Doctors Decide to Retire Rather Than Pay Ransom or Restore Systems
A small Michigan medical practice that plans to permanently shut down in the wake of a recent ransomware attack is an example of the devastation that can result from a serious cyberattack.
The two-doctor practice lost access to patient medical records, billing, scheduling and other critical data after ransomware attackers encrypted the data. Rather than pay a ransom to get a decryption key or attempt to restore the data, the physicians decided to retire early and close down the practice for good.
The decision to shutter Brookside ENT and Hearing Services, based in Battle Creek, Michigan in the aftermath of the attack appears extreme, some security experts say. But it’s an example of the distress many healthcare entities – especially small and mid-sized providers – are facing as ransomware attacks continue and hackers become more sophisticated.
When it comes to the kinds of cyberattacks hitting entities, “ransomware is number one right now. It’s getting uglier out there, not better,” says technology attorney Steven Teppler, a partner at the law firm Mandelbaum Salsburg P.C.
“The option to close up shop and not pay the ransom neither absolves legal responsibility either under HIPAA … or [from] a negligence/unfair business practice legal action.”
—Attorney Steven Teppler
While ransomware attacks are menacing entities across all industries, “healthcare organizations are perhaps the lowest hanging fruit because of the immediacy and severity of the effects – inability to treat/diagnose patients, which in turn can endanger health,” he says.
A recent report by specialist insurer Beazley found that healthcare was the sector most targeted by cybercriminals in 2018, based on a study of its clients.
But while smaller healthcare entities that have more limited security resources appear to be among the most vulnerable, entities of all sizes are being targeted, including those with deeper financial pockets, Teppler says.
“Ransoms are easily reaching into the six-figure range. The criminals are basically doing their homework on what a business does, and looking at its size and financials metrics,” he says. “If you say, ‘We don’t have money,’ the attackers will say, ‘You have a lot of money; we checked.'”
The attackers that hit Brookside ENT and Hearing Center demanded a $6,500 ransom for the decryption key, according to local news site WWMT West Michigan.
But rather than pay the ransom or try to rebuild its systems from the ground up, the practice’s two main physicians decided to retire early, according to WWMT.
A Brookside ENT and Hearing Center office worker who answered the phone on Tuesday confirmed to Information Security Media Group that the practice was shutting down permanently, tentatively on April 30, due to the impact of the ransomware incident. She declined to discuss other details. Efforts by ISMG to reach the practice’s two doctors for comment were unsuccessful.
“Sometimes the cost of recovery can be staggering for small entities,” says Mac McMillan, president of security consulting firm CynergisTek.
He suspects other small healthcare entities have shut down or taken other dramatic steps after devastating ransomware attacks. “It does happen more times than you hear of publicly. Most absorb the cost as best they can and rebuild or look for an opportunity to merge or be acquired,” he says.
But even if a victim of ransomware decides to call it quits, as Brookside ENT and Hearing Center has done, that doesn’t relieve it from its regulatory obligations to safeguard patients’ records, Teppler says.
“The option to close up shop and not pay the ransom neither absolves legal responsibility either under HIPAA – which may categorize a ransomware attack as a reportable security incident – or [from] a negligence/unfair business practice legal action,” he says.
“It also speaks to a poor data protection/backup policy, which can add accelerant to legal action. As to the doctors who just shut their doors, the failure to maintain either the availability or integrity of PHI – assuming that patient records were not in paper form – in my view, clearly invokes HIPAA proscriptions and could lead to regulatory investigation from [the Department of Health and Human Services’ Office for Civil Rights]. “All it takes is a complaint from one of their patients.”
It’s wrong to assume that a ransomware attack does not qualify as a reportable data breach under HIPAA because personally identifiable information or protected health information was not exfiltrated, Teppler notes.
“Unless a thorough cyber forensic analysis is undertaken, the possibility exists that an additional infiltration and exfiltration of personal information has taken place, and that the cybercriminals are taking two bites of the apple,” he says. “It would be a mistake to merely assume that no exfiltration had taken place when a ransomware attack has occurred.”
In fact, in 2016, OCR issued guidance advising covered entities and business associates that in most cases, ransomware attacks qualify as reportable health data breaches under HIPAA.
Ransomware attacks also have had a major impact on some much larger healthcare organizations.
In some attacks, organizations have had to postpone, divert or cancel patient services as entities struggle to recover from attacks.
Also, some experts worry about the potentially serious patient safety impact of ransomware attacks affecting medical devices.
“This means that healthcare entities will need to really spend time and money to segment their networks to protect these devices, since it will be several years before medical devices in general are stronger against cyberattacks,” notes former healthcare CISO Mark Johnson of the security consultancy LBMC Information Security.
So how can healthcare entities avoid the devastating outcomes from ransomware attacks?
“Incorporate a backup regime that includes ‘cold’ backups that are not connected to the network, so that if some of the more sophisticated ransomware attacks kill off an entire network … you have some backup to restore, even if there is some data lost – days or a week’s worth instead of years,” Teppler says. Entities should also test backups on a routine basis – and consider obtaining cyber insurance, he adds.
McMillan offers other advice: “Encrypt, apply multifactor authentication, protect your endpoints, monitor your network and educate your users.”
Date: April 09, 2019