Thwarting Healthcare Cyberattacks: New Guidance
OCR Outlines Steps to Avoid Falling Victim to Rising Threats
Federal regulators have issued new guidance urging healthcare organizations and business associates to bolster their cyberattack defenses. The advice comes after several high-profile attacks, including one targeting MedStar Health that forced the 10-hospital system to temporarily shutter many of its systems to minimize the spread of malware.
The Department of Health and Human Services' Office for Civil Rights' alert warns about the dangers posed by ransomware, nation-state attacks and emerging attacks targeting smartphones. It urges organizations to implement a series of key measures to defend against those threats.
"Recent cyberattacks on major healthcare entities have been eye-opening for some healthcare professionals and have changed many views on security for the healthcare sector," says a March 30 update from the Department of Health and Human Services' Office for Civil Rights. The latest update is part of a cyber awareness initiative that OCR launched in January. The first update focused on ransomware and tech support scams (see OCR: Cyber-Awareness Effort: Will it Have an Impact?).
In the latest alert, OCR notes, "In the past, security compliance personnel and their leadership at healthcare entities may have been more focused on issues like security breaches that involve workforce members losing unencrypted laptops or other mobile devices containing patient's protected health information. While lost or stolen devices still represent a large portion of health industry breaches, healthcare sector organizations must consider new cyber threats, as well."
Cyberattacks involving hackers targeting the databases and network systems of healthcare sector organizations "are becoming more common and sophisticated, and may be different from the privacy breaches many entities have seen previously," OCR notes.
The latest OCR guidance was issued as MedStar Health struggled to recover from a malware attack that shut down its IT systems. As of April 3, MedStar said in a statement that it had brought its virtual private network back online, enabling physicians to remotely access MedStar clinical systems.
Although the Washington Post reported last week that the malware attack involved a request for a ransom, MedStar hasn't confirmed that account, and it has not responded to repeated inquiries from Information Security Media Group.
The attack on MedStar followed ransomware attacks that targeted Methodist Hospital in Kentucky, two California hospitals and Ottawa Hospital in Canada (see Hospital Ransomware Attacks Surge; So Now What?). Plus, Hollywood Presbyterian Medical Center in California grabbed headlines in February when it announced it paid extortionists a $17,000 bitcoin ransom to unlock its data.
In addition to those attacks, Mercy Iowa City on March 25 reported a malware attack potentially exposing information on almost 16,000 individuals. That incident was recently added to the OCR "wall of shame" website of health data breaches as affecting 500 or more individuals.
In a statement, Mercy Iowa City says that it learned of the attack on Jan. 29, when law enforcement advised it that a computer virus had potentially infected some of its systems on Jan. 26, 2016. The organization's investigation determined that some of its computers were infected by a virus designed to capture personal data. However, to date, Mercy Iowa City says it has no evidence that patient information has been used improperly.
The organization is working with law enforcement in its investigation. A Mercy Iowa City spokeswoman declined to discuss details of the attack or type of malware involved, but tells ISMG that ransomware was not part of the incident.
Disruptions to Care
OCR's new guidance notes the various ways that "cyber threats and attacks can disrupt healthcare entities' information systems and cause delays in patient care." For example, certain attacks can slow down the process of providing patients their daily medication or meals; printing patients' labels, ID badges or discharge papers; and accessing patient medical records, the alert notes. "Some attacks can affect life-saving medical devices."
In fact, security experts, as well as government agencies, including the Department of Homeland Security and Food and Drug Administration, have been warning healthcare entities for the past several years about the potential cybersecurity risks to medical devices and other healthcare equipment connected to the internet (see Security Flaws in Legacy Medical Supply Systems Spotlighted).
As for the recent string of ransomware attacks on hospitals, OCR notes that "hackers and ransomware tools are becoming more sophisticated." But to fend off these attacks, which involve attackers locking up databases and files with encryption, OCR suggests healthcare entities take a number of steps that are recommended by the U.S. Computer Emergency Readiness Team, including:
- Performing regular backups of all critical information, keeping data on a separate device and keeping backups stored offline;
- Maintaining up-to-date anti-virus software and keeping operating system and software up to date with the latest patches;
- Not clicking on unsolicited web links in emails, and using caution when opening email attachments.
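The first of those steps, regular backups kept on a separate device and offline, only pays off if the copy you restore from is the copy you made before the intrusion. The following script is an added example, not code from OCR, US-CERT or any organization named in this article; it records a SHA-256 manifest when the backup is taken, so that an archive can later be checked against a manifest stored with the offline copy before anyone restores from it. File names and contents are constructed for the demonstration.

```python
"""Backup snapshot with an integrity manifest (added example; constructed data)."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative path) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tarball of source and return the manifest taken at the same time.
    The manifest is meant to be stored alongside the offline copy, not on the
    production host, so that it cannot be rewritten together with the data."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    return manifest


def verify_backup(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Extract the archive into scratch space and return the relative paths whose
    content no longer matches the manifest (changed, missing, or unexpected)."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch)
        restored = build_manifest(Path(scratch) / "data")
    problems = [p for p, digest in manifest.items() if restored.get(p) != digest]
    problems += [p for p in restored if p not in manifest]
    return sorted(problems)


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a clean backup verifies; an archive taken after a file
    was overwritten is flagged when checked against the original manifest."""
    with tempfile.TemporaryDirectory() as work:
        workdir = Path(work)
        source = workdir / "source"
        (source / "notes").mkdir(parents=True)
        (source / "notes" / "patient_list.txt").write_text("constructed sample record\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")

        good_archive = workdir / "backup-1.tar.gz"
        manifest = create_backup(source, good_archive)
        clean = verify_backup(good_archive, manifest)

        # Simulate the file being altered on the host before the next backup run
        (source / "notes" / "patient_list.txt").write_bytes(b"\x00garbled")
        later_archive = workdir / "backup-2.tar.gz"
        with tarfile.open(later_archive, "w:gz") as tar:
            tar.add(source, arcname="data")
        tampered = verify_backup(later_archive, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The second archive is the situation the US-CERT advice is guarding against: an automated backup that runs after files have been encrypted or overwritten faithfully preserves the damaged content, and only a manifest kept apart from the host reveals which files can be trusted.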
OCR also notes that the FBI discourages healthcare entities and business associates from paying the ransom, "as this does not guarantee files will be released."
Privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group, says that the FBI's advice about not paying a ransom is well grounded, but likely unrealistic for some organizations struggling desperately to unlock their data in the wake of a ransomware attack. "While I understand the reasons behind the FBI's message, I suspect CEs and BAs who find themselves in this position are likely to pay the ransom rather than play chicken with the bad guys."
Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, notes: "It is most important to note that the cyberattacks - whether they be ransomware, infiltration of malware or keyloggers - that permit exfiltration of data have a common denominator of an email phishing attempt that activates when a link included in the message is selected by the recipient." He says healthcare entities must "recognize that the best ways to battle this is through monitoring what is going on in your information system along with user education on how to recognize and avoid opening up emails from sources that are not recognized."
OCR also warns that it's not only ransomware attacks that healthcare entities and business associates need to be worried about. For example, healthcare entities may be the target of hackers in China, Russia and several countries in Eastern Europe, OCR notes. "The motivation for this type of attack varies from collecting protected health information for sale and collecting data for intelligence-building and potential espionage, to stealing intellectual property from medical technology companies."
To mitigate the risk of nation-state attacks, OCR advises covered entities and business associates to refer to advice from the FBI that includes:
- Recognizing internal and external security threats to the entity's sensitive data and implementing a plan for safeguarding it;
- Confining access to an entity's sensitive data to a need-to-know basis;
- Providing training to employees about its data security plan and how to avoid email attacks involving phishing;
- Avoiding storing private information on any device that connects to the internet.
OCR also warns healthcare organizations to be on the lookout for emerging attacks targeting smartphones. "Patients, staff and third-parties of covered entities are using smartphones to interact with new healthcare applications and medical devices. Although smartphones have beneficial features, entities must ensure these devices have appropriate safeguards against cyberattacks," the guidance says.
OCR notes that the U.S. CERT advises organizations to mitigate the risks of a cyberattack on smartphones by implementing such security practices as:
- Enabling the password feature on mobile phones, as well as enabling encryption, remote wipe capabilities and antivirus software;
- Checking what permissions mobile applications require. If the permission seems beyond what the application should require, do not install the application;
- Setting Bluetooth-enabled devices to non-discoverable;
- Avoiding unknown Wi-Fi networks and public Wi-Fi hotspots;
- Deleting all information stored in a device prior to discarding it.
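The permission check in the second item above can be made repeatable rather than left to each user's judgment. The script below is an added example, not from OCR or US-CERT: it reads the `uses-permission` entries of an Android manifest and compares them with the permissions an organization has decided a given clinical app legitimately needs. The app, its manifest and the expected-permission set are constructed for illustration; the permission names and the `android` XML namespace are the real Android ones.

```python
"""Review an Android app's requested permissions against an expected set (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed expectation for a hypothetical glucose-logging app that only needs
# to talk to a Bluetooth meter and sync readings over the network.
EXPECTED_FOR_APP = {
    "android.permission.INTERNET",
    "android.permission.BLUETOOTH_CONNECT",
    "android.permission.BLUETOOTH_SCAN",
}

# Permissions that reach well beyond what a clinical app of this kind should need.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed manifest for the hypothetical app; it over-asks for SMS and microphone access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.glucoselog">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Collect the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def review_permissions(manifest_xml: str, expected: set[str],
                       high_risk: set[str] = HIGH_RISK) -> dict[str, object]:
    """Return the unexpected permissions, the high-risk subset, and a verdict:
    'allow' if nothing unexpected, 'review' if only low-risk extras, 'reject'
    if any unexpected permission is in the high-risk set."""
    unexpected = requested_permissions(manifest_xml) - expected
    risky = unexpected & high_risk
    if risky:
        verdict = "reject"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "unexpected": sorted(unexpected),
        "high_risk": sorted(risky),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(review_permissions(SAMPLE_MANIFEST, EXPECTED_FOR_APP))
```

Keeping the expected set per app, in a file the security team maintains, turns OCR's "if the permission seems beyond what the application should require" into a decision that can be applied the same way before the app is approved for staff or patient devices.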
While the OCR updates include important information, OCR should consider other ways to draw more attention to the advice, Holtzman contends.
"OCR is missing an opportunity to provide meaningful assistance and updates to the healthcare sector with a monthly 'newsletter' on cybersecurity," he says. "The threats posed by cybercriminals evolve too quickly to justify this response from the front-line agency responsible for safeguarding Americans' health information privacy. A more effective approach would be to pass along the weekly bulletins and alerts provided by the US-CERT."