Question

In: Nursing

Why are areas of a healthcare system particularly vulnerable to ransomware and should be especially protected? What might patients do to ensure their information is safeguarded?

Solutions

Expert Solution

A health system, also sometimes referred to as health care system or as healthcare system, is the organization of people, institutions, and resources that deliver health care services to meet the health needs of target populations.

1. The term ransomware refers to a type of malware used by attackers that first encrypts files and then attempts to extort money in return for the key to unlocking the data by demanding a ransom. These ransoms are most often requested in the form of bitcoins, a type of cryptocurrency. Because of the ability of bitcoin to make transactions accessible while protecting the anonymity of those involved, it has become the preferred currency for criminal activity, including that of ransomware hackers.

Ransomware is typically spread through fake emails that have been designed by the hacker to appear legitimate. These emails may contain a link to an infected website or include an attachment such as a Word document that contains macros. Once a link is clicked or a document is opened, the malware is downloaded and infects the machine quickly: estimates vary from seconds to 20 minutes. During this time, the malware searches the hard drive, network files, external drives, and cloud drives for all data that can be encrypted. After encryption, an electronic “key” is required to unlock the files; this key is saved by the hacker and is not released until the victim pays a requested amount or ransom.

Before 2016, healthcare organizations were not thought to be a primary target for ransomware. However, hospitals had become the target of ransomware and a total of 173 hacking/information technology (IT) incident data breaches had been officially reported by October 16, 2016. Hospitals have become an easy target for hackers for two reasons:

(1) The necessity of computer storage of information associated with patient care (e.g., electronic medical records) and

(2) The security holes in IT systems.

In fact, a report from Ponemon Institute in 2016 stated that 89 percent of healthcare organizations suffered at least one data breach involving the loss of patient data over a two-year period, and 45 percent had more than five such breaches. Also, the frequency of successful hacking of patient medical files increased from 55 percent in 2015 to 64 percent in 2016. When hit with ransomware, some hospitals have been desperate to pay the ransom because of their need for the most up-to-date information, such as drug interactions, care directives, and medical history, in order to provide critical care to patients. Accordingly, the healthcare industry is now considered to be at a substantial risk of a ransomware attack, mainly because it trails other leading industries in securing vital data.

Hackers have found it easy to attack hospitals with ransomware because of hospitals’ rapid adoption of IT without a concomitant increase in the number and sophistication of IT support staff. This IT adoption occurred after the government allocated funds for the Meaningful Use program, which encouraged the use of electronic health records (EHRs). With the Meaningful Use incentives, EHR utilization increased from 9.4 percent in 2008 to 96.9 percent in 2014.

When ransomware accesses patient data, cyberattacks on healthcare facilities become a much more significant problem. If a server or computer is not encrypted at rest and information is encrypted only during incoming and outgoing transactions, a ransomware virus could exploit this vulnerability and copy the information on the server. If this were to happen, the provider would be open to all the previously mentioned costs in addition to the cost associated with HIPAA data breach violations. In recent years, the number of cyberattacks on personal health information stored on the computer systems of healthcare facilities has been increasing rapidly; for an exhaustive review of recent ransomware attacks involving the unauthorized theft of patient health information.

Although the extent of illegally obtained patient health information collected varies by institution and by attacker, most facilities noted the loss of patient names, addresses, telephone numbers, email addresses, dates of birth, IP addresses, marital status, race, provider information, patient Social Security numbers, health insurance numbers, and mental or health condition or treatment information. In 2016, 34.5 percent of all identity thefts occurred as a result of breaches through the healthcare sector, second only to the business sector, which accounted for 45.2 percent of identified violations. However, the number of identity theft breaches associated with the healthcare sector has grown more quickly than in any other industry for every year.

The number of ransomware attacks and variants has increased substantially in recent years. Healthcare facilities have become a significant target for these attacks, and in response to this increase, it is crucial that they develop a proper disaster recovery plan and adequately educate their users on information security. With proper planning in place, a healthcare facility is not only more likely to survive an attack but also more likely to decrease costs associated with an attack and to mitigate the risk to its reputation.

10 steps that healthcare organizations can take to safeguard ePHI and ensure HIPAA and HITECH compliance as cloud computing evolves more fully into an industry mainstay.

1. Secure transmissions. One of the greatest points of security risk occurs when data is "in flight" from one provider to another via public or private cloud. Healthcare facilities should use a minimum of 128-bit encryption. Preferably, they should achieve advanced levels of AES 256-compliant encryption to safeguard sensitive data and the channel during transmission.

2. Perform annual risk assessments. Other highly regulated industries, like financial services, are required to conduct regular audits to ensure ongoing compliance. However, many healthcare organizations overlook this important step. With the growing adoption of cloud computing, organizations should consider hiring a third-party consultant to conduct thorough risk audits on an annual basis. These consultants can also implement ongoing monitoring tools to raise red flags instantly if potential security issues arise.

3. Enhance breach notification processes. Today, most breaches come to light when someone in the organization stumbles on one or more, or the media reports it as part of their headline-grabbing news stories. Only a small minority of facilities have sufficient breach-notification processes and alerting tools in place. That needs to change. Generally available monitoring software can instantly notify the appropriate security authorities immediately if or when a breach occurs.

4. Segregate data. In the event that systems are hacked or another security failure occurs, organizations must have additional layers of protection in place. Using control compliance tools, enterprises can isolate confidential data and store it in a scrambled or "garbage" format. That way, if hackers or other unauthorized persons get into the system, the data cannot be read in the original (or meaningful) format.

5. Implement user and session reporting. It's critically important to capture detailed data about users' logins and logouts, including time, number of successful and failed logins and the files accessed. HIPAA-compliant event or "sys log" tools can proactively monitor and analyze employee logins to EHRs and other systems to flag potentially unauthorized activities.

6. Beef up physical security. Besides virtual security, organizations must put controls in place to prevent physical breaches. Using SAS 70 Type II-compliant data centers can mitigate risk and ensure ePHI security. SAS 70 Type II compliance offers an extra level of security for video surveillance, access badges, biometrics and multiple layers of security authentication before access to ePHI is granted. Additionally, the multiple layers of authentication and access control provide the ability to audit, and audit logs should be reviewed routinely to identify unauthorized attempts and ensure that the appropriate security measures are in place. Last, these data centers are constructed to withstand natural disasters such as fires, hurricanes and earthquakes.

7. Establish clear access control policies. Health facilities should document and keep an up-to-date log of authorized insiders, including employees, providers and others who have access to ePHI. That way, security officials can quickly investigate if they suspect an insider was involved in a data breach.

8. Restrict areas where ePHI is stored. To provide extra layers of security, facilities should lock down servers and restrict areas where patient data is stored.

9. Adopt backup, disaster recovery and operational crisis plans. Encrypt all data stored in onsite locations as well as those backed up offsite. Take steps to ensure clear procedures and trained personnel are in place if a crisis or disaster occurs.

10. Protect data stored on a network. Many breaches occur when a single laptop is lost or stolen. Organizations can install security mechanisms to encrypt laptops and other devices should they fall into the wrong hands.


2. The bioethics principle of respect for persons also places importance on individual autonomy, which allows individuals to make decisions for themselves, free from coercion, about matters that are important to their own well-being.

There are a variety of reasons for placing a high value on protecting the privacy, confidentiality, and security of health information.

The more common view is that privacy is valuable because it facilitates or promotes other fundamental values, including ideals of personhood such as:

  • Personal autonomy (the ability to make personal decisions)
  • Individuality
  • Respect
  • Dignity and worth as human beings
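
For step 5 in the list above (user and session reporting), here is an added example that is not part of the original answer. It builds the per-user report that step describes (successful and failed logins, files accessed) and flags two patterns worth a reviewer's attention. The pipe-delimited log format, the event names, the sample lines and the threshold of 3 failures in 5 minutes are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (format is an assumption): time|user|event|detail
SAMPLE_LOG = """\
2024-03-04T08:01:12|nurse_a|LOGIN_OK|ws-12
2024-03-04T08:05:40|nurse_a|FILE_ACCESS|chart/1001
2024-03-04T08:30:02|nurse_a|LOGOUT|ws-12
2024-03-04T02:14:01|clerk_b|LOGIN_FAIL|ws-40
2024-03-04T02:14:09|clerk_b|LOGIN_FAIL|ws-40
2024-03-04T02:14:15|clerk_b|LOGIN_FAIL|ws-40
2024-03-04T02:14:31|clerk_b|LOGIN_OK|ws-40
2024-03-04T02:15:00|clerk_b|FILE_ACCESS|chart/1001
2024-03-04T09:00:00|tech_c|FILE_ACCESS|chart/2001
"""

def session_report(log_text, fail_threshold=3, window=timedelta(minutes=5)):
    """Summarise logins and file access per user and flag suspicious patterns."""
    events = []
    for line in log_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing their meaning
        ts, user, event, detail = parts
        events.append((datetime.fromisoformat(ts), user, event, detail))
    events.sort(key=lambda e: e[0])  # logs from several hosts may be out of order

    report = defaultdict(lambda: {"ok": 0, "failed": 0, "files": [], "flags": set()})
    recent_fails = defaultdict(list)   # failure timestamps inside the sliding window
    active = set()                     # users with an open session
    for ts, user, event, detail in events:
        r = report[user]
        if event == "LOGIN_FAIL":
            r["failed"] += 1
            fails = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            recent_fails[user] = fails
            if len(fails) >= fail_threshold:
                r["flags"].add("failed_login_burst")
        elif event == "LOGIN_OK":
            r["ok"] += 1
            active.add(user)
        elif event == "LOGOUT":
            active.discard(user)
        elif event == "FILE_ACCESS":
            r["files"].append((ts.isoformat(), detail))
            if user not in active:  # record access with no recorded login
                r["flags"].add("access_without_session")
    return {u: {**r, "flags": sorted(r["flags"])} for u, r in report.items()}
```

Calling `session_report(SAMPLE_LOG)` returns one entry per user; a flag marks the account for review and does not by itself establish that the activity was unauthorized.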


