- Type of attack: Ransomware attacks targeting healthcare providers
- Attack vector: Unconfirmed, but signs point to open remote desktop protocol (RDP) ports
- Damage/costs: A combined 352,744 patients have been informed their protected health information may have been compromised
Three healthcare providers just pulled off textbook recoveries from ransomware. They still may be facing lawsuits and millions in fines.
In the immediate aftermath of the attacks, everything went right. The infections were detected quickly. Compromised servers were immediately isolated and taken offline. Data encrypted during the attacks was successfully recovered from secure backups — not from negotiating with criminals.
It was exactly how you would hope responding to and recovering from a ransomware attack would go. Except for one big problem.
While no data had been irreversibly lost, no one could rule out the possibility that it had been viewed or exfiltrated. And because the targets of the attacks were healthcare providers, that created a very serious issue. Systems containing the protected health information (PHI) of their patients had been compromised. By law, the providers were required to let those patients know.
As a result, the three victim organizations — San Antonio-based ABCD Children’s Pediatrics, Urology Austin, and Milwaukee-based Metropolitan Urology Group — found themselves forced to notify a total of 352,744 patients to alert them that their personal data may have been exposed.
They issued press releases. They set up call centers to field questions about the breach. They offered to foot the bill for free credit monitoring and/or identity theft resolution services for up to a year. And all three reported the incidents to the U.S. Department of Health and Human Services (HHS), as required under HIPAA.
The cost of compliance? Because each incident affected 500 or more patients, they are now each publicly listed on the HHS Office for Civil Rights (OCR) breach portal — affectionately known in HIPAA circles as the "Wall of Shame".
In addition, the HHS will be investigating these breaches to determine whether they will issue any corrective actions or monetary fines. In the first three months of 2017 alone, the HHS has collected a total of $11,375,000 in fines from organizations judged to be noncompliant, at an average of $2.8 million per fine.
Facing those steep consequences, the fact that everything went right in terms of detecting and responding to the attacks is cold comfort. The practices' security tools may have successfully addressed the infections after the fact, but considering the big picture, it's impossible to see these three incidents as anything other than extremely damaging failures.
What went wrong: A closer look at all three attacks
ABCD Children's Pediatrics
- Attack date: February 6, 2017
- Notified patients: March 26, 2017
- Number of patients affected: 55,447
Despite employing a variety of security solutions designed to prevent attacks, including network filtering, firewalls, and antivirus, ABCD's servers were successfully infected with malware later identified as Dharma ransomware.
While it's unclear from the provider's press release exactly how the ransomware infection was initiated, signs point to a brute force attack targeting an open remote desktop protocol (RDP) port. Both Dharma and its "parent" variant Crysis ransomware have been increasingly tied to these attacks, which scan for open RDP ports and attempt to gain access by guessing weak or common username and password combinations.
The timing of a recent spike in these attacks is a fit, as well. According to researchers at Trend Micro, brute force RDP attacks distributing Dharma and Crysis doubled in January 2017. The most consistent target? Healthcare providers in the United States.
Distribution of RDP ransomware attack victims. Source: Trend Micro
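A defender-side check for the brute-force pattern described above, as an added example (not from the original article or from Trend Micro): it scans Windows Security log records for bursts of failed remote logons (event 4625) from one source and notes the first successful logon (4624) that follows, which marks the start of the period in which an attacker may have had access. The record layout, `make_event` helper, threshold, window and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624  # Windows Security log event IDs
# Logon type 10 = RemoteInteractive (RDP). Failed RDP logons are recorded as
# type 3 (Network) when Network Level Authentication is enabled.
REMOTE_LOGON_TYPES = {3, 10}

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed remote logons inside `window`
    and record the first successful remote logon from that IP afterwards."""
    recent, tried = defaultdict(deque), defaultdict(set)  # per-IP failures, usernames
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue  # local console, service and batch logons are out of scope
        ip, now = ev["ip"], ev["time"]
        if ev["event_id"] == FAILED_LOGON:
            tried[ip].add(ev["user"])
            q = recent[ip]
            q.append(now)
            while now - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in findings:
                findings[ip] = {"burst_start": q[0], "users_tried": tried[ip],
                                "first_success": None, "account": None}
        elif ev["event_id"] == SUCCESSFUL_LOGON and ip in findings:
            if findings[ip]["first_success"] is None:
                findings[ip].update(first_success=now, account=ev["user"])
    return findings

def make_event(ts, event_id, logon_type, ip, user):  # hypothetical record layout
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "ip": ip, "user": user}

# Constructed sample records, not taken from any real incident.
SAMPLE_EVENTS = [
    make_event("2024-01-15T02:00:00", 4625, 3, "203.0.113.50", "administrator"),
    make_event("2024-01-15T02:00:12", 4625, 3, "203.0.113.50", "admin"),
    make_event("2024-01-15T02:00:25", 4625, 3, "203.0.113.50", "frontdesk"),
    make_event("2024-01-15T02:00:40", 4625, 3, "203.0.113.50", "scanner"),
    make_event("2024-01-15T02:00:55", 4625, 3, "203.0.113.50", "frontdesk"),
    make_event("2024-01-15T02:01:30", 4624, 10, "203.0.113.50", "frontdesk"),  # guess worked
    make_event("2024-01-15T08:55:00", 4625, 10, "198.51.100.7", "drlee"),  # one typo
    make_event("2024-01-15T08:55:40", 4624, 10, "198.51.100.7", "drlee"),
    make_event("2024-01-15T09:10:00", 4625, 2, "-", "reception"),  # local console
]

for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
    print(ip, "logged in as", f["account"], "at", f["first_success"])
```

A finding with a non-empty `first_success` is the case that matters for breach assessment: from that timestamp until the server is isolated, access to the data on it cannot be ruled out.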
ABCD's intrusion detection system (IDS) helped to provide an early alert of the attack, which enabled their IT provider to act quickly and take the infected servers offline. Later, the IT provider was able to successfully replace all of the encrypted data with uncompromised backup data.
During the investigation of the incident, however, it was determined that attackers may have had access to the servers for a limited period of time (extremely likely if it was indeed an RDP attack). Though there was no direct evidence that confidential patient information was actually acquired or removed during the attack, ABCD could not rule out the possibility. That was enough to require them to notify all affected patients as well as HHS of the potential data breach.
Urology Austin
- Attack date: January 22, 2017
- Notified patients: March 22, 2017
- Number of patients affected: 279,663
The attack on Urology Austin bears significant similarities to the attack on ABCD. According to the provider's press release, Urology Austin staff were alerted to the attack "within minutes" of files being encrypted on an infected server, and promptly took their network offline. Like ABCD, they were also able to recover all encrypted data from backup, but upon further investigation determined that "some patient information was impacted by the ransomware."
A local Austin news station indicated that some of the data exposed in the attack was evidently quite old. One individual who received notification of the breach acknowledged he hadn't been a patient for 20 years, raising questions around why his data was being kept on a connected server and not archived offline in the first place.
Metropolitan Urology Group
- Attack date: November 28, 2016
- Notified patients: March 10, 2017
- Number of patients affected: 17,634
Wisconsin-based Metropolitan Urology Group also experienced a ransomware attack that encrypted patient data on their servers, but according to HIPAA Journal, it didn't discover the full extent of the infection until a contracted IT firm informed them more than a month later.
The patient data that was encrypted was related to individuals who had been patients at the practice between 2003 and 2010. It included patients’ full names, procedural codes, dates of service, patient control numbers, patient account numbers, and provider identification numbers.
By the time these former patients were notified it had been more than three months since the attack.
The bar is rising (and not just for healthcare) — detecting and responding to ransomware attacks is no longer enough
These three incidents are among the first in what experts predict will be another sharp increase in healthcare ransomware attacks this year. The fact that all three were reported as data breaches speaks volumes. It indicates we're in the midst of a major shift in how these attacks are perceived and addressed — one that could have implications far beyond the healthcare space.
How companies, regulators, and customers react to ransomware is about to change dramatically — because encryption isn't the problem.
The OCR issued a statement last July that ransomware attacks constitute breaches subject to the HIPAA Breach Notification Rule, specifically because when electronic PHI is encrypted that means the information "was acquired (i.e., unauthorized individuals have taken possession or control of the information)."
It's taken months for this view to be adopted and enforced, but we've now seen a series of providers falling in line and reporting ransomware attacks accordingly. The reason that's such a huge development is that it changes the way we think about the damage and harm ransomware causes. It's no longer simply the risk of files becoming encrypted and inaccessible that organizations are worried about — though that can certainly cause widespread disruption to sometimes critical services. In fact, that risk has been largely mitigated by improved use of backup.
Instead, it's the risk of data exfiltration that's keeping organizations up at night.
For now, that's a risk that remains largely theoretical. As was the case in these three incidents, it simply can't be ruled out. But as ransomware continues to evolve it's only a matter of time before criminals develop additional ways to monetize their attacks and do take further advantage of their access to sensitive and valuable information.
As Barkly co-founder and CTO Jack Danahy explained for Health IT Security:
"With this kind of access to records and a Bitcoin-enabled anonymous transaction engine, it is predictable, if not expected, that the same attacks will evolve to take advantage of this additional value via a two-phase collection.
"First, ransom will be demanded to make the system and data accessible to the rightful owner so that healthcare can be provided. Second, the accessed records will be put up for sale on the dark web, ultimately exposing the patients’ healthcare information."
In the meantime, the possibility of exfiltration alone is enough to make ransomware a threat that can't be swept under the rug with backups. In the eyes of regulators, if you're responding to ransomware encryption your system has already been compromised. The damage has already been done.
Responding to the need for more effective ransomware prevention
With the stakes so much higher, organizations inside and outside of the healthcare sector need to augment their reliance on reactive security measures like intrusion detection systems and backup with a renewed focus on preventing these attacks before compromise occurs.
To do that, more and more organizations are turning to runtime malware defense (RMD), a new layer of security that proactively stops attacks at the earliest signs of malicious behavior, before any encryption can take place or any damage is done.
RMD can keep data safe by eliminating the risk of exfiltration and encryption.