Mnet Health News delivers the latest news and information articles for the world of healthcare.

A+ A A-
David Brooks

David Brooks

Ransomware Becomes Healthcare’s Latest Crisis

At this point, more than 200,000 systems have felt the sting of malware known as WannaCry; a ransomware attack that began on Friday May 12th of this year.  This attack has led to doctors being blocked from access to patient files and charts and has even resulted in patients in desperate need of help being sent away from emergency rooms. 

International efforts are now taking place to track down the criminals who are responsible for such an unprecedented global attack.  The United States, Russia and the United Kingdom were among the 150 or more countries that were affected by the virus and investigators are working tirelessly to track down those who are responsible for this latest attack.

In the United Kingdom, authorities are scrambling to upgrade their security software fearing that another attack capitalizing on the same vulnerability could be imminent.  In the meantime, UK’s National Health Service (NHS), the Government of the United Kingdom, and many other governments are faced with answering questions concerning preparedness against further attacks and the viability of systems that are currently set in place.

Meanwhile, cybercrime specialists working for Europol are offering support for countries affected by the virus and have launched their own investigation to try and track down the culprits in this case.  Cyber criminals often believe that they are working completely anonymously, but investigators have assured the public that they have tools to bring these criminals to justice.

 A British cyber-specialist, known as Malware Tech, has been called an “accidental hero” after registering a domain name that stopped the virus from spreading unexpectedly.  The action taken by Malware Tech prevented the spread of the virus to more than 100,000 computers throughout the world. 

In England & Scotland, hospitals were forced to cancel medical procedures after last Friday’s attack brought down dozens of NHS systems.  Medical staff on hand at the time of the attack reported watching as computers went down “one by one,” taking hold of them, locking them down and demanding money to release data.

Recently here in the United States, reports have shown that it can take from several months to several years for a healthcare system to discover and report a breach to the Health and Human Services department.  That same report showed that it took so long to report breaches in patient data because it sometimes took several years to even identify a breach.  Analyzation of the report pointed out that healthcare organizations currently spend only about 10 percent of what other major industries in the U.S. spend on securing their data.  With that in mind, it’s highly likely this story will continue to unfold in the near future.

  

 

Nearly ¾ of Malware Attacks on Healthcare Industry in 2016 Were Ransomware

Healthcare Industry Malware & Ransomware

A recent Verizon Data Breach Investigations Report pointed out that nearly ¾ or 72 percent of the malware attacks on the healthcare industry came in the form of ransomware in 2016.  But the results might not be too difficult to believe since the healthcare industry currently remains one of the largest targets in the U.S.  Because hackers understand that data is such an integral piece of the healthcare experience, ransomware has become one of their biggest threats.

Attacks using ransomware have doubled and are currently the fifth most common malware in use according to the report by Verizon.  The second most targeted enterprise was the financial sector with 24 percent of all issues in 2016.  The Verizon report considered the more than 2,000 attacks in 2016 and found that the healthcare industry was breached 458 times, with 286 of the breaches including improper data disclosure.

The authors of the Verizon report pointed out that “healthcare has the unenviable task of balancing protection of large amounts of personal and medical data with the need for quick access to practitioners.”  

The ransomware virus first reared its ugly head last year in February with an attack on the Hollywood Presbyterian Medical Center.  This attack caused the center to sound an internal emergency and eventually led to the payment of $17,000 to hackers; just so that they could ultimately regain controls of their own systems.

A report from Symantec also had similar findings showing that ransomware numbers had increased by 36 percent during 2016.  According to this report the number had increased from 340,000 in 2015 to 463,000 in 2016.  While detections of ransomware through antivirus software was still a smaller percent of overall attacks; it’s clear that there was a rise in ransomware detections during 2016.  That same report also pointed out that one in 131 emails received contained a link or an attachment that was malicious; which was the highest rate in five years.

