Hollywood Presbyterian Hospital in Los Angeles, California recently made news when it was forced to pay forty bitcoins – that’s about $17,000 USD – to regain access to its electronic medical health records. Hackers seized control of the hospital’s computer systems and would only give back access when the money was paid. The hackers used malware to infect the institution’s computers, preventing hospital staff from being able to communicate from those devices.
Federal records show that since 2010, at least 158 institutions, including medical providers, insurers and hospitals, have reported being hacked or having information technology issues that compromised patient records. Cyber attacks on medical facilities have become more common in recent years as hackers pursue personal patient information they can use for fraud schemes.
In fact, a few days prior to the attack on Hollywood Presbyterian Hospital, the Office for Civil Rights (OCR) released an email on ransomware and preventing ransomware infection as part of its cyber security awareness initiative. Ransomware is a type of malware that can infect systems, encrypt files, or otherwise block users from their data until the institution or person pays a ransom to regain access. As with any malware, the avenue of attack can be email, open remote connection ports, and more.
As hackers develop new tools to access information, an increasing number of providers will be targeted and ransom demands will escalate, jeopardizing both medical facilities and patients. Focusing on technical cyber security protection, workforce training, and comprehensive risk analysis and management will enable covered entities and business associates to better withstand attacks and reduce vulnerabilities.
When focusing on cyber security protection, an organization must assess its current security measures and risks, and develop an implementation plan accordingly. Technical security measures and solutions must be reasonable and appropriate for the organization, with the decision for each solution documented and rationalized. This typically includes using authentication controls to verify that the person signing onto a computer is authorized to access that personal health information, or encrypting and decrypting data as it is being stored and/or transmitted. Security measures and documentation should be reviewed periodically to ensure they reflect environmental and operational changes that can affect the safety of patient data.
In addition to technical protections, workforce training is the second line of defense against malware, such as ransomware. In fact, the HIPAA Security Rule requires security awareness and training for workforce members of covered entities. Regular bulletins with short examples of malware attacks or guidance on assessing and responding to malware incidents, along with training focused on recognizing malware and emphasizing best practices in email and Internet security, will help protect healthcare providers and organizations against successful malware attacks.
The importance of risk analysis and management plans cannot be overstated. A proper risk analysis will identify any gaps in device security and server security, making sure that a medical facility or business associate is not vulnerable to attacks by hackers via malware.
Caitlin Morgan provides Cyber Liability insurance solutions to a broad spectrum of industries, including healthcare, one of our core competencies. We can design policies for your insureds that include first- and third-party coverage as well as cyber extortion reimbursement for perils including credible threats to introduce malicious code; pharm and phish customer systems; or corrupt, damage, or destroy the computer system. Give us a call at 877.226.1027 to learn more about our solutions.