Hospitals and health systems across the country have increasingly reported sophisticated malware attacks, many of which seem to originate from groups in Russia, China, and eastern Europe. These attacks generally fall into one of two broad categories. The first is an intent by the criminals to obtain names, addresses, and social security numbers of patients, which are then sold on the black market for the purposes of identity theft. The second is ransomware, wherein the criminals attempt to infect an individual workstation in the health system with a computer virus via a phishing attack. Once established, a ransomware virus will encrypt the entire healthcare system’s patient accounting and other systems, preventing anyone from accessing them. The encryption can only be removed by the health system when they purchase a “key” from the hackers via untraceable bitcoin.

Ransomware attacks are becoming increasingly common. In fact, a health system in the South was almost completely shut down for more than a week in the fall of 2019 before ultimately having to pay off the hackers. A further concern deals with the architects of these malware programs selling the software on the dark web and retaining a portion of the ransom paid as a “commission.” This process essentially transforms any low-level, would-be hacker into a sophisticated operator.

The sensitive nature of patients’ health records makes healthcare providers prime targets for a data breach. Additionally, both the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) codify the procedures that healthcare providers must follow to safeguard their patients’ health information. These organizations also impose substantial penalties for noncompliance or loss of patients’ protected health information.

Although malware attacks seem sophisticated, and the results are extremely costly to the victim, they are not difficult to employ. In fact, they are often triggered by something as simple as an employee opening an email or attachment that, unbeknownst to the employee, installs malware software.

So, how should a healthcare company prevent these malware attacks? Installing anti-virus and anti-spyware software is necessary, but only part of the solution. Malware developers are usually one step ahead of the anti-virus software creators. These types of developers understand the parameters of the software and create ways to circumvent them. Additionally, anti-virus and anti-spyware software are entirely dependent on the user correctly installing the software and keeping the licenses up-to-date.

With this in mind, the most critical step a healthcare entity can take is to conduct an annual global IT risk assessment of the health system—including an in-depth consideration of vulnerabilities, supplemented by penetration testing and frequent employee education.  Furthermore, back-up procedures must be implemented and followed. As in the case of a ransomware attack, the only way to move forward without paying the ransom may be to wipe the system clean and start over from the last back-up.

CRI can Help Protect You from a Healthcare Data Breach

When it comes to completing HIPAA and HITECH risk assessments, finding the right team with a range of expertise is crucial. These evaluations are designed to identify weaknesses in security procedures. Once potential vulnerabilities are discovered, recommendations can be provided for controls to reduce the risks and potential costs of data loss. CRI’s cybersecurity advisors hold a variety of credentials, including Healthcare Certified Information Systems Security Professionals (HCISSP) and Certified Information Systems Auditors (CISA). Learn more about how CRI’s healthcare CPAs may be able to assist your healthcare organization at any size.