number of incidents that covered entities experience that are caused by their vendors, continues to rise," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"While many CEs are trying to keep track and have oversight of their BAs, the vast majority of CEs still do nothing but have them sign a BA agreement, and then answer, usually only once, a security questionnaire of some type," she says. "This is not sufficient."
Center for Orthopaedics Services Incident
The Center for Orthopaedics Services says in a statement that one of its IT vendors recently notified it that "an unauthorized party had illegally accessed COS' computer network."
Working with the affected IT vendor, COS says it immediately launched an investigation into the matter. "The investigation determined that the unauthorized party began attempting to access our system beginning Feb. 18," the statement notes. "The IT vendor indicated that the affected system was permanently taken offline before any patient information could be removed by the unauthorized party."
Malicious software was used to gain access to and encrypt patient data "in the hopes of getting COS to pay money to restore access to the patient data," according to the statement. "To the best of our knowledge, no patient information was removed by any unauthorized party as a result of this event. However, out of an abundance of caution, we are notifying all patients whose information was stored on the compromised system."
COS says it sent a notification letter to all current and former patients or to their legal guardians or representatives.
Data that was encrypted in the ransomware attack potentially included patient names, dates of birth, details about individuals' medical records, and Social Security numbers. COS is offering affected individuals free identity protection services for 24 months.
COS did not immediately respond to an ISMG request for comment. The company's notification posted on its website does not indicate whether a ransom was paid.
KrebsOnSecurity reports that on April 20, it learned that a portion of MEDantex's site, "which was supposed to be a password-protected portal physicians could use to upload audio-recorded notes about their patients was instead completely open to the internet."
In addition, numerous online tools intended for use by MEDantex employees were exposed to anyone with a web browser, including pages that allowed visitors to add or delete users, and to search for patient records by physician or patient name, Krebs reports. "No authentication was required to access any of these pages," the blogger states.
Several MEDantex portal pages left exposed to the internet suggest that the company recently was the victim of WhiteRose, a strain of ransomware, Krebs reports. Although many of the exposed documents appear to be recent, some of the records dated as far back as 2007.
As of April 26, MEDantex's website was still down.
Krebs reports that Cooper University Health in Camden, N.J., is among at least 12 large healthcare organizations across the U.S. that were reportedly listed as clients on the MEDantex website before it was recently taken down for repair.
However, Phil Curran, Cooper University Health chief information assurance and privacy officer, tells ISMG that his organization is not a client of MEDantex.
"Cooper has no record of MEDantex being a vendor for Cooper. We have reviewed our contract database, our BA database, our accounts payable database and have no record of MEDAntex being a vendor," he says.
"Cooper has not heard from MEDAntex. We will be reaching out MEDantex. Until we hear from MEDantex, we will not be able to determine if Cooper patients are affected."
Nevertheless, Curran says covered entities need to take critical steps to minimize risks posed by business associates.
"During the contracting phase, healthcare entities must coordinate with their vendor on how the vendor will report the breach," he says. "The coordination is more than the timeframe the vendor needs to report to breach."
Curran stress that the coordination also should include:
- Who will report the breach to HHS Office for Civil Rights and to the affected patients?
- Whom and how should the vendor contact at the covered entity?
- Will the entity receive a copy of the breach risk assessment?
- Will there be update meetings incident with the CE, and how often?
"I would also suggest that the entity create an e-mail distribution list of their vendor contacts and send an email to the list on a regular basis to ensure those contacts remain valid," Curran says. "Another suggestion is for the entities to send an email to their vendors asking them if they have had any incidents. Communication between the entities and their vendors will go a long way when a breach occurs."
Other Steps to Take
Herold also recommends several critical steps to take when it comes to dealing with BAs.
Covered entities, she says, should "put more explicit details within their contracts with their BAs. Include specifics for what the BAs need to do on an ongoing basis and as part of their information security and privacy management program."
Regarding ransomware, she says, "be sure to indicate that regular training with ongoing frequent reminders about security and malware ... will be provided."
CEs should also ensure that their cyber insurance coverage includes "ransomware in not only their organization, but also the impacts that the CEs could have from their BAs' ransomware incidents," Herold recommends.
Keith Fricke, principal consultant at tw-Security, says CEs and BAs need to be equally prepared for attacks and other incidents that potentially impact patient data.
"Make sure good backup processes exist that are executed often. Incident response plans should exist and tabletop exercises conducted at least annually," he says.
"Externally facing systems should be scanned frequently for vulnerabilities. CEs and BAs need to have good change management processes in place that include verifying security is intact after updates and upgrades."