This article was written by Joe Wivoda, CIO of the National Rural Health Resource Center/Rural Health Innovations.
The news is filled with stories of health care organizations that have had their data held hostage by hackers. Sometimes they choose to pay the ransom, sometimes they don’t. Regardless, the damage has been done because it is still a breach of Protected Health Information (PHI) and often needs to be reported to the Office of Civil Rights (OCR) as well as local media. Of the 168,000,000 reported breaches in the OCR database, 126,000,000 list hacking or IT as a factor. Clearly we have to take malicious software, known as “malware”, seriously.
What are the threats?
Malware comes in many forms: computer viruses, worms, Trojan horses, spyware, adware, scareware and who knows what else! Ransomware, where a user is usually tricked into allowing a malicious program or web page to encrypt their data files and hold them hostage, is getting a lot of attention and causing a lot of stress for IT leaders. Many of these attacks are difficult to stop with traditional antivirus software. Some use “social engineering” to convince a user to click on the malware and enable it.
“Warning! Your PC is infected. Click here to clean your PC NOW!”
This is not a virus warning, this is likely a malware attack, perhaps even ransomware!
How do you protect yourself?
Of course every computer on your network needs antivirus, but protection is much more than that. In an environment with many computers, which includes all rural hospitals and many other rural providers, it can be difficult to manage all of the updates without central management of the antivirus software. Further, antivirus software will only stop so many threats. Some will get through even with a well-managed antivirus package running; how many depends on how well the users are trained and how aware they are that they are targets!
That message that says “your computer is infected, click here to repair it” might as well say “feel free to click this and we will charge you money to get your data back” because that is one of the likely results. All organizations, including rural health care facilities, need to protect themselves in several ways:
The best intentions and efforts to protect your facility do not mean you won’t get caught by one of these nasty programs! Ransomware in particular seems to be showing up everywhere, and you have to be ready to respond when it does happen (see that mention of an “incident response team”? That’s important!).
What if you are a victim of ransomware?
Many rural hospitals and clinics have been hit by ransomware in the last year. CMS and the Office of Civil Rights (OCR) have determined that if Protected Health Information (PHI) has been encrypted then it has been “acquired”. That is a key term! “Acquired” means that it is considered a data breach under HIPAA and needs to be reported.
Do you pay the ransom or not? Either way you will need to report the data breach and offer identity theft protection services to the patients affected, so it becomes a question of cost-benefit analysis. If the ransom is low enough, it may be less expensive than doing a full restore of the data (you do have good, well-tested backups, right?). Even if you pay there is no guarantee that the data-kidnapper will release the data. Now that you have agreed to pay, why wouldn’t you pay a little more? For these reasons most experts feel you should not pay. Estimate what the costs in time, money, patient safety, and other factors are before making the decision to pay the ransom or restore the data.
Rural IT leaders and others need to be aware of the risks that malware presents and understand how to mitigate those risks. The HIPAA regulations provide good practices, like risk assessment and incident response teams, that will protect your network but they need to be put in place. It is very hard in a rural setting to get everything done, particularly when most CAHs and RHCs have limited staff. It is necessary in most cases to use outside experts, at least to some extent. Talk about these threats with your end users and leaders, because they are the front lines in safeguarding your precious PHI!
Fact Sheet: Ransomware and HIPAA
Health IT Playbook
The National Rural Health Resource Center (The Center) is a nonprofit organization dedicated to sustaining and improving health care in rural communities. Rural Health Innovations, LLC is a subsidiary of the National Rural Health Resource Center.