Imagine your marriage and family therapy practice being live broadcast. That is what happened to a dental practice in Toronto that learned its practice activities were being live-streamed in Russia, on a site called “insecam.org”, unbeknownst to the staff and the clients captured on its security camera. The practice had installed a wireless security camera system after a break-in but left the default password intact, which let the Russian site access the live feed and stream everything that occurred in the office, including patient and staff activities and a clear view of private information on computer screens. The surprised dentist has since secured the cameras, and the live feed has thankfully ceased (Russell, 2017).
Don’t have a security system in your office? How about a printer? In the UK a bored teen hacked 150,000 printers, leaving them with artwork and a message that said “For the love of God, please close this port” (Matthews, 2017). An office printer that still has its default password can invite a hacker in to see everything you have scanned, copied, or printed on it. Hackers can look at IP addresses within a network, scan all the devices, and find holes in the security and default passwords (Attwell, 2016).
Now imagine that you log in to get your client records, only to be faced with a computer screen informing you that your client data has been encrypted and stolen, and that if you want it back you must pay $1,300. This is exactly what happened to a small Midwest mental health organization that later became our client. All of its client records were held for ransom, and because it had not taken security precautions, it had no choice but to pay the ransom to get the records back.
Cybercrime is on the rise and is changing daily. Ransomware has become an all-too-common occurrence. Ransomware is a type of malicious software that attempts to deny access to a user’s own data by encrypting it, with the hacker holding the decryption key until the ransom is paid. Users will typically encounter a screen that gives them directions for paying a ransom to retrieve their data, often in a crypto-currency such as Bitcoin which is not trackable. It is uncomfortably common in health care settings, including mental health care. Hollywood Presbyterian Medical Center in California was locked out of its electronic health records for a week, and providers were forced to revert to pen and paper until the hospital was finally forced to pay the requested ransom to the hackers. Even an electronic health record vendor, Greenway Health, which provided electronic health records to 400 client organizations, was hit with ransomware, forcing its clients to revert to manual processing of health records while it worked to restore access to the cloud-hosted systems (Davis, 2017). If ransomware hits unsecured data, you must also report the breach to the Department of Health and Human Services.
So, what can you do to prepare? HIPAA compliance can go a long way in helping you fight against ransomware and other threats to your protected health information. Some HIPAA requirements that can specifically assist in thwarting cyber-attacks include:
Perform (and re-perform) the Security Risk Assessment (45 CFR 164.308(a)(1)(ii)(A)). If you have not done your HIPAA-required Security Risk Assessment, you are out of compliance with the most basic HIPAA regulation of all. The Security Risk Assessment is the cornerstone of your HIPAA compliance program. The HIPAA security regulations require all covered entities and business associates to conduct an accurate and thorough Security Risk Assessment (SRA) in which you evaluate all the potential risks to the confidentiality, integrity, and availability of your electronic Protected Health Information (ePHI). Your HIPAA policies and procedures are then crafted with your specific risks and vulnerabilities in mind so that you can best protect your data. The Department of Health and Human Services provides tools for the security risk assessment, and it is recommended that the assessment be done according to the standards set forth by the National Institute of Standards and Technology (800-30 v2). The SRA should be done at least annually and updated whenever you experience a security incident or breach. If you go to HHS.gov and look at their breach reporting, you will find that in nearly every case where a large fine was rendered, the covered entity or business associate had not performed the required Security Risk Assessment.
Install Anti-Malicious Software Updates and Security Patches Regularly (45 CFR 164.308(a)(5)(ii)). Antivirus software and software firewalls should be installed, and all software should be patched regularly, with known-bad traffic blocked. Default logins and passwords should be removed from your IT system, unnecessary services disabled, and ownership permissions set. For larger organizations, network vulnerability scans on systems containing or accessing ePHI should occur, and intrusion detection software should be considered. In 2014, Anchorage Community Mental Health Services (ACMHS) paid a $150,000 fine to the Department of Health and Human Services because it suffered a breach in which the protected health information of 2,743 individuals was compromised in a security incident. ACMHS not only failed to do the required security risk assessment but also failed to identify and address basic risks, such as updating its IT resources with available patches; the Office for Civil Rights (which investigates HIPAA breaches) found that it was running outdated, unsupported software. Then-OCR Director Jocelyn Samuels warned that “Successful HIPAA compliance requires a common-sense approach to assessing and addressing the risks to electronic Protected Health Information on a regular basis.” (Health and Human Services, 2014).
Have Security Incident Response and Reporting (45 CFR 164.308(a)(6)(ii)) planning in place. What is your plan of action to mitigate the damage from a cyber-attack? For ransomware, it is recommended that you immediately disconnect Wi-Fi and unplug the affected computer from the network. Be sure you document your response to any security incident.
Be Certain you have a Workable Contingency Plan (45 CFR 164.308(a)(7)(i)) in place to respond to the emergency of ransomware. This typically means having a way to operate via a backup system, or using paper records, while your EHR system is restored.
Have a Data Backup Plan (45 CFR 164.308(a)(7)(ii)(A)) and be sure you back up your system with sufficient redundancy (i.e., enough generations of backups that you can find a “clean” backup not infected by the ransomware), so that you can create retrievable, exact copies of your ePHI in the event of an emergency such as a ransomware attack. Backups should be kept off premises (or be cloud-based). Know what critical data you will need to have restored quickly to remain operational.
Test and Revise your Procedures (45 CFR 164.308(a)(7)(ii)(D)). Be sure you have tested your contingency and restoration procedures so that you know they work. Each workforce member should understand their role in the plan should your system go down. Policies and procedures should be revised as needed.
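The two requirements above, sufficient backup generations to find a clean copy and a tested restore, can be checked mechanically. The following is an added example, not code from the article or from any EHR vendor: it models a constructed ten-day backup history (the dates, file contents and the infected day-7 copy are all made up), verifies each copy against the checksum recorded when it was taken, and picks the newest verified copy that predates the infection, preferring an offsite copy. It also checks that the retention window is longer than the time the ransomware sat undetected.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

@dataclass
class Backup:
    taken_at: datetime
    location: str          # "onsite" or "offsite"
    payload: bytes         # constructed stand-in for the backup archive
    recorded_sha256: str   # checksum recorded when the backup was taken

def make(taken_at, location, payload):
    return Backup(taken_at, location, payload, hashlib.sha256(payload).hexdigest())

def verify(b):
    """Restore test: re-hash the stored copy and compare with the recorded checksum."""
    return hashlib.sha256(b.payload).hexdigest() == b.recorded_sha256

def clean_candidates(backups, infection_time):
    """Verified backups taken before the infection, newest first; offsite wins ties."""
    ok = [b for b in backups if b.taken_at < infection_time and verify(b)]
    return sorted(ok, key=lambda b: (-b.taken_at.timestamp(), b.location != "offsite"))

def newest_clean(backups, infection_time):
    c = clean_candidates(backups, infection_time)
    return c[0] if c else None

def retention_sufficient(retention_days, infection_time, detection_time):
    """Retention must reach back further than the ransomware sat undetected."""
    return timedelta(days=retention_days) > detection_time - infection_time

# Constructed sample: nightly onsite backups at 02:00 for ten days plus an
# offsite copy every second night.
BASE = datetime(2017, 6, 1, 2, 0)
SAMPLE = [make(BASE + timedelta(days=d), "onsite", f"records-day{d}".encode())
          for d in range(10)]
SAMPLE += [make(BASE + timedelta(days=d), "offsite", f"records-day{d}".encode())
           for d in range(0, 10, 2)]
# Constructed failure: the day-7 onsite copy was overwritten on the infected file server,
# so its stored bytes no longer match the checksum recorded at backup time.
SAMPLE[7].payload = b"encrypted-garbage"
INFECTION = BASE + timedelta(days=7, hours=10)    # day 7, noon
DETECTION = BASE + timedelta(days=9, hours=7)     # staff notice two days later

if __name__ == "__main__":
    best = newest_clean(SAMPLE, INFECTION)
    print("restore from:", best.location, best.taken_at)
    print("3-day retention enough?", retention_sufficient(3, INFECTION, DETECTION))
```

Run against the sample, the corrupted day-7 copy fails verification and the day-6 offsite copy is selected, which is exactly the "clean backup" the requirement asks you to be able to find.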
Provide Workforce with Security Awareness Training (45 CFR 164.308(a)(5)). Ransomware threat vectors exploit the human element; every practice needs a training program that ensures everyone with access to ePHI is trained in ways to reduce the risk of improper access, use, and disclosure of ePHI. This includes information on the various forms of phishing and other cyber risks they may encounter. Most ransomware gets installed by an unsuspecting user clicking on phishing bait in an email; educate your workforce about these risks! (Be sure to keep training logs and materials for the required 6 years.) Ensure your workforce knows what to do if a malicious event occurs.
Manage Passwords (45 CFR 164.308(a)(5)(ii)(D)). Be sure staff are not sharing passwords, and have policies and procedures in place for creating, changing, and safeguarding passwords. Users should know how to create and safeguard a secure password. Password sharing, writing down of passwords, and passwords known to others should be prohibited.
Consider a Network Vulnerability Scan and Penetration Testing (45 CFR 164.306(a)(2)). While the HIPAA regulations do not explicitly require that you conduct a network vulnerability scan or penetration testing, they do require you to “Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.” Larger organizations in particular should consider this action. Clearly, the rapidly growing number of ransomware attacks leads us to conclude that it is reasonable to anticipate such an attack. OCR has also published guidance classifying any successful ransomware attack as a breach, giving more credence to the need to conduct vulnerability scans and penetration testing. In addition, NIST has issued a recommendation for HIPAA that says, “Conduct trusted penetration testing of the effectiveness of security controls in place, if reasonable and appropriate. This validates your exposure to actual vulnerabilities.”
These items should already be part of your HIPAA compliance, but as threats evolve, each entity’s security risk management plan must be re-evaluated with the new threat landscape in mind. It requires all of us to stay on our toes as threats to the security of ePHI evolve. Strong HIPAA compliance means updating your Security Risk Assessment at least annually, whenever you have a breach, or whenever new threats to your ePHI are identified. While it is hard to stay abreast of all threats, we need to keep our ear to the ground and stay vigilant as more threats and vulnerabilities to ePHI are exploited by the cyber-criminal element.
Davis, J. (2017, April 28). Greenway Health hit by ransomware attack. Healthcare IT News. Retrieved from http://www.healthcareitnews.com/news/greenway-health-hit-ransomware-attack
Health and Human Services (2014). HIPAA settlement underscores the vulnerability of unpatched and unsupported software. Retrieved from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/acmhs/index.html
Matthews, L. (2017, February 6). Hacker forces 150,000 printers to print a warning to their owners. Forbes. Retrieved from https://www.forbes.com/sites/leemathews/2017/02/06/hacker-forces-150000-printers-to-print-a-warning-to-their-owners/#163a6c2c5549
Russell, A. (2017). Russian website streaming hundreds of cameras in Canada, experts warn your connected devices could be at risk. Global News. Retrieved from https://globalnews.ca/news/3900530/canada-unsecured-surveillance-cameras-what-you-need-to-know/
Lorna Hecker, PhD, LMFT, CHPS, has authored the book HIPAA Demystified: HIPAA Compliance for Mental Health Professionals (2016). She is a professor emeritus in the MFT program at Purdue University Northwest and director of educational services at Carosh Compliance Solutions in Crown Point, Indiana. She is an AAMFT Clinical Fellow and Approved Supervisor, and is certified in healthcare privacy and security through the American Health Information Management Association.