Healthcare networks and providers are squarely in the crosshairs of ransomware cybercriminals, and if the current rate of attacks continues, this year's incidents will likely exceed last year's significantly.
On May 8, 2017, St. Mark’s Surgical Center, LLC in Fort Myers, FL publicly disclosed that sometime between April 13 and April 17, 2017, it was the target of a ransomware attack that may have exposed the data of over 30,000 patients from 7 states.
The center called in a third-party security firm to conduct a forensic review, which concluded that the attack affected certain electronic files on the center’s server and could have exposed private patient information such as names, dates of birth, health information, treatment information, and/or Social Security numbers.
As required by law, the center had to publish a disclosure on its company site and inform patients of its intended remediation plan.
“Immediately upon learning of the presence of ransomware on our systems, we commenced an investigation to determine its scope, the impact on our systems, and the identity of those affected.
“We also engaged a third party expert to assist us in recovering the affected data, to help ensure that the server was no longer subject to the ransomware, and to examine whether protected health information or personally identifiable information had been used, accessed, disclosed, acquired, or otherwise compromised by unauthorized parties.
“As mentioned, we are not aware of any improper use, access, disclosure, acquisition, or compromise of or to the information that was contained on our server. Nonetheless, we are providing this advisory to you and other individuals to make you aware of this incident so that you can take steps to protect yourself and minimize the possibility of misuse of your information.”
The center also provided 12 months of identity theft protection to the affected patients. The healthcare industry is waking up to the chilling effect a ransomware attack can have, not only through exposure to government fines but also through damage to the trust patients place in the protection of their personal data, not to mention downtime affecting the organization's critical data.
Since January 1, 2017, 191 serious healthcare privacy and security breaches have been reported to the Office of Civil Rights (OCR) reporting site, as required by US federal law under the HIPAA Breach Notification Rule. This rule applies to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.
The law requires that the Secretary of HHS, as well as the affected patients, be notified within 60 days. If a breach affects the privacy of 500 or more patients, the local media in the affected state must be informed, and the healthcare entity must publicly post a description of the incident and the remedies.
While poor encryption practices made up the majority of breach reports early on, hacking now accounts for more than 40% of the breaches from the last two years currently under investigation. Hacking has also implicated far more patient records, accounting for 75% of compromised records.
“The big takeaway here is that phishing is a successful way to get inside healthcare facilities,” Susan Lucci, chief privacy officer and senior consultant at the security consultancy firm Just Associates, told Healthcare Info Security.
“Data breaches reported so far this year are on pace to surpass last year’s total, which was seen as a banner year for healthcare breaches. More than 230 breaches were reported so far this year, accounting for more than 3.1 million patient records.” Source: www.hhs.gov
Don't be a victim! Get your Ransomware Hostage Rescue Manual.
Get the most informative and complete hostage rescue manual on Ransomware. This 20-page manual is packed with actionable info that you need to prevent infections, and what to do when you are hit with malware like this. You also get a Ransomware Attack Response Checklist and Prevention Checklist. You will learn more about:
- What is Ransomware?
- Am I Infected?
- I’m Infected, Now What?
- Protecting Yourself in the Future
- Resources
Don’t be taken hostage by ransomware. Download your rescue manual now!
Or cut & paste this link in your browser: http://info.knowbe4.com/ransomware-hostage-rescue-manual-0