When most people hear the term ransomware, they think of high profile healthcare attacks where patient files have been encrypted, or cities forced to pay a hefty ransoms in hopes of regaining access to systems. As harsh as these realities have been, there is a much deeper side to the potential impact of a malware infection. For organizations under obligations to meet HIPAA compliance, a malware attack can have fallout far beyond simply losing access to your systems. Leveraging new attack methodology, cyber criminals can expose, exfiltrate, and even publish patient data, adding the impact of HIPAA noncompliance to their list of risks.
Malware Has Evolved
In recent years, malware has taken on a number of forms and uses well beyond simply encrypting files and delivering ransoms. For example, it can be used as part of a multi-layered attack that may establish two-way communications between the victim’s systems and the attacker’s, allowing them to send executables and receive data. Additionally, credentials may be harvested while attackers are inside your systems, resulting in business email compromise (BEC), lateral navigation, and/or privilege escalation. You want to familiarize yourself with and think through all the possibilities, including the 3 most common methodologies used in these scenarios– malspam (spam emails that carry and deliver malware) campaigns, brute force attacks, and exploit of remote vulnerabilities. Collectively, these layered, typically longer attack types are termed “low and slow”, and they are definitely something to keep in mind when looking at the bigger picture of how you are going to protect yourself.
Among the more straight-forward attack types that can expose sensitive data using malware is extortionware, where attackers will access sensitive data sets through a malware attacks, then threaten to release that sensitive data publicly if their demands are not met. Of course, when you are dealing with criminals, you have to be prepared for the potential that sometimes your data will be released regardless of whether or not you meet attackers’ demands. Either way, the fact that malware can give criminals access to your most sensitive data sets should be worrisome enough to mitigate the risks, especially if you are under HIPAA compliance.
If your organization sends, receives, stores, or otherwise processes Patient Health Information (PHI), such unauthorized access and potential release of that data would put you out of compliance and could result in major fines. HIPAA is designed to protect patients’ rights, and having a medical condition or diagnosis released publicly could be catastrophic for any individual. So, this kind of scenario would most definitely gain the attention of regulators and auditors at the Office of Civil Rights (OCR), whose charge is to protect individual patients by holding violators of HIPAA compliance accountable. Especially in the midst of a pandemic, HIPAA violations and gaining the attention of the OCR is not an issue any healthcare organization wants.
What about antivirus?
The way traditional antivirus works is through signatures. Essentially, a signature is like a fingerprint or pattern associated with a malicious attack. For recognized attack types, including malware strains, signature-based malware detection software (antivirus) looks for these signatures in order to quarantine, block, or otherwise protect your endpoints from the known attack. The problem with signature-based technology is that attackers know you will be looking for them, so they are constantly evolving malware strains in order to evade detection. Further, they may find other avenues to get the malware delivered and executed that include approved behaviors and signatures to get in the door. In fact, some attacks are so advanced that they will even withstand sandboxing capabilities, and if attackers want to get into your systems, they will absolutely keep trying everything until they succeed. What many organizations are turning to now are solutions backed by 24/7/365 security operations centers (SOCs), like managed detection and response (MDR), extended detection and response (XDR), or security information and event management (SIEM) solutions. When backed by human security analysts in a SOC, these solution types are designed to identify behavioral anomalies, investigate unusual outcomes, and even leverage (government, public, and private) threat feeds to actively look for the presence of attackers in your environment based on what security professionals in various communities have seen happening elsewhere.
So, while having antivirus deployed on your endpoints is certainly better than doing nothing to protect yourself, you may still become the victim of a well-designed malware attack unless you have other ways to identify and remediate attacks that slip through the cracks.
In a 2021 healthcare provider’s facility, what are the risks of getting hit with malware?
A modern healthcare facility can have any number of avenues for attack, or attack vectors, and the pandemic has only widened people’s attack surfaces. For example, a hospital has countless, internet-connected and/or network-connected devices floating around, from laptops used to collect patient information in the ER, to iPads used by doctors and nurses, to desktop computers in every department, to smart patient monitors and infusion machines designed to be read and managed remotely. Then you have every single employee of the hospital who has an email address and could be the victim of malspam or phishing, and many of the nonessential teams, such as accounting or administration, may be working from home right now. Any employee working from home could be outside corporate security controls when they are not connected to the corporate network. For example, do they use their laptop for anything other than connecting to the network? If so, depending on how remote connectivity is engineered, there are likely to be times the machine is completely vulnerable and open to attack while connected to the internet.
