Can Healthcare Ransomware Be Stopped? Yes, It Can!

Posted on May 25, 2016 I Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
Steven Marco - HIPAA expert
As an Auditor at HIPAA One®, my goal is to dot every “i” and cross every “t” to ensure a comprehensive HIPAA Security Risk Analysis.  The HIPAA One® Security Risk analysis is a tool to guarantee compliance, automate risk calculations and identify high-risk technical, administrative, physical and organizational vulnerabilities.

Recently, I was on-site for a client named “Care Health” (name changed to protect their identity). Care Health had invested in the highest level of our SRA (Security Risk Analysis) to cover all aspects of security and protection from Ransomware, malware, and the proverbial “sophisticated malware.”

The HIPAA One® HIPAA Security Risk Analysis and Compliance Interview process guided Care Health through a series of HIPAA citation-based questions and required users to upload documents to demonstrate compliance.  These questions directly addressed the organization’s security controls in place to protect against ransomware and cyber-threats.  You can see a sample of the citation-driven controls HIPAA One required for malware and malicious software below:

Technical Audit Controls 164.312(b)
HIPAA One® Requirement:  Upload screenshots of the systems configuration page(s) detecting malware network communications or ePHI/PII going out/in.
Client Controls:  End-user education on malware and phishing. Cisco IPS/IPS module active to block critical threats and WebSense Filter for deep-packet web-traffic inspection.

Administrative Protection from Malicious Software 164308(a)(5)(ii)(B)
HIPAA One® Requirement:  Provide a document showing a list of all servers, workstations and other devices with updated AV Software versions.
Client Controls: BitDefender Enterprise deployed on all workstations and laptops.

Administrative Procedures to guard against malicious software 164.308(a)(5)(ii)(B)
HIPAA One® Requirement:  Please upload a list of each server and sample of PC devices containing server name, O/S version, Service pack and the most recent security updates as available by the software vendor.  Verify critical security patches are current.
Client Controls:  Microsoft Security Operations Center combined with an exhausting change-management process to test new patches prior to release.

HIPAA Citation:  Administrative Training program for workers and managers 164.308(a)(5)(i) for the HR Director role.
HIPAA One® Requirement: Please upload a screen capture of the HIPAA training system’s grades for individual employees and detail the training/grading system in notes section.  Go through training and verify it efficiently addresses organization’s Policies and Procedures with real-world threats.
Client Controls:  Training that is due and required before bonuses, pay-raises or schedule to work are awarded.  Workforce and IT Helpdesk are trained to forward any calls regarding suspicious activities to the HIPAA Security Officer (HSO).

HIPAA Security Risk Analysis Tool

Back to the Ransomware attack…One day during the project, two staff members’ in the Billing department were going about their daily tasks, which involved working with shared files in a network-mapped drive (e.g. N: drive).  One of them noticed new files were being spontaneously created and the file icons in the network folder were changing. Being attentive, she noticed one was named ransom.txt.

Acting quickly, she contacted the IT Helpdesk who were trained to triage all security-related service-desk requests immediately to the HIPAA Security Officer(HSO).   The HSO logged-into the N: shared drive and found Care Health files were slowly being encrypted!

How do you stop a Ransomware attack?
The Security officer ran Bitdefender full-scans on the Billing department computers and found nothing.  He then installed and ran Windows Defender, which has the most current malicious software removal utilities on Server 2012 and found Tescrypt.  Installing Windows Defender on the two desktops not only detected this, but also removed it.

This Ransomware variant had somehow infected the system and was encrypting these files.  The quick-acting team at Care Health recognized the attack and stopped the Tescrypt variant before patient data were compromised.  Backups were used to restore the few-dozen encrypted files on the network-drive. It was a close call, but Care Health was ready and the Crisis Averted.

Upon a configuration review of all of Care Health’s security appliances, WebSense had been configured to allow “zero-reputation” websites through.  Zero-reputation websites are new sites without a known reputation and are commonly used by hackers to send these types of attacks. At Care Health, the Ransomware apparently came from a valid website with an infected banner ad from a zero-reputation source. The banner ad was configured to trigger a client-browser download prior to the user being allowed to see the valid web page.  This forced visitors to this website to download the executable virus from the banner-ad and unknowingly installing the Ransomware on their local computer.  When downloaded, the Ransomware would start encrypting files in high-lettered network-drives first.

Lesson Learned
Ransomware is here to stay and attacks are rising.  Healthcare organizations need to have policies and procedures in place to prevent these attacks and a comprehensive user training and awareness program.  The HIPAA One® software is one of the most secure ways to implement a HIPAA Security Compliance Program.  But a risk analysis is only one step… Ultimately, organizations must build top line end-user awareness and training programs. So like at Care Health, the employees know to quickly report suspicious activities to the designated security officer to defend against Ransomware, Phishing and “sophisticated malware attacks”.

To learn more about stopping Malware and using HIPAA One® as your HIPAA Security Risk Analysis accelerator, click to learn more, or call us a 801-770-1199.

HIPAA One® is a proud sponsor of EMR and HIPAA.