The rise in ransomware during 2016 may have been affected by the release of Ransomware-as-a-Service.  Developers with criminal intent created ransomware kits that are customizable and can be tailored to a specific industry.  These “kits” are provided to hackers free-of-charge by the developers in exchange for a percent of the ransom paid.

“Cybercriminals concentrate on four key drivers of human behavior to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty.  As our report shows, it is working with a significant increase in both phishing and pretexting this year” said Bryan Sartin from Verizon.  The fact that bad actors seem to understand human psychology and human behavior appears to imply that the problem won’t be going away soon.

Colorado Senate Pushes for Collection Reform in Light of 'Medical Debt Malpractice'

Colorful Colorado

In Colorado, some patients are finding that a trip to the mailbox means a letter from a collection agency concerning a medical bill they believed was paid in full months earlier.  Apparently, this phenomenon is becoming a more regular occurrence based on a new report from the Colorado Public Interest Research Foundation.  According to this report, Colorado is now ranked seventh nationally for the most complaints per-capita concerning mistakes being made in medical billing; in fact, there are 7.2 complaints per 100,000 residents.

These complaints are being filed with the Consumer Financial Protection Bureau (CFPB).  The report is being made public courtesy of the Colorado Public Interest Research Foundation and comes to light as Colorado lawmakers, including Senator Bob Gardner of Colorado Springs, are entertaining a bill that would give the Colorado populace added protections from predatory practices from debt collectors.  The bill, known as Colorado Fair Debt Collection Practices Act, would create a situation that would force some debt collection agencies to improve their efforts at verifying that they are actually talking to the person who actually owes the debt.

The report makes it clear that almost two-thirds of complaints that have been filed to the CFPB pertaining to medical debt are regarding money that either wasn’t ever owed in the first place or was ultimately discharged over the course of a bankruptcy.  Another thing the report mentions is that Colorado consumers have filed numerous complaints of “inappropriate and aggressive” tactics by collectors.  Some of these complaints include threats of contacting family members or patient workplaces or the threat of arrest.  Other collection agencies have even been reported for posing as police or even lawyers.

The Director of the group who published the report, Danny Katz, has made his support of the Senate Bill clear and further gone on to state that medical debt collection has the capability of leading to “lawsuits, dinged credit, and garnished wages” and that the Bill could “make a difference” for those living in the state of Colorado.”  With Colorado being ranked seventh for the most complaints per capita for erroneous and aggressive medical debt collection tactics; that leaves six other states with an even worse problem.  These states are Nevada, Florida, Delaware, Georgia, New Jersey and Maryland.

While Trump Administration Brings Sweeping Changes; HIPAA Audits Likely to Remain Unchanged

Experts recently predicted that providers aren’t likely to see any noticeable changes to the Health Insurance Portability and Accountability Act audits conducted under the auspices of the new Civil Rights Director of the Health and Human Services Department.

Director of HHS Office of Civil Rights, Roger Severino, is widely expected to continue with the current standard of HIPAA audits according to a recent Bloomberg report.  The same report also pointed out that the number of enforcement actions and settlements in the year 2016 made it a record year.

Bloomberg referenced remarks by W. Reece Hirsch, an attorney with Morgan, Lewis & Bockius, pointing out the uncertainty of how the Trump administration’s desire to roll back regulations would ultimately affect HIPAA audits.

Hirsch said “lessening regulation in the privacy and cybersecurity areas has not been an area that has been addressed thus far in public statements or actions by the new administration.”

Before working with the HHS, Mr. Severino worked as the Director of the DeVos Center for Religion and Civil Society in the Institute for Family, Community and Opportunity at the Heritage Foundation.  He also worked as a trial attorney for the Civil Rights Division of the Department of Justice.  The focus on civil rights mirrors Severino’s predecessor; a similarity that brings some to the conclusion that he will be likely to continue down the same path regarding enforcement.

Kirk Nahra, lead attorney with Wiley Rein, told Bloomberg “There’s no particular reason to think that he will change the enforcement process or approach in any material way, unless there are major budget cuts that lessen the staff.”  

Subscribe to this RSS feed