The U.S. government set standards two decades ago for safeguarding protected health information (PHI) and personally identifiable information (PII). But cybercriminals keep finding ways to pry into it. They can even profit from such data without actually viewing it.
Recently, NetDiligence CTO Vinny Sakore spoke with Michael Chase, Partner, and Bob Kardell, Attorney, of Baird Holm, LLP about healthcare email compromise and how organizations can respond to and guard against it.
Baird Holm is a 140-year-old law firm with attorneys licensed in 23 states. The firm has at least 15 attorneys who can respond to cyber attacks in healthcare. Baird Holm is also a NetDiligence Authorized Breach Coach.
What Are Healthcare Breaches And How Big A Problem Are They?
The Department of Health and Human Services (HHS) identifies several ways personal data enters the cybercrime ecosystem. Criminals use phishing emails, fake invoices, and other “spoofing” to trick busy personnel into opening the wrong email and clicking the wrong link—even personnel trained in recognizing healthcare cybersecurity challenges.
Email compromise isn’t the only way attacks occur. In the healthcare sector, DDoS attacks (Distributed Denial of Service) can bring providers’ networks to their knees. Ransomware in healthcare also threatens information.
In 2020, healthcare providers and related entities reported more than 1.76 data breaches a day involving 500 or more records—a 25% year-over-year increase from 2019. Data breaches in healthcare cost $7.13 million on average, an IBM study finds. That figure is 10% higher than in 2019 and is the highest average breach cost across 17 industries.
Michael Chase believes healthcare email compromise has trended up in the past five to seven years in part because health and financial information makes such a tempting target. Another reason is, like all business email compromise, “It’s easy.”
What Makes Healthcare Cyber Attacks A “Nightmare To Investigate”?
Even unsophisticated attacks “can be a nightmare to investigate,” says Chase.
Baird Holm often works with clients who assume their corporate email policies are enough to protect PHI and PII. But in today’s value-based healthcare and insurance system, says Chase, it’s “highly unlikely PHI does not get emailed.” Even a single emailed spreadsheet, containing tens of thousands of patients’ data, can be a significant privacy breach in healthcare.
Cyber forensic experts can sometimes tell whether PHI and PII have actually been compromised, viewed, and exfiltrated. But other times—for example, after attacks involving Emotet, a complex ransomware in healthcare and other sectors—such certainty isn’t possible. “Once they get on your system with that,” Kardell explains, “you can’t tell what emails they’ve looked at and which emails they have not seen. We have to assume they’ve seen everything.”
Investigating such attacks means combing through every email in the compromised account, including all attachments. “Under HIPAA,” says Chase, “you’ve got 60 days, potentially, to notify individuals, regulatory authorities, and media of this breach, and [investigating] will eat up a lot of your 60 days very quickly.”
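The combing-through step Chase describes is usually done with tooling before a human reviews each hit. The script below is an added example, not code from the article or from Baird Holm or NetDiligence: it walks every part of each message in a mailbox export, attachments included, and reports which messages contain identifier patterns (SSN, date of birth, and a hypothetical "MRN-" record-number format assumed for this example) so investigators can prioritize review within the notification window. The two messages are constructed for the example.

```python
"""Triage a compromised mailbox export for PHI/PII indicator patterns.

Added example; the mailbox contents and the MRN format are constructed.
Heuristic hits only tell a reviewer where to look first; each hit still
has to be confirmed by a person before it drives a notification decision.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (RFC 822 text; not real patients or staff).
MSG_CLAIMS = """From: billing@example-clinic.test
To: ar@example-clinic.test
Subject: March claims
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached is the March claims sheet.
--b1
Content-Type: text/csv; name="claims.csv"
Content-Disposition: attachment; filename="claims.csv"

patient,ssn,dob,mrn
Jane Roe,123-45-6789,1970-01-02,MRN-0004411
John Doe,987-65-4321,1965-07-14,MRN-0004412
--b1--
"""

MSG_PARKING = """From: hr@example-clinic.test
To: all@example-clinic.test
Subject: Parking reminder
Content-Type: text/plain

Please move your cars before 5pm Friday.
"""

SAMPLE_MAILBOX = [MSG_CLAIMS, MSG_PARKING]

# Identifier heuristics. Non-capturing groups keep findall() returning
# whole matches. The MRN format is an assumption made for this example.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
    "mrn": re.compile(r"\bMRN-\d{6,}\b"),
}


def iter_text_parts(msg: Message):
    """Yield (location, decoded text) for every leaf part, attachments included."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        text = payload.decode(charset, errors="replace")
        filename = part.get_filename()
        location = f"attachment:{filename}" if filename else f"body:{part.get_content_type()}"
        yield location, text


def scan_message(raw: str) -> dict:
    """Count indicator hits per part of one message."""
    msg = message_from_string(raw)
    hits = {}
    for location, text in iter_text_parts(msg):
        counts = {label: len(rx.findall(text)) for label, rx in PATTERNS.items()}
        counts = {label: n for label, n in counts.items() if n}
        if counts:
            hits[location] = counts
    return {"subject": msg["Subject"], "hits": hits}


def triage_mailbox(raw_messages) -> list:
    """Return only messages with at least one hit, highest hit count first."""
    results = []
    for raw in raw_messages:
        result = scan_message(raw)
        if result["hits"]:
            result["total"] = sum(sum(c.values()) for c in result["hits"].values())
            results.append(result)
    results.sort(key=lambda r: r["total"], reverse=True)
    return results


if __name__ == "__main__":
    for item in triage_mailbox(SAMPLE_MAILBOX):
        print(item["subject"], item["total"], item["hits"])
```

Attachments are where the bulk of a mailbox's PHI usually sits (the emailed spreadsheet Chase mentions), so the scanner treats them exactly like message bodies rather than skipping binary-looking parts; a real deployment would add extractors for Office and PDF attachments in front of the same pattern pass.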
Kardell, a former FBI cyber forensics investigator, recalls cases in which IT groups tasked with incident recovery would wipe and reimage a practice’s servers before calling investigators. “Then they find out we needed the evidence,” he says. “As happy as you may be to be up and running again, you’re going to be sad to find out [the lost evidence] may necessitate notifying everyone who’s a client.”
What Guidance Must Organizations Follow Regarding Data Breaches In Healthcare?
HHS’ Office for Civil Rights (OCR) considers a healthcare ransomware attack to be a disclosure of PHI, even if data was not accessed or exfiltrated, according to Chase. And the HIPAA Breach Notification Rule presumes every disclosure is a breach unless the organization can demonstrate a low probability of compromised PHI.
The risk analysis uses four factors:
- The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
Chase says forensic analysis helps organizations assess these factors. When investigators can determine bad actors behind a ransomware attack only want to lock a system down to “make a quick buck” before moving on to another target, risk is low.
“Unfortunately,” he adds, “it’s not that easy for us! We’ve got to do a deep dive to figure out if that was actually the case.”
Why Do Organizations Need To Develop Incident Response Plans?
Preparation is key to guarding against healthcare email compromise. “Particularly in healthcare,” says Chase, “boards should be aware of all of the rules and what’s going on, and budget for security year over year.”
“The sooner you can activate an incident response plan, the better,” Chase continues. “Report it, activate your plan, get moving, get legal counsel involved, get forensic experts, and we can figure out what happened. These things move very quickly and you’ve got a very narrow time frame, especially in healthcare, to work through a lot of these issues.”
Kardell wants organizations to know about new laws putting “some meat on the bones” in terms of developing policies, plans, and procedures. For example, a recent amendment to the HITECH Act provides reduced fines and mitigation efforts for breached organizations that have been following industry-standard cybersecurity measures for at least a year.
Kardell also urges organizations to “take away the low-hanging fruit” by implementing multi-factor authentication. He says 90% of system compromise incidents occur because a cybercriminal gets login credentials from the dark web. “The people using credentials,” he explains, “are not very sophisticated hackers. If you put multi-factor authentication in place and they can’t get in the first time, they’re probably going to move on to somebody else.”
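The pattern Kardell describes, a password-only login that succeeds after a short burst of failures from several addresses, is visible in ordinary authentication logs. The following is an added example, not code from the article or from Baird Holm or NetDiligence: it parses a constructed log format (timestamp, user, source IP, result, and an mfa= flag, assumed for this example) and flags successful logins that were not MFA-verified and were preceded by a failure burst within a time window, then lists the accounts that are still signing in without MFA at all.

```python
"""Flag password-only logins that follow a credential-guessing burst.

Added example. The log format below is constructed for this example:
    <ISO-8601 time> <user> <source ip> <FAIL|SUCCESS> mfa=<yes|no>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses, fictitious users).
SAMPLE_LOG = """\
2024-03-04T08:01:10 alice 203.0.113.5 FAIL mfa=no
2024-03-04T08:01:12 alice 198.51.100.7 FAIL mfa=no
2024-03-04T08:01:15 alice 203.0.113.9 FAIL mfa=no
2024-03-04T08:01:20 alice 192.0.2.44 SUCCESS mfa=no
2024-03-04T09:15:00 bob 192.0.2.10 SUCCESS mfa=yes
2024-03-04T09:20:00 carol 192.0.2.11 FAIL mfa=no
2024-03-04T09:20:30 carol 192.0.2.11 SUCCESS mfa=yes
"""


def parse_line(line: str) -> dict:
    """Split one log line into a typed event."""
    ts, user, ip, result, mfa = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "user": user,
        "ip": ip,
        "success": result == "SUCCESS",
        "mfa": mfa == "mfa=yes",
    }


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_stuffing_successes(events, window=timedelta(minutes=10),
                            min_failures=3, min_ips=2) -> list:
    """Return password-only successes preceded by a multi-IP failure burst.

    A success that was MFA-verified is never flagged: that is the case
    where the second factor did its job even if the password was known.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: e["time"])
        for i, event in enumerate(user_events):
            if not event["success"] or event["mfa"]:
                continue
            prior_failures = [
                p for p in user_events[:i]
                if not p["success"] and event["time"] - p["time"] <= window
            ]
            distinct_ips = {p["ip"] for p in prior_failures}
            if len(prior_failures) >= min_failures and len(distinct_ips) >= min_ips:
                findings.append({
                    "user": user,
                    "time": event["time"],
                    "login_ip": event["ip"],
                    "failures": len(prior_failures),
                    "distinct_ips": len(distinct_ips),
                })
    return findings


def users_without_mfa(events) -> list:
    """Accounts that completed at least one login without a second factor."""
    return sorted({e["user"] for e in events if e["success"] and not e["mfa"]})


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for finding in find_stuffing_successes(parsed):
        print("suspicious password-only login:", finding)
    print("accounts still logging in without MFA:", users_without_mfa(parsed))
```

The second report is the one that matters for Kardell's "low-hanging fruit" point: every account on it is one whose leaked password alone would be enough, and the enforcement gap can be closed before any of them shows up in the first report.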
He adds, with a smile, “There’s an old saying out there: ‘You don’t have to outrun the bear. You just have to outrun the person you’re running next to when the bear’s chasing you both!’”
We thank Michael Chase and Bob Kardell for sharing their insights into the threat of healthcare email compromise and other cyber attacks. Be sure to watch the whole conversation for more information.
You can learn more about Baird Holm by visiting https://www.bairdholm.com/. If you have questions about developing and implementing a cyber-focused incident response plan, call NetDiligence at 610.525.6383 or contact us online.