When cyber extortionists hit the Tennessee Orthopedic Alliance with a ransomware attack, the IT professionals at the sprawling healthcare system didn't know it at the time, but they had already protected their system.
The incursion by the now infamous "CryptoLocker" virus came two weeks ago and stung a medical assistant working at her PC at the Nashville-based group, which is one of the biggest orthopedic practices in the country, with more than 50 dedicated orthopedic physicians and surgeons.
The ransomware program -- which had disguised itself as a FedEx email message -- instantaneously disabled the computer and demanded escalating ransoms starting at $500.
But the victims never paid. They didn't have to, because CIO Rachael Britt-McGraw had built a system that instantly maps user documents to a central server so the material never resides on PCs, and the ransomware was quarantined to the infected computer. The terminal was later re-imaged, and no data was lost.
"This is truly a nasty, nasty virus," Britt-McGraw said. "It could have been anyone who got hit. It doesn't come into your environment unless one of your users invites it in with a click and the machine becomes completely and utterly inoperable."
Ransomware on federal HIPAA enforcer's radar
Meanwhile, this malicious new threat to medical data security has surfaced for the first time in a federal report on data breaches involving private healthcare information.
Ransomware has been getting mainstream media attention lately with attacks such as the one on the Tennessee orthopedic group. The Russian-based CryptoLocker – which was first identified in 2013 -- was believed to be shut down by federal authorities earlier this summer, but new strains of the ransomware program, such as CryptoDefense, have also cropped up around the world. An early variant of the new-school malware hit an unidentified healthcare IT user in 2012, according to a report from the U.S. Department of Health and Human Services Office of Civil Rights (OCR).
Interestingly, data breaches involving paper documents comprised only 12% of losses in 2012, down markedly from previous years.
While most breaches in 2012 involved theft of computers and other devices, the largest breach that year by far was from hacking, under which ransomware falls, according to the OCR's breach report. It involved an attack on an unencrypted network server containing protected health information (PHI) for 780,000 people. In a smaller but similar incident, the OCR reported that a HIPAA-covered entity discovered that "files containing PHI were corrupt and inaccessible, and later received a "ransom note" to restore access to the files."
Stu Sjouwerman, founder and CEO of KnowBe4, a Clearwater, Florida, firm that focuses on ransomware prevention training and consulting (and even offers to pay ransom for clients that get victimized) said ransomware can sting healthcare IT operations just as easily as any sector.
"As a criminal enterprise, [extortion is] several thousand years old, but ransomware is just a new version of an old threat," Sjouwerman said.
The ransomware program usually relies on ruses to get individual users to open malicious email or voicemail attachments, and most often attacks small- to medium-sized enterprises as a high-volume, low-cost strategy, which is why ransoms are relatively small.
Specialized employee training, accompanied by thorough and frequent data backups, can be the best defense against ransomware, Sjouwerman said. "The problem with backups is they fail a lot. People think they work, but they don't," he said.
When the ransomware extortionists strike, "you pay the ransom and you hope for the best," he said. Generally, the ransomware criminals follow through and unlock the data, Sjouwerman said. They are not interested in selling it, just collecting the ransom.
"Strangely enough, these guys are concerned about their reputations," Sjouwerman said.
HIPAA concerns get CIOs' attention
Provider CIOs have been most worried about losing patients' sensitive medical data in the kind of breaches that attract big, punitive fines from the OCR.
But threats posed by ransomware attacks have already grabbed the attention of some provider CIOs, including Shafiq Rab, M.D., CIO of Hackensack University Medical Center in New Jersey.
Rab said he believes theft of an unencrypted laptop -- or theoretically, a ransom demand on an organization that has not prepared for ransomware -- should be reportable and could result in HIPAA violation fines but only if PHI covered by HIPAA is exposed, he said.
"In my opinion, if the PHI is not affected, it's not a breach," he said.
Even so, "ransomware is [absolutely] a threat, not only on personal computers, but also on cellphones," he said, referring to the recent Australia-based ransomware attacks that locked up users' iPhones.
At the New Jersey hospital system, employees are trained not to open suspicious attachments, and employees' computers and terminals are disabled from downloading unapproved software.
"At our place, end users cannot install anything," Rab said.
Backups crucial to ransomware defense
Hackensack University Medical Center also encrypts and backs up all EHR data daily, and has started to use synchronous, real-time backups. And, if a mobile device is lost or stolen, Rab's staff can wipe it clean and restore information that was current to at least the day before.
Rab said he'd love to see full-time synchronous backup of all his data, but it's cost-prohibitive.
As for Britt-McGraw, her advice to other CIOs is, other than to pray for the best: Use a data mapping strategy similar to hers, and keep live data off remote terminals.
Decreased infection rates of CryptoLocker a temporary fix
Hacking demo at 2013 mHealth Summit simulates mobile risks
Top mobile healthcare applications prioritize security