Healthcare entities have a regulatory obligation to protect protected health information (PHI), and that obligation extends to the business partners that handle PHI on their behalf. Unfortunately, cybercriminals target these partners just as they target healthcare organizations. A recent healthcare ransomware attack put over 20,000 patient records at risk when hackers seized a mailing service provider's data using Ryuk ransomware. On January 19, 2021, the company published a press release on the incident.
In May 2019, hackers infected the mailing service provider's servers with Ryuk ransomware. Ryuk is the work of an eCrime group known as Wizard Spider, and it is built for enterprise environments rather than individual machines. Once the operators have a foothold, it enumerates and encrypts local and network drives and shared resources, and it deletes or disables backups and restore points, including Volume Shadow Copies, so that victims cannot recover without the key. The primary method of initial infection is phishing: the email carries a malicious document, and once it is opened the operators are in, harvest administrator credentials, and move laterally toward the organization's critical assets.
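The backup destruction described above is the step most worth alerting on, because it happens before encryption starts and is rarely legitimate activity on a production server. As an added example that is not part of the original article, the following Python flags process-creation events whose command lines match the backup-deletion commands widely documented in Ryuk incidents (vssadmin delete shadows, wbadmin delete catalog, bcdedit recoveryenabled No) and escalates any host where more than one of those techniques appears. The log lines, host name PRINT-SRV01 and user names are constructed for the example, and the pattern list is an assumption for illustration, not a complete signature set.

```python
import re

# Command patterns widely documented in Ryuk (and other ransomware) incidents
# for destroying restore points before encryption. This list is an assumption
# for the example, not a complete or authoritative signature set.
BACKUP_TAMPERING_PATTERNS = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_resize": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadow_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "ignore_boot_failures": re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
}


def parse_event(line):
    """Parse a simplified key=value process-creation line.

    CommandLine is always the last field and may contain spaces, so it is split
    off first; the remaining fields are taken as whitespace-separated key=value
    pairs (Image paths with spaces are not needed here and are ignored).
    """
    head, _, cmd = line.partition("CommandLine=")
    fields = {}
    for token in head.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    fields["CommandLine"] = cmd.strip()
    return fields


def find_backup_tampering(log_lines):
    """Return one hit per event whose CommandLine matches a tampering pattern."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        event = parse_event(line)
        for rule, pattern in BACKUP_TAMPERING_PATTERNS.items():
            if pattern.search(event["CommandLine"]):
                hits.append({
                    "line": number,
                    "host": event.get("Host", "?"),
                    "user": event.get("User", "?"),
                    "rule": rule,
                    "cmd": event["CommandLine"],
                })
                break
    return hits


def hosts_to_escalate(hits, min_rules=2):
    """Hosts where at least min_rules distinct techniques were seen.

    A single shadow-copy deletion can be an administrator reclaiming disk
    space; shadow-copy deletion plus catalog deletion plus disabled recovery
    on the same host is the ransomware playbook and should page someone.
    """
    rules_by_host = {}
    for hit in hits:
        rules_by_host.setdefault(hit["host"], set()).add(hit["rule"])
    return sorted(host for host, rules in rules_by_host.items() if len(rules) >= min_rules)


# Constructed sample in a simplified Sysmon Event ID 1 style (not real logs).
SAMPLE_LOG = [
    "2021-01-19T03:14:02Z EventID=1 Host=PRINT-SRV01 User=CORP\\svc_backup Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "2021-01-19T03:14:03Z EventID=1 Host=PRINT-SRV01 User=CORP\\svc_backup Image=C:\\Windows\\System32\\wbadmin.exe CommandLine=wbadmin.exe delete catalog -quiet",
    "2021-01-19T03:14:04Z EventID=1 Host=PRINT-SRV01 User=CORP\\svc_backup Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit.exe /set {default} recoveryenabled No",
    "2021-01-19T03:15:10Z EventID=1 Host=PRINT-SRV01 User=CORP\\jsmith Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe list shadows",
    "2021-01-19T03:16:00Z EventID=1 Host=PRINT-SRV01 User=CORP\\jsmith Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE CommandLine=WINWORD.EXE /n invoice.docx",
]

if __name__ == "__main__":
    hits = find_backup_tampering(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['host']} {hit['user']} {hit['rule']}: {hit['cmd']}")
    print("escalate:", hosts_to_escalate(hits))
```

Run against the constructed sample, the three destructive commands are flagged, the harmless `vssadmin list shadows` and the Word launch are not, and PRINT-SRV01 is escalated because three distinct techniques were seen there. In a real deployment the same logic would consume Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled, and a hit on a backup or file server should be treated as an active intrusion, not a ticket.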
The mailing service provider then received a ransom demand: pay to get the keys that would unlock the servers, since the data on them was now unusable. The company did not pay. It also stated that it found no evidence that customer files had been accessed; because it could not rule out a breach with full certainty, it notified patients.
The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) investigated whether any HIPAA violations had occurred. OCR found none and closed the case.
Healthcare Ransomware Attack Puts Lens on Business Associates
Every security breach carries lessons. The important point in this case is that the target wasn't the healthcare organization itself but a business associate. Any relationship between a healthcare entity and a vendor that involves access to PHI requires a HIPAA business associate agreement (BAA).
The agreement commits the vendor to HIPAA's requirements for handling and safeguarding sensitive information. That is the minimum; when choosing vendors you should go beyond it. Ask these questions:
- What encryption methods and key management do you use?
- Do you encrypt data both at rest and in transit?
- Does your staff complete annual HIPAA compliance training?
- Have you ever had a breach, and how was it handled?
- Do you back up all data, and are backups kept offline or otherwise isolated so ransomware on the production network cannot reach them?
- Who is your data center partner?
Make these questions a standing part of your partner selection process.
What Answers Should You Expect?
These questions have right and wrong answers. Encryption is a large part of it, especially confirming that data is encrypted both in transit and at rest. You also need a clear picture of the vendor's overall cybersecurity posture: what proactive measures are in place to prevent, detect, and respond to attacks?
Attackers are only becoming more sophisticated. Much of the layered defense that counters them lives with the data center or cloud provider that actually hosts the data, so get specifics on the vendor's co-location partner as well.
Backups and redundancy are also critical, and they must be tested for restore and kept out of reach of an attacker who already controls the production network, since Ryuk and similar ransomware deliberately destroy the backups and restore points they can find. In many healthcare ransomware incidents, organizations lose data forever if they don't pay. Last year, this happened to a Colorado hospital, wiping out five years of patient medical records on its legacy EHR.
A Secure, Compliant Partner for Healthcare
We never like reporting on breaches and ransomware. Unfortunately, they occur in abundance, and the healthcare industry is a top target. We are proud to say we have never experienced a breach, nor have we ever violated HIPAA standards. After more than two decades and tens of thousands of healthcare data projects, we understand what it means to be secure and compliant.
Learn more about our data security and HIPAA compliance protocols.