In laboratories, equipment manufacturers, and other healthcare-related technology or service providers, those risks will look a little bit different, but the liability is going to be similar. No one wants to be the avenue for a supply chain attack, where cyber criminals use your technology or your company’s environment to get into your partners’ and/or clients’ environments, ultimately exposing or even stealing patient data. It’s bad for branding, bad for sales, bad for compliance, and definitely bad for your risk profile with investors. There have been instances in recent years where a cyber attack resulted in stock value drops, which is why a number of venture capitalists now require companies to achieve SOC2 compliance and validate their security before or soon after taking them on as an investment.
Finally, you have to think about medical practices. Doctors’ offices are notorious for doing the bare minimum on IT and security, focusing on functionality for their processes only and putting compliance efforts towards human training. Those things are still important, but with the addition of telehealth applications and new ways to use technology for remote treatment, cybersecurity and protecting those patient sessions or data being transmitted is likely not top of mind. So, while technology is helping prevent the spread of COVID-19 and helping to reach patients who would otherwise be at risk or unable to be treated in-person, their data may be absolutely exposed to attack. How many doctors’ offices, for example, use a professional 3rd party cybersecurity and compliance vetting process to evaluate those providers before implementing new technology and applications? I’m betting those numbers are very low, at best.
What does HIPAA require of organizations in order to protect PHI?
As defined by Health and Human Services, the HIPAA Privacy Rule and the HIPAA Security Rule establish a set of “national standards for the protection of certain health information”,
[including] health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
Specifically, covered entities are required to:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
Additionally, the HITECH Act of 2009 added business associates, or those who are contracted as partners and vendors working with organizations under HIPAA compliance requirements, to also comply with the same expectations for privacy and security. Through Business Associate Agreements (BAAs) these 3rdparties are under legal contractual obligation and can be liable if they are found to be out of compliance and/or negligent.
Differing from standards like those established in the Payment Card Industry (PCI), HIPAA is not prescriptive. In other words, it’s more about putting reasonable measures in place than about a specific set of standards everyone is required to follow. The benefit with this model is that organizations can evaluate the risks posed to PHI in their environment and implement security and privacy controls, including policies, procedures, and technologies, aligned to their size and the data sets they are collecting, storing, or processing. The downside to this model is that organizations often underestimate what it takes to truly secure all the places where PHI may live in their environment. There are a number of specific areas when it comes to HIPAA compliance and security/privacy, and while I won’t take a deep dive on that here, they include access control, device and workstation security, audit controls, transmission security, and more.
Getting back to the topic of malware, the reality is that when put under the OCR microscope, most organizations are out of compliance in one place or another. That’s why larger covered entities work with professionals who are able to help them identify and remediate gaps, and sometimes even communicate with the OCR on their behalf during an audit. They know that fines can be monstrous, and getting hit by malware will only trigger new reporting requirements and gain the attention of auditors. In short, malware can have a major effect on a covered entity’s HIPAA compliance standing, because the one thing they are tasked with protecting– PHI, is the one thing malware-related cyber attacks are likely going for.
How can people protect themselves against malware?
Putting measures in place to protect yourself against a malware attack is not only recommended, but essential as part of your ongoing cybersecurity and overall HIPAA compliance strategy. For detailed specifics, you can see a white paper some of my teammates and I recently put together to help you mitigate risk in your environment. It lays out a number of malware strains seen in the last year, addresses specifics around configurations steps to take, and a layered approach. I would recommend that as a starting place. You may also wish to consider monitoring and remediation solutions that makes sense for the size of your organization, your unique risks, your business partners or associates, your budget, and your data sets. Typically, these solutions will cost a covered entity far less than a cyber incident where PHI has been compromised.
If you would like to talk with someone about your organization’s potential risk, a HIPAA Risk Assessment, or how to better protect yourself against malware, you can request a consultation with one of our TRUE professionals.