Ransomware Attack Cuts Access to X-Rays at Surgery CenterIncident Illustrates That More Than Data Is at Risk When Malware Strikes
An Arkansas-based surgery center was recently hit by ransomware that not only shut down access to some electronic patient data but also rendered imaging files, including X-rays, inaccessible.
The incident points to the need to carefully assess risks to all the diverse systems in use at healthcare organizations.
The breach at the Arkansas Oral & Facial Surgery Center is listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website as a hacking/IT incident involving a network server and affecting 128,000 individuals.
As of Oct. 6, the incident was the seventh largest breach reported so far this year to HHS' Office for Civil Rights, according the so-called "wall of shame" tally.
In a notice posted on its website Sept. 24, the Arkansas Oral & Facial Surgery Center says it discovered on July 26 that its computer network had been hit by ransomware.
"We promptly began an investigation which revealed that the ransomware had been installed on our systems by an unauthorized individual at some point earlier that morning or the evening before," the notice states.
The center says the apparent motivation behind this incident was "extortion, and not the theft of patient information." The FBI was notified of the incident, the healthcare provider adds.
Except for "a relatively limited set of patients," the center says its patient information database was not affected by the ransomware. Imaging files, such as X-rays, and related documents were targeted.
"While our investigation into the matter continues, it does not appear that patient information was stolen from our system," the breach notice says. "However, the ransomware has rendered the imaging files and documents inaccessible."
Also, based on the organization's investigation, the ransomware apparently rendered all electronic patient data inaccessible pertaining to visits within approximately three weeks prior to the incident, the center's notice says.
"Because we are unable to determine with reasonable certainty whether or not the perpetrators placing the ransomware on our systems accessed patient information, and due to the impact on the availability of images and other files, we are providing you with notification of this incident," the center says in its notice to patients.
The exposed files included attachments and radiographs that might include demographic information such as patient names, addresses, dates of birth, and Social Security numbers and clinical information such as diagnosis, treatment plans or conditions and other information such as health insurance information.
In the wake of the attack, the center says it has implemented "a new record system." In addition, it is making available to affected patients 12 months of free identity repair and credit monitoring.
The surgery center did not immediately respond to an Information Security Media Group request for comment, including inquiries concerning the type of ransomware used in the attack, and other details about the incident, such as whether a ransom was paid or how long systems were inaccessible.
Ransomware attacks have targeted imaging systems at other organizations as well. For example, during the WannaCry ransomware attacks back in May, at least two unidentified U.S. hospitals reported that their imaging systems from Bayer AG had been infected (see HHS Ramps Up Cyber Threat Information Sharing).
And regulators have been warning about cyberthreats facing medical device equipment, including imaging systems.
For instance, the Department of Homeland Security in August issued an alert warning about cyber vulnerabilities in certain Siemens medical imaging products running Windows 7 that could enable hackers to "remotely execute arbitrary code." Medical device expert Billy Rios calls those issues "exactly the types of vulnerabilities targeted by ransomware."
Medical Imaging Concerns
While security experts and regulators have urged medical device makers to address cybersecurity issues throughout the lifecycle of their products, healthcare entities also need to take precautions concerning the risks posed to imaging systems.
"In the past, some providers did not consider images to be protected health information," says Kate Borten, president of the privacy and security consultancy, The Marblehead Group. "Providers have tended to treat images with less security and privacy protection because they may have had few direct identifiers and less obvious identifiers than patient name."
The Arkansas incident "should serve as a reminder to healthcare providers that patient images, in any form, are PHI and must be protected throughout their life cycle, including secure destruction at end of life."
Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy, says: "Every type of healthcare organization needs to establish strong controls to any of their patient data, including imaging systems, image files, etc. That data is very valuable to crooks, and it is a prime target."
All healthcare organizations and their business associates need to have a comprehensive information security management program in place that addresses threats, including ransomware, she says. Essential steps that she recommends include:
- Limit access to all types of patient files to only the minimum necessary and provide access only to those who actually need it to perform their job responsibilities.
- Log access to all such patient files, and then ensure someone has responsibilities for reviewing the access.
- Keep systems patched and updated.
- Use intrusion detection and intrusion prevention software.
- Ensure the organization's employees, as well as the staff of their business associates, have regular training and are sent reminders about preventing ransomware attacks, such as by avoiding falling victim to phishing schemes.
"Ransomware is often delivered through tricks the crooks play on those with access to files and networks, so workers need to be very aware of such types of scams," Herold says.
When it comes to imaging systems and related medical devices, it's also important to implement security patches promptly.
But medical device makers need to be more proactive as well, Herold says. "They must start implementing more security and privacy controls within their systems," she says. "Medical device makers create some of the most vulnerable parts of the healthcare systems because of their lack of security controls being built into them."