This month a hacker with the handle "Dark Overlord" has been making news after successfully stealing thousands of healthcare records and holding them for ransom. According to Boing Boing, Dark Overlord was able to acquire 48,000 records from a healthcare organization in Farmington, Missouri; hundreds of thousands from Atlanta, Georgia and the Central/Midwest US as well as nine million patient insurance details. As if that weren't enough, on Tuesday the notorious hacker also stole the information of 34,000 New York healthcare patients. And just what kind of payout is up for grabs for greedy ransomware authors looking to exploit healthcare institutions? Dark Overlord is demanding 750 Bitcoin (or $513,682.50)! So what does this mean for MSPs?
In this case, the hacker is shopping sensitive Protected Health Information (PHI) on the Dark Web. Dark Overlord isn't just looking for a ransom from the institutions they stole from. They are also selling the information to the highest bidder and in doing so, are endangering hospital reputations as well as releasing the private and sensitive health and ID information of patients.
This is a serious crime, which is why proper cybersecurity around PHI is more important than ever. My company Southern Data Solutions works with clients who need to meet HIPAA compliance all the time. We protect their sensitive information by guiding clients through a very simple checklist to ensure that they do not become the victims of a similar ransomware breach. Here's how:
HIPAA Compliance Assessments
We recommend a complete review of any network that is handling patient information at least annually, and twice a year or quarterly depending on the amount of data and number of patient records. The assessments must be thorough, well documented and frequent. We use Continuum's HIPAA Assessment Tool, powered by RapidFire Tools, for our HIPAA compliance assessments. It covers all the regulations that a HIPAA audit would look for and ensures that we are not only identifying vulnerabilities, but showing organizations clear steps to take in response. After generating a report that is strictly HIPAA-focused, we use documentation, analysis and consultation to guide our clients through our findings and establish a better security framework. In some cases, that means enablement by sharing knowledge and documentation; in others, it means applying our own Managed Security solution that allows us to fill the gaps.
Data Encryption
When talking to your clients about HIPAA compliance and protecting patient information, immediately discuss data encryption with them. Review how these healthcare practices encrypt files today, especially if they access a cloud server or use a file sharing service. Files that are not encrypted are low-hanging fruit for hackers, and the consequences of leaving that vulnerability uncorrected are dire. Not only will a breach be costly to your clients, it will cost them their very livelihood, since few patients will return to an organization that has been compromised. Once you determine which of your clients need data encryption, have that eye-opening conversation with them, and then help keep their networks secure by encrypting their files right away.
Disaster Recovery Plan
Healthcare companies handling PHI should have a disaster recovery plan (DRP) that is comprehensive and properly managed. It should include a Disaster Declaration, which dictates and identifies who decides a disaster has occurred as well as a Disaster List that identifies the disaster (for example: breach, fire, loss of connectivity). Key decision makers should also have in their possession a Data Backup Guide that documents where backups reside, who to call and how to get a hot site up and running quickly. By leveraging Continuum BDR, our fully-managed BDR platform, we are able to ensure our clients receive business continuity planning and follow established BDR procedures should something go wrong. We also help our clients manage an Alternate Site Guide, detailing how to get a second site accessible in the event of a disaster. Additionally, our ePHI recovery guide covers how to access electronic protected health information, who is authorized to recover this data and which steps are needed for recovery.
Cyberattacks, especially on PHI, are certainly not going to decrease over time. There are over one million NEW attacks being launched each day. If you serve any healthcare organizations, they are the ultimate attractive targets for cybercriminals looking to profit from ransomware schemes. How are you solidifying your status as the trusted partner who will help them? Sound off in the comments below!