Mental Health Provider Pays Ransom to Recover Data

Faced With Ransomware Attack, Practice Decided Paying Extortionists Was Best Option
A mental healthcare practice's decision to pay a ransom to have sensitive patient data unlocked illustrates the difficult choices that organizations can face when attempting to recover from a ransomware attack.
Rochester, Minnesota-based Associates in Psychiatry & Psychology says in a notification statement that on March 31, it discovered that some of its computers containing patient data had been accessed remotely and encrypted by attackers.
A separate FAQ document posted on the practice's website notes that "hackers from Eastern Europe" encrypted all the data files on the practice's main servers with an RSA2048 encryption protocol.
"In our case, the specific type of ransomware that affected APP was called 'Triple-M,' which is one of a family of 'crypto-ransomware' strains that uses extremely long keys - passwords - to encrypt data on infected systems," the practice notes.
"Although the data stored on the computers affected is not in a human-readable format, it does contain names, addresses, birthdates, Social Security numbers, treatment records and insurance data," APP says. "All of the evidence indicates that no patient data was viewed or copied and that the hackers' sole objective was to collect a ransom from APP in order to allow us to decrypt and regain access to the files."
Decision to Pay
Jessie Maes, the practice's office manager, tells Information Security Media Group that the practice decided to pay an undisclosed ransom after determining it would take longer and potentially be more difficult to attempt to restore its systems without obtaining a decryption key from the hackers.
"We tried to get around paying a ransom, but didn't think we'd be able to do that quickly and without damaging our systems," she says.
The patient database that was encrypted by the ransomware "was not easily readable, browsed or copied" without the use of APP's Lytec electronic health record and practice management software, which was not impacted by the attack, Maes contends. The practice, however, did not encrypt patient data contained in the database that was attacked, she acknowledges.
"The attackers didn't touch our EHR, and there's no proof anything was accessed," she adds.
Encrypt Sensitive Data
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, recommends that healthcare providers encrypt all patient data to protect it.
"Cybercriminals can often hack into the coding of proprietary data management systems, putting personal medical and financial information at risk," he says. "This is one reason why the HITECH Breach Notification Rule defines 'secured PHI' as data that is encrypted to the FIPS standard 140-2."
APP reported the hacking incident to the Department of Health and Human Services on May 16 as affecting 6,546 individuals, according to HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website - also commonly called the "wall of shame."
In its notification statement, APP says that upon discovery of the ransomware, "all systems were promptly taken off line for four days while we assessed the situation and the computers were restored to their previous state."
In addition, APP says it has "continued scanning for any viruses or other malware, updated our security and remote access policies, and instituted additional layers of security and encryption."
Patient care was not impacted during the four days that it took APP to restore its systems after paying the ransom, Maes says. That's because the practice was able to use its patient appointment reminder system to keep track of patient visits during the restoration, she says.
Holtzman notes that the key for avoiding paying a ransom is having "good solid procedures" in place for recovery. "This requires planning before you are hit with a ransomware attack so that you have more than just the data backed up. When you build a system and figure out the right configurations, you can create an image so when you create the next configuration, you apply that image."
While some entities decide to pay ransoms because they believe that recovery will be quicker, "doing business with cybercriminals is risky business," Holtzman says. "If you receive an encryption key after paying the ransom, some organizations have found malware and other viruses implanted in their data. And there can be significant patient safety issues because the ransomware program made subtle changes to the data integrity that can be very hard to detect."
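Holtzman's two points above, keeping more than just the data backed up and the risk of subtle, hard-to-detect integrity changes after a ransom is paid, both come down to knowing what the data looked like before the incident. The following is an added example, not code from the article or from the practice it describes: it records a SHA-256 manifest of a data directory (meant to be stored offline alongside the backup image) and later compares the recovered directory against it, reporting files that were altered, are missing, or appeared unexpectedly. The directory layout, file contents and the one-byte corruption are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_manifest(root, manifest):
    """Compare the current contents of root with a previously saved manifest.

    Returns a dict with sorted lists under 'modified', 'missing' and 'unexpected'.
    A single changed byte anywhere in a file lands it in 'modified'.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: build a small record set, save its manifest,
    then simulate a recovery that silently changes one byte in a record,
    loses one file and leaves a stray file behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patients").mkdir()
        (root / "patients" / "1001.rec").write_bytes(b"name=Doe;dob=1970-01-01;ins=ABC123\n")
        (root / "patients" / "1002.rec").write_bytes(b"name=Roe;dob=1985-06-30;ins=XYZ789\n")
        (root / "notes.txt").write_bytes(b"session notes\n")

        # The manifest would normally be written next to the offline backup image.
        saved_manifest = json.dumps(build_manifest(root))

        # Simulated post-recovery damage (constructed):
        rec = root / "patients" / "1002.rec"
        data = bytearray(rec.read_bytes())
        data[-2] = ord("0")          # insurance id XYZ789 becomes XYZ780
        rec.write_bytes(bytes(data))
        (root / "notes.txt").unlink()                       # file lost during restore
        (root / "restore.log").write_bytes(b"leftover\n")   # file that was never there

        return verify_manifest(root, json.loads(saved_manifest))


if __name__ == "__main__":
    print(demo())
```

The manifest only has value if it is captured before the incident and kept where the attackers cannot rewrite it, which is the same requirement Holtzman sets for the backup image itself.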
Of course, APP isn't the first healthcare entity to admit paying a ransom to unlock data following a ransomware attack. Among other healthcare entities that have admitted paying ransoms is Indiana-based Hancock Health, a healthcare system that includes Hancock Regional Hospital and more than 20 other healthcare facilities. In January, Hancock said it paid four bitcoins, valued at the time at $55,000, to unlock its systems following a ransomware attack on Jan. 11.
Meanwhile, some experts say many other entities - in healthcare as well as other sectors - also end up paying extortionists but without publicly admitting it.
Symantec's 2017 Internet Security Threat Report showed that globally, about 34 percent of consumers pay the ransom after a ransomware attack (see Why Some Healthcare Entities Pay Ransoms).
Steps to Take
So how can entities avoid paying extortionists? Being better prepared to avoid falling victim to a cyberattack in the first place is a good place to start, Holtzman says.
"The first thing they should be doing is making sure to keep their environment up to date. That means having a good schedule for refreshing their systems, such as browsers and anti-virus protection, and keeping patches up to date," Holtzman says.
"Second, reduce the exposure of accounts with administrator privileges to the minimum needed to perform the necessary operations. A number of recent ransomware attacks have infiltrated systems through phishing emails sent to information system administrators. Third, control access to systems and data by requiring use of two-factor authentication before gaining access to administrator functions or patient information."
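Holtzman's three steps (current patches and anti-virus signatures, administrator privilege limited to those who need it, and two-factor authentication in front of admin functions and patient information) are checks that can be run against an asset and account inventory rather than left to memory. The following is an added example, not code from the article: it applies those three checks to a constructed inventory. The hostnames, usernames, dates, the 30-day threshold and the set of roles that legitimately need admin rights are all assumptions made for the demonstration.

```python
from datetime import date

# Assumptions for the demonstration: the date the audit runs, the policy
# threshold for stale patches/signatures, and which roles need admin rights.
REFERENCE_DATE = date(2018, 5, 16)
MAX_AGE_DAYS = 30
ROLES_REQUIRING_ADMIN = {"sysadmin"}

# Constructed inventory standing in for an export from an asset/identity system.
SYSTEMS = [
    {"host": "ehr-db01", "last_patched": "2018-04-02", "av_signatures": "2018-05-15"},
    {"host": "front-desk-03", "last_patched": "2018-05-10", "av_signatures": "2018-03-01"},
]
ACCOUNTS = [
    {"user": "frontdesk1", "role": "office-manager", "admin": True, "phi_access": True, "mfa": False},
    {"user": "it-admin", "role": "sysadmin", "admin": True, "phi_access": False, "mfa": True},
    {"user": "billing1", "role": "billing", "admin": False, "phi_access": True, "mfa": False},
]


def days_since(iso_date, today=REFERENCE_DATE):
    """Whole days between an ISO date string and the audit date."""
    return (today - date.fromisoformat(iso_date)).days


def audit_systems(systems, max_age=MAX_AGE_DAYS, today=REFERENCE_DATE):
    """Step 1: flag hosts whose patches or AV signatures are older than max_age days."""
    findings = []
    for s in systems:
        if days_since(s["last_patched"], today) > max_age:
            findings.append((s["host"], "patches older than %d days" % max_age))
        if days_since(s["av_signatures"], today) > max_age:
            findings.append((s["host"], "anti-virus signatures older than %d days" % max_age))
    return findings


def audit_accounts(accounts, admin_roles=ROLES_REQUIRING_ADMIN):
    """Steps 2 and 3: flag admin rights a role does not need, and any admin
    or patient-data access that is not protected by two-factor authentication."""
    findings = []
    for a in accounts:
        if a["admin"] and a["role"] not in admin_roles:
            findings.append((a["user"], "admin privilege not required by role"))
        if a["admin"] and not a["mfa"]:
            findings.append((a["user"], "admin functions without two-factor authentication"))
        if a["phi_access"] and not a["mfa"]:
            findings.append((a["user"], "patient information access without two-factor authentication"))
    return findings


if __name__ == "__main__":
    for host, issue in audit_systems(SYSTEMS):
        print("SYSTEM  %-14s %s" % (host, issue))
    for user, issue in audit_accounts(ACCOUNTS):
        print("ACCOUNT %-14s %s" % (user, issue))
```

In the constructed data the office-manager account trips both the privilege and the two-factor checks, which is the combination Holtzman singles out: an account that receives phishing email and also holds rights the attacker can use.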