Business Continuity Management / Disaster Recovery , Electronic Healthcare Records , Fraud Management & Cybercrime
Doctors Regain EHR Access After Ransomware Targets VendorExperts Say Attack on Greenway Health Offers Vendor Management Lessons
A recent ransomware attack on electronic health records and practice management software vendor Greenway Health, which affected several hundred physician group practices using its cloud-based applications, is a reminder to all healthcare providers of the risks that vendors can pose.
Tampa, Florida-based Greenway says in an April 24 statement that a "criminal cyberattack" only affected some customers using its cloud-based EHR/practice management system, who temporarily lost access to patient data. "The incident involves 'ransomware,' in which the attackers freeze access to data and offer to restore it in exchange for a ransom payment," the statement says, although it does not specify if the data was encrypted by the attackers or whether the company paid a ransom. The company has backup data and expects little or no data loss, according to the statement.
Greenway CEO Scott Zimmerman says in the statement: "There is no evidence that any patient data has been exfiltrated or otherwise misused."
A Greenway spokeswoman tells Information Security Media Group that about 400 practices - or about 5 percent of the company's total customer base - were impacted. "The attack was limited to one group of customers - a portion of those on our Intergy hosted platform. Of course, even one customer is too many."
Since the company became aware of the attack, the spokeswoman says, "Greenway Health employees and third-party rapid response teams have been working around the clock to restore access to affected Intergy hosted customers," the Greenway spokeswoman said on May 1. "We have now restored EHR and practice management functionality to all affected practices. We deeply regret any disruption this cyberattack has caused our customers and their patients, and we are grateful for the patience and support they have shown."
The Greenway spokeswoman declined to disclose specifics about the kind of ransomware or attack vectors involved in the incident.
"Given that this is an ongoing investigation, we cannot go into details of the attack other than to confirm that it did involve ransomware, that we have no reason to believe that any data was exfiltrated or stolen, and that having carefully monitored the situation ... there is no evidence that the attack is spreading to additional practices," she said. "Our focus is on getting our customers back up and running, and we continue to cooperate with federal authorities."
Greenway did not respond to ISMG's inquiry about whether the company paid a ransom or how much attackers demanded.
The Greenway ransomware incident "should remind healthcare providers that they are dependent on their HIPAA-defined business associates for good security practices," says privacy and security expert Kate Borten, president of The Marblehead Group consultancy. "The process of choosing a cloud-based EHR, practice management system, or other critical system must not be limited to system functionality, but also include review of the vendor's security posture and practices."
While healthcare provider organizations, including hospitals and doctor practices, have been in the spotlight in the majority of ransomware attacks in the healthcare sector, attacks on vendors potentially cause wider havoc due to the larger population of clients - and their patients' data - potentially impacted, some experts say.
"I have not heard of ransomware hitting cloud-based healthcare software-as-a-service providers nearly as much as healthcare providers," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "This is likely because they generally have greater information security than healthcare providers, and there are a lot less of them."
Keith Fricke, principle consultant at tw-Security, notes that most ransomware attacks in healthcare that make headlines tend to be "about the malware infections at hospitals" and not so much about cloud providers. "This is likely because ransomware encrypts files in the directories it has access to. Cloud-based software programs usually have a web-based user interface and no direct access to the backend file system," he says. "It is possible for ransomware to encrypt files of a cloud-based system if a system administrator has a drive mapping to the backend file system for support purposes."
Mac McMillan, president of security consulting firm CynergisTek, stresses: "Having your EHR hosted or provided as a service does not eliminate your responsibility to have effective recovery and continuity plans."
When healthcare providers consider a cloud vendor's solutions, they need to "drill down into contingency plans, including appropriate and secure backup processes and ransomware defenses," Borten points out.
Healthcare providers also should regularly test their own contingency plans, including testing how they will respond to a significant outage of a critical cloud-based software provider, Greene suggests. "This includes reviewing whether they need to back up the data stored with a vendor and how well they can restore if that vendor experiences a data loss."
Fricke says that "as with any system relied on to deliver patient care services, healthcare practices should have downtime procedures in the event their EHR vendor experiences a ransomware attack. Healthcare practices should also understand what disaster recovery plans their vendor has in place, the last time the plan was tested and what the results were."
Vendors also must take steps to minimize the impact on customers of cyberattacks on the vendors' systems, Borten adds. That includes ensuring "that system backups are kept separately, restore procedures are regularly tested and that the incident response plan is also periodically tested."
The Greenway spokeswoman tells ISMG: "Though we build extensive safeguards into our products and services, no internet-based system is completely immune from attack. We are continuously focused on evaluating additional measures that we may take to further enhance our defenses against cybercrime."