An investigation into a November Metropolitan Urology ransomware attack has revealed that the attackers may have gained access to the protected health information (PHI) of almost 18,000 former patients.

The Metropolitan Urology ransomware attack occurred on November 28, 2016 and impacted two servers used by the medical group. While the ransomware successfully encrypted a wide range of files, it was not initially known whether any data covered by Health Insurance Portability and Accountability Act Rules had been accessed.

An external computer security firm was contracted to conduct an investigation, which revealed on January 10, 2017 that PHI was potentially accessed by the attackers. Names, procedural codes, dates of service, account numbers, control numbers, and other ID numbers were all potentially viewed. In total, 17,364 patients who had visited Metropolitan Urology centers for treatment between 2003 and 2010 were impacted by the Metropolitan Urology ransomware attack.

The Metropolitan Urology ransomware attack is the latest in a long list of ransomware attacks on U.S. healthcare providers in recent months. The healthcare industry is being extensively targeted by cybercriminals who know that healthcare providers are heavily reliant on data and need access in order to continue to provide medical services to patients. If patient data are encrypted and systems taken out of action, there is a high probability that a ransom demand will be paid.

However, in the case of the Metropolitan Urology ransomware attack, computers were recovered by the IT security firm and it would appear that a ransom was not paid. The same cannot be said of Hollywood Presbyterian Medical Center. In January, a ransom payment of $17,000 was made to recover files that had been encrypted by ransomware. Many other healthcare providers have similarly paid to have their data decrypted.

HIPAA and Ransomware Attacks

In July last year, following a spate of healthcare ransomware attacks, the Department of Health and Human Services’ Office for Civil Rights – which enforces HIPAA Rules – confirmed ransomware attacks are reportable security breaches. All HIPAA breaches must be reported to OCR within 60 days of the discovery of the breach and patients must similarly be notified of any incidents in which their PHI has been compromised.

A HIPAA breach is classed as “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.”

Not all forms of ransomware involve the exfiltration of data, but a ransomware infection still counts as a HIPAA Privacy Rule breach. OCR confirmed that the encryption of PHI does count at a HIPAA breach because the information has been disclosed to a third party.

Ransomware incidents are therefore reportable and warrant notifications to be issued to patients unless the covered entity can demonstrate there is a “low probability that PHI has been compromised.”

OCR suggests that the way to do this is to conduct a risk assessment and investigate the nature and extent of PHI that has been viewed, the individuals that may have accessed the PHI, whether the PHI was stolen or viewed, and the extent to which the risk to PHI has been mitigated.

The covered entity should also determine which malware variant was used and the algorithmic processes used by that malware to encrypt data. Demonstrating a low probability of a PHI compromise may therefore prove problematic for healthcare organizations, especially smaller healthcare organizations with limited resources.

Protecting Healthcare Computers from Ransomware Attacks

Protecting against ransomware attacks requires investment in a wide range of different solutions. Organizations can focus on preventing ransomware from being installed by blocking the main vectors used to spread infections. Spam filtering solutions can be highly effective at blocking email-borne threats. Preventing suspicious emails from being delivered reduces reliance on end users being able to identify emails as malicious and stops them from opening infected attachments and clicking on malicious links.

To block web-borne attacks, healthcare organizations can implement a web filtering solution to control the file types that can be downloaded. The solution can also be used to block websites known to contain malware or exploit kits. A web filter can be configured to prevent end users from accessing certain types of websites that carry a high risk of infection.

Endpoint security solutions can help to detect ransomware infections, allowing rapid action to be taken to reduce the extent of an infection. Computers and/or servers can then be isolated to prevent the spread of the ransomware to other connected devices.

However, since it is not possible to reduce risk of infection with ransomware to zero, organizations must ensure that data is backed up and can be recovered in the event that computers are encrypted. Multiple backups should be performed, and backup files should be stored on air-gapped devices and in the cloud.

For further information on protecting your organization from the threat of ransomware, contact the TitanHQ team today.