For long term/post-acute care (LT/PAC) providers, cyber security is a serious game of staying one step ahead of an army of worldwide criminal hackers. Their intent is to test provider computer systems, which hold valuable protected health information (PHI) of residents and patients, along with the vital business functions necessary to maintain operations.
 
Protecting these data—which run the gamut from Social Security numbers, to health insurance identification cards, to details of medical conditions—has emerged as a top priority for the health care sector as a whole. Very recently, though, a particularly cunning new attack pattern called ransomware has emerged from the dark corners of the cyber security universe.

Hackers Demand Decryption ‘Fees’

As the name of this method of cyber crime implies, ransomware is a form of hostage taking that imperils a company’s ability to access vital data unless a sum of money is paid to free up, or decrypt, information that a hacker has frozen until their demands are met in the form of bitcoin payments. Bitcoin is favored for ransomware transactions because this cyber payment network is virtually untraceable.

There is an active multibillion dollar market in bitcoin, with exchange rates just like those for world currencies. For instance, recent quotes put the value of one bitcoin at around $600.

In total, the range of payments for each ransomware attack can run from a few thousand dollars to high five figures or more. While the practice is not new, it is now rampant, and the hackers are much more sophisticated, security consultants say. Some of this is due to growing interest in the ransomware “market” from the Russian and Chinese hacking communities.

Tainted Emails Spread Virus

Ransomware usually penetrates an information technology (IT) system through human error, as when an employee opens an email or email attachment containing the malware, or virus. Bad links to infected websites can also be a culprit, as can links on social media.

“It’s definitely been growing. The biggest difference between this year and last year is that the criminals—the hackers, the clickware people, the ransomware people, malware writers—are becoming much more sneaky. And much more sophisticated in how the malware, including ransomware, is delivered and how it works,” says Thomas Vines, director of information security for HCR ManorCare.

“Now they put out something that really looks legitimate, and people are fooled.”

Ransomware is not what Vines would call new, but in the past year or two it has become prevalent because the ransomware is so good, he says: “I mean that from a technical sense, not a good and evil sense.” It is very sophisticated software, capable of defeating traditional antivirus, content filters, firewalls, and other security controls, he adds.

Smaller Companies New Target

While large-scale traditional cyber attacks in the health care field have earned headlines in recent years—like the 2015 breach of health insurer Anthem’s IT system putting 80 million people’s personal information at risk—these newly active ransomware operations are capable of striking not only large companies, but smaller entities, such as family-run skilled nursing and assisted living centers.

Security experts say this is because data hostage-taking depends on getting modest ransom sums paid across a wide spectrum of potential targets, versus a straight theft of data for use in churning out phony identities, for purposes such as defrauding the Medicare or Medicaid programs or selling information in the black markets that inhabit the so-called Dark Web.

The implications for LT/PAC providers in preventing cyber security data breaches are immense, says Angela Rose, director of health information management practice excellence for the American Health Information Management Association. She says a company that does not take precautions puts its financial performance at risk, invites Health Insurance Portability and Accountability Act (HIPAA)-related penalties from the federal government in the form of corrective actions by a newly aggressive Office of Civil Rights (OCR), and, most importantly, “hurts their reputation and breaks trust with their patients.”

And while ransomware may not strike some providers as a technical breach of their security systems, Rose says guidance released in July by OCR makes it clear that the federal government is moving in the direction of making even smaller-style attacks that come under the guise of ransomware a reportable breach.

Beefing Up Security

For security experts, many of the same defenses a provider can take to prevent a traditional breach can work for blocking ransomware, like deploying software to detect system irregularities, active monitoring of firewalls, and staff training to recognize what it is and how to stop it from spreading, says James Tarala, principal consultant for Enclave Security, in Venice, Fla.

The catch is that health care entities, especially providers, have been slow to act on security threats, leaving themselves vulnerable to an assortment of criminal activity. “I honestly don’t think they [health care providers] are targeted more than anyone else,” he says. “I think it is just a crime of opportunity, especially when it comes to health care.”

Tarala thinks facilities have not spent as much time investing in cyber security as those in other industries have, for instance, the finance or the energy sectors.

“And when HIPAA and other regulations came into being [in 2003], there were not a lot of fines or being called on the carpet for not doing a lot of things they were supposed to do,” he says. “Facilities thought maybe we should do these things, but we don’t have to. And nobody is going to punish us. It was a financial decision not to, and it’s why they are in the situation they are in today.”

HIPAA Enforcement Escalates

That lax enforcement of HIPAA privacy and security regulations is a thing of the past. The reason for upped surveillance is that having PHI in electronic form is necessary to operate in the modern world of health care, with its integrated clinical systems, accountable care organizations, and population health management concerns, as well as for simple convenience.

Added to these factors, the mandates for electronic health record use under the Health Information Technology for Economic and Clinical Health Act of 2009 included more stringent privacy and security protections that relate to HIPAA.

The result is that fines are virtually flying out of OCR these days, LT/PAC stakeholders say, from relatively small amounts, to the record-breaking $5.5 million settlement the feds reached in August with Advocate Health Care Network in Illinois for multiple HIPAA violations. These were related to a huge 2013 breach of electronic PHI. The financial penalty was so large because of the extent and length of time over which the violations occurred and the fact that 4 million people were affected.

Providers Must Get Aggressive

Jeff Duncan Brecht, counsel to the law firm Lane Powell in Portland, Ore., says this combination of tougher HIPAA enforcement and more ransomware attacks makes it necessary for providers to become all the more aggressive.

“I represent a lot of long term care and senior living providers, and it’s a very big issue. It has impacted the industry and continues to for all sorts of reasons,” Brecht says. “It is certainly being taken very seriously by OCR.”

Looking at it from a criminal standpoint, Brecht thinks there is a perception—and often a misperception—that many of the smaller facilities in the health care profession may be less robust than other businesses in terms of security measures.

“I think that criminals look at ransomware as a way to maybe not obtain large payments, but to obtain payments quickly, because the nature of the security threat is that it locks up data that can be of critical importance in a time-sensitive manner,” Brecht says. “This might not be as big of an issue in different types of industries.”

Craig Day, also an attorney for Lane Powell, says ransomware is certainly in vogue right now. “We are reading a lot about the increase in the incidents of ransomware, and OCR was reporting a 300 percent increase in one year between 2015 and 2016,” he says.

Providers Gather New Weapons

So what do owners of skilled nursing centers, assisted living communities, and seniors housing do to combat ransomware and other hacking schemes to come?

In talking to LT/PAC providers, it is clear ransomware is on their radar. Cyber crime is the modern way, they say, what with the requirement to put PHI in electronic form, as well as most other business functions. Ironically, this plays right into the hands of cyber thieves who prey on human error or faulty IT systems to make their money.

Bret Hurst, chief information officer for PruittHealth, says it takes a combination of complex and simple steps to achieve success in this area. “We are always worried about the threats of all kinds. We have extensive data and are trying to run a business, and we have an approach that we call ‘defense in-depth,’” he says. The foundation of the effort is, “Don’t put all of your eggs in one basket, or the bad guys are going to catch you.”

Hurst says the days of “I have this antivirus, and I am just going to depend on that one company to take care of us” are gone. “We have antivirus and web filters and different layers of protection, and we make sure they are spread throughout multiple companies, like Microsoft and Cisco and different other pieces to back each other up,” he says.

“We get the benefit of all of them casting their net and responding to whatever threats are out there instead of depending on one market leader.”

Per HIPAA rules, Pruitt has leadership in place as well to oversee IT security in the form of a security officer, a privacy officer, and a security committee. “Between HIPAA and other concerns, we have many bases we are trying to cover, so we have many people in place. And some of this rolls under IT, and some of it rolls up under compliance,” he says.

Involving Staff

Another part of the program involves stressing IT security to new hires or people moving from one security clearance level to another, which at the most basic level is an education effort of not opening suspicious email or venturing onto unknown websites.

Hurst says the protective layers come in three levels: The top layer is the computer software web, the middle is the constant education and training and awareness across the company, and then there is a newer third tier.

“There is another tool that does two pieces for us: It crawls through our data looking for secure information in unsecured folders, meaning I shouldn’t see anything, and it looks for credit card or Social Security numbers,” he says. “It is even smart enough to look for HIPAA-specific information like drug names and it will tell us, ‘Hey, you have a piece of data that looks like it contains sensitive information, and it’s in a folder that has very, very light security.’”

The tool also knows and understands the Pruitt network and can detect types of ransomware or other attacks looking to encrypt or tie up data. “It will stop that action. So that means if it got past all security and all our education and we end up with ransomware inside, and that ransomware tries to start to eat data in this system, this new layer we have been in the process of adding over the past three to four months, it will recognize it,” Hurst says.
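
The first job Hurst describes for the tool, finding sensitive data in lightly secured folders, can be sketched as follows. This is an added illustration, not PruittHealth's or any vendor's code: POSIX mode bits stand in for "very light security," and the patterns, the three-term drug list, and the function names are assumptions.

```python
import os
import re
import stat

# Patterns are assumptions for this sketch, not a vendor tool's rules.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
DRUG_TERMS = {"warfarin", "metformin", "lisinopril"}  # constructed sample list


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the kinds of sensitive data that appear in text."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.add("card")
    lowered = text.lower()
    if any(re.search(rf"\b{term}\b", lowered) for term in DRUG_TERMS):
        kinds.add("drug_name")
    return kinds


def lightly_secured(path: str) -> bool:
    """True if the file is world-readable and its folder is world-traversable."""
    file_mode = os.stat(path).st_mode
    dir_mode = os.stat(os.path.dirname(path) or ".").st_mode
    return bool(file_mode & stat.S_IROTH) and bool(dir_mode & stat.S_IXOTH)


def scan(root: str) -> dict:
    """Map each lightly secured file under root to the sensitive kinds it holds."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if not lightly_secured(path):
                continue  # properly restricted files are out of scope here
            with open(path, "r", errors="ignore") as fh:
                kinds = classify(fh.read(1_000_000))  # cap read size per file
            if kinds:
                findings[path] = kinds
    return findings
```

A production sweep would read Windows ACLs or share permissions instead of mode bits and would report only the file path and data kind, never the matched values.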

Working To Prevent ‘Evil’

Knowing how all of this cyber protection works, and how ransomware tries to evade detection and encrypt data in the world of LT/PAC providers, is part common sense and part computer nerd heaven. And beyond all else, the security experts say, the best way to avoid having to pay a ransom is to have backup files.

“The way ransomware works is that you get the first payload [infected email], and you click on it and it starts processing” the bad software or malware, says the security manager of a large provider company, speaking on terms of anonymity. “And the first process is the encryption to actually inventory your disk and start encrypting file by file and byte by byte. In order to do that it needs to download its brains [malware]. It also needs to have some encryption keys and other things that are almost always in the first payload [attack].” Once the attack begins, the malicious software searches for websites and other entry points into an IT system so it can start its operation to infect and freeze up data.

The software defenses should then work to deny the attack by disrupting communications. “We need to shine some light into the dark places. Because it’s just software, software bent on evil. You can interrupt software. All software has bugs, including the malware bugs,” the source says.

At the same time, technical programs are working alongside educational and administrative efforts, which are just as vital to winning cyber battles. “On the tech side, that is the easy stuff. That is vetting every website five or six times before the user views it to make sure it is not bad,” the security manager says. “Then you have the process side, about putting good technology in and really supporting the good technology. And then we have the people portion of the system. And the people, they have work to do. They are clinicians there to deliver high-quality health care. They need the education, and then they can say, maybe I shouldn’t click on this when this Nigerian prince asks for money.”

Managing User Access

Tarala, the Florida-based security consultant, is not as high on software solutions for blocking ransomware as others, but instead focuses on limiting access in a smart way.

“Honestly, one of the few things that is really out there that has been effective in all of this has been application control. The idea being that you limit a user’s rights on their machine to give them the tools they need to do their job, but they only have the tools to do their job; no more, no less,” he says.

“So there are a number of products out there that have sprung up in this space, and there are even some organizations out there like the Australian Signals Directorate, the Center for Internet Security that I volunteer for. And the Australians say the No. 1 thing to do to protect yourself is to put something like that application control in place to defend against attacks, ransomware or otherwise,” Tarala says.

For the unnamed provider, the concept of limiting rights to certain computer files and systems is a routine part of the security process, too. The security management source uses as an example the needs of a nurse working in one of the company’s skilled nursing centers.

“We have to make sure they have the right access so they can further our patients’ recoveries. That is the real key for our bottom line [successful health care]. And we have to make sure we have a very dynamic, very speedy IT system in order to do that.”

Ensuring appropriate access is not without complications.

“When you get down to individual applications, it gets even more complex because you might have one employee with access to the dietary system, you might have another type of access for a medication system, and you might have a third type of access into the residents’ trust fund, where you make allowances for, say, one of our patients who wants to buy a candy bar,” the security management source says. “They are all managed separately, because they are managed by totally separate vendors, but are under our umbrella of identity management.”

Multipronged Security Key

Education can only go so far as well, Tarala says. He cites as an example the 2011 breach that cost RSA SecurID company $66 million to clean up. When it had its breach, a third-party company doing business with RSA’s human resources department had been hacked, without anyone’s knowledge. “And once hackers were into the HR firm, they created some malware and attached it to some Excel documents and sent them to staff at RSA,” he says. The trouble was that the users at RSA were expecting emails from the third party, since it was common practice to email back and forth.

“So you tell the HR department not to open malicious files?” Tarala asks. “You are going to expect a document from that third party. So how do we educate users to not do what they are supposed to do as part of their jobs?” he says.

What if such hack attacks with ransomware are successful? When asked if a provider, or any company, should pay the ransom when and if data become encrypted by a hacker, Tarala says that all depends.

“The analogy has been drawn between kidnapping and ransomware, and I don’t know if it’s that tied together. These are designed to be crimes of opportunity. Somebody has run malicious programs, and data start to get encrypted, and then you simply have to do something to get it back. If a company has backups, I certainly would not advise them to pay the ransom. I would tell them to have a good backup strategy and recover the data. But they may need to pay if they do not.”

Protecting Patients The Priority

Tarala says in the end the mix of technology and responsible computer use by employees and the cordoning off of a company’s computer system to prevent infection from spreading beyond repair can help stave off successful hacks.

For providers, the heart of all the discussion about cyber security is their clients, Pruitt’s Hurst says. “I don’t want them [hackers] to have access to PHI. There is a reason that these HIPAA laws are in place. These are people’s personal, private health information, and so one thing that I want beyond all else is to maintain control of it,” he says.

“It is the responsible thing to do for my patients to make sure nobody else has access to that data.”

Patrick Connole is a Washington, D.C.-based freelance journalist covering the health care sector and other economic issues, having worked previously for international newswires and health care-related publications.