This week, Hollywood Presbyterian Medical Center made national news after hackers shut down their computer system and demanded $3.4 million in bitcoins in ransom to unlock it.
This meant the hospital was without access to electronic medical records. The hospital ended up regaining access to its computer systems after paying $17,000 in ransom, a fraction of what was demanded by the hackers. Despite the significantly reduced ransom, the incident was a disruption, to say the least.
MPA spoke with Montez Fitzpatrick, Director of Information Security and Compliance for Keystone IT, about what providers can learn from this incident.
MPA: Help us understand “ransomware.” How does it work?
Montez: Ransomware is a relatively new style of attack vector for malware writers. In short, it is an application which uses system security against the system owners. Ransomware in its contemporary form will iterate through file and folder drives and shares, systematically encrypting those objects, rendering them unusable unless you have the secret key. The only way to obtain the secret key is to pay the ransom, often in the form of bitcoins, to a specified address with the hopes that they will send that secret key in return.
MPA: How likely is it that a provider could experience a ransomware attack?
Montez: There are a lot of factors which go into this calculation; mostly it is all due to the training and security awareness initiatives the provider has in place to combat incidents such as mail and their attachments from unknown sources, which is one of the most prevalent origin paths for this type of attack. It is unlikely that any one person can be the cause of an infection. Multiply that by the number of workforce members and it becomes increasingly likely. This is true for a blanket style campaign; the reality will be much different for a targeted attack. It would have a much higher success rate.
MPA: Can providers do anything to prevent a ransomware attack – or mitigate the damage?
Montez: Yes, the simplest way to begin to mitigate the damage would be to have a genuine business continuity and disaster recovery philosophy, which of course includes addressing system criticality, backups and retention, as well as assuring that all workforce members and third parties have least privilege (or "minimum use" as referred to by HIPAA standards) access.
MPA: What HIPAA risks are at stake?
Montez: All of them. HIPAA is a regulatory "floor"; it is a starting point for providers to begin to understand how protected health information should be protected. The HIPAA Security Rule in particular is predicated on the provider understanding risk. Providers who don't have a risk analysis strategy or risk management program cannot adequately address the HIPAA Security Rule. To be clear, that is not to say that they don't have good security, since being HIPAA-compliant and having "good" security may not necessarily be the same thing. Procedurally, an ad-hoc risk management strategy can be vulnerable.
MPA: What is one next step providers should take now in response to this incident?
Montez: Each provider should look at their risk management program and decide if it is adequate. If you have some technical knowledge holes, you need to find someone reputable to assist you in bolstering that knowledge. One of the first issues should be to look at and define what is critical to your organization; moreover, also document the dependencies of those critical systems. Then define how much loss of that system you can tolerate and how long your organization can survive without that system before it becomes irreversibly detrimental. Create mitigating steps to bridge whatever is your present-day reality to that point at which the organization can accept that risk.
Thank you, Montez.
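The steps in the last answer (define critical systems, document their dependencies, state how long the organization can survive without each, then bridge the gap to present-day reality), as an added worked example that is not from the interview or Keystone IT: a small Python business-impact model with a constructed inventory for a hypothetical clinic (system names, hours and dependencies are all assumptions) that propagates each system's tolerable downtime along its dependencies and reports where today's restore time falls short.

```python
from collections import defaultdict

# Constructed inventory for a hypothetical clinic; all hours are assumptions.
# mtd      = maximum tolerable downtime the business stated for that system alone
# recovery = how long a restore from backup takes today (present-day reality)
SYSTEMS = {
    "ehr":        {"mtd": 4,   "recovery": 24, "depends_on": ["database", "directory"]},
    "database":   {"mtd": 48,  "recovery": 12, "depends_on": ["file_share"]},
    "directory":  {"mtd": 72,  "recovery": 8,  "depends_on": []},
    "file_share": {"mtd": 72,  "recovery": 36, "depends_on": []},
    "billing":    {"mtd": 120, "recovery": 24, "depends_on": ["database"]},
}


def effective_mtd(systems):
    """Propagate tolerance through the dependency graph.

    A system's own MTD is only part of the picture: if the EHR must be back
    within 4 hours and it needs the database, the database inherits that
    4-hour limit regardless of what was stated for the database on its own.
    """
    dependents = defaultdict(list)  # system -> systems that rely on it
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            dependents[dep].append(name)

    memo = {}

    def visit(name, path):
        if name in memo:
            return memo[name]
        if name in path:  # dependency cycle in the inventory: stop at own MTD
            return systems[name]["mtd"]
        mtd = systems[name]["mtd"]
        for d in dependents[name]:
            mtd = min(mtd, visit(d, path | {name}))
        memo[name] = mtd
        return mtd

    return {name: visit(name, frozenset()) for name in systems}


def recovery_gaps(systems):
    """Systems whose current restore time exceeds their effective MTD,
    with the number of hours that mitigation has to close."""
    eff = effective_mtd(systems)
    return {n: s["recovery"] - eff[n]
            for n, s in systems.items() if s["recovery"] > eff[n]}
```

In the sample, the 4-hour limit on the EHR pulls the directory, database and file share down to 4 hours as well, so the 36-hour file-share restore is the largest gap even though the business rated that system as tolerating three days of outage on its own.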