Users of Universal Health Services (UHS), one of the largest healthcare systems in the country, recently lost access to electronic medical records when UHS suffered a ransomware attack and took its systems offline to remediate and prevent the spread of ransomware across its networks. The attack highlights the ongoing threats that hospitals and other healthcare providers face from malicious actors as well as the high cost of such incidents, even when they do not cause unauthorized disclosure of protected health information.
Ransomware is a type of malware (malicious software) that denies the victim access to their data (usually by encrypting the information) until the victim pays a ransom to the hacker. The UHS attack, which may be the largest ever on a healthcare system, did not appear to involve the unauthorized access to any patient or employee information, according to a statement released by UHS. However, the organization was forced to suspend access to its information technology applications related to operations—including the Electronic Medical Record (EMR), laboratory, and pharmacy operations—in order to address the ransomware attack.
Ransomware attacks have increased and evolved over the last few years. In 2017, the Department of Justice estimated that ransomware was globally infecting more than 100,000 computers a day and that ransom payments were approaching $1 billion annually.[1]
Ransomware attacks can occur in several ways. The most common delivery system is a phishing scam in which a victim receives an email containing an attachment with ransomware that, once downloaded and opened, will take over the victim's computer and potentially penetrate a company's network.[2]
Prior to 2018, most ransomware attacks were designed to cause mass, indiscriminate infection of as many devices, across as many systems, as possible. More recently, however, ransomware attacks have become more targeted, and hospitals have increasingly become victims of these attacks.[3]
Implications of an Attack
Attacks that suspend access to hospitals' data and systems, no matter how temporary, can disrupt the delivery of services to patients. Organizations must undertake costly remediation efforts, which may begin with paying the ransom (depending on whether they have an acceptable and available backup of their systems), followed by recovering compromised systems, undertaking a forensic investigation, and purchasing or updating security systems.
Besides these operational fixes, just confirming that no patient information was accessed is often an expensive process and organizations may face the additional costs of notifying patients and regulators, which could lead to further questions or legal proceedings.
This year, the U.S. Department of Health and Human Services (HHS) issued an update about Ryuk, the specific ransomware that affected UHS. HHS is aware of the recent proliferation of ransomware attacks and has issued guidance (Ransomware Guidance) for entities covered by the Health Insurance Portability and Accountability Act (HIPAA). Notably, HHS presumes that ransomware attacks constitute a reportable breach, unless the affected entity can demonstrate that there is a low probability that patient information was compromised.
Additionally, HHS notes under the Ransomware Guidance that implementation of security measures from the HIPAA Security Rule can help prevent introduction of certain malware, including ransomware, and can help infected systems recover from malware attacks. For example, the HIPAA Security Rule requires entities to implement procedures to guard against, detect, and report malicious software, which may help prevent malware attacks.
Further, the HIPAA Security Rule requires entities to implement a data backup plan, which may assist an entity in recovering any data it may have lost due to a ransomware attack. A good data backup plan may also help an entity avoid having to pay the ransom if it has the information available on a secure backup drive.
A covered entity found to have experienced a breach because of insufficient safeguards against malware attacks may face hefty fines. For instance, a health insurer recently settled with HHS for $6.85 million for a breach that was caused by malware and affected records containing the health information of 10.4 million people.
Heightened Awareness of Risk
UHS is still working to remediate its systems and is providing updates as it learns more about the attack. While it appears to have avoided a breach of patient information, the experience is a lesson to other healthcare systems that they may also be an attractive target for malicious actors.
Ransomware is often not detected at the time of initial infection, which can allow the bad actor time to identify and target network systems and maximize the impact of the attack. This time lag may present an opportunity for vigilant entities "to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied."[4]
Accordingly, entities should review their safeguards to ensure they are sufficient to identify and prevent a ransomware attack. Entities may wish to consider:
1. Implementing a security management process and conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI);
2. Implementing procedures to guard against and detect malicious software;
3. Training users on detecting and reporting malicious software; and
4. Implementing access controls to limit access to systems containing ePHI.
[1] Deputy Attorney General Remarks, October 4, 2017.
[2] FBI, Public Service Announcement, October 2, 2019.
[3] National Cyber Security Centre, Ryuk Ransomware Targeting Organisations Globally, National Cyber Security Centre Report, June 21, 2019.
[4] National Cyber Security Centre Report (see note 3).