Ransomware Attack Impacts 522,000 Patients in Puerto RicoA Medical Center and a Children's Hospital Among Latest Victims
A Puerto Rico-based medical center and a related women and children's hospital are victims of a recent ransomware attack impacting the data of more than 522,000 individuals. The combined incident is currently the largest health data breach reported to federal regulators this year involving ransomware.
In a joint statement issued July 19, Bayamón Medical Center and Puerto Rico Women and Children's Hospital, both part of the same organization and based in Bayamon, Puerto Rico, say that on May 21 they discovered that patient information was involved in "a blocking incident" that affected the hospitals' computer network.
"From our research, the hospitals and their consultants understand that the information of our patients was simply encrypted - blocked - and there is currently no indication that the information itself has been used by an unauthorized person. We will continue to monitor the situation," the statement says.
The hospitals add they are also "strengthening our security protocols and providing additional training to our employees to reduce the likelihood of a similar event happening in the future."
The hospitals did not indicate whether they paid a ransom or remediated the situation without paying the hackers.
The type of information impacted, "to which the hospitals did not have access for a short period of time," included clinical, demographic and financial information such as patients' full name, and in some cases Social Security numbers, date of birth and diagnosis, the statement says.
"None of your data was lost as a result of the incident, and to date there is no evidence to suggest that your information was extracted from our network or that there has been some attempt to misuse your information."
Bayamón Medical Center and Puerto Rico Women and Children's Hospital did not immediately respond to an Information Security Media Group's request for additional information about the incident.
Among Largest Breaches
The attacks on Bayamón Medical Center and Puerto Rico Women and Children's Hospital were reported separately by each of the two hospitals on July 19 to the U.S. Department of Health and Human Services as hacking/IT incidents involving a network server, according to HHS' HIPAA Breach Reporting Tool website.
Also commonly called the "wall of shame," the website lists reports of major health data breaches impacting 500 or more individuals.
Bayamón Medical Center reported the incident as impacting nearly 422,500 individuals and Puerto Rico Women and Children's Hospital reported the breach as affecting nearly 100,000 individuals.
To date, the incident reported alone by Bayamon Medical Center is the largest breach involving ransomware posted on the federal tally so far this year. The Bayamón incident report is also the fourth largest health data breach of any type posted on the HHS website so far in 2019.
Other major health data breaches reported so far to HHS this year as involving ransomware attacks include an incident impacting 106,000 individuals reported in May by Indiana-based Talley Medical Surgical Eyecare Associates (see 2 Medical Practices Among Latest Ransomware Attack Victims).
But it's not only larger healthcare entities that have reported being victims of ransomware attacks so far in 2019. A number of smaller healthcare providers, including Connecticut-based non-profit Southeastern Council on Alcoholism and Drug Dependence in May have reported to HHS ransomware incidents impacting thousands of patients (see 'Survivor' Lessons from Attack on Dental Practice).
Some security experts predict that ransomware attacks on healthcare sector entities will continue to surge.
"I don't see this abating any time soon," says former healthcare CIO, David Finn, executive vice president at security consultancy, CynergisTek.
"Unfortunately, like so much around security in healthcare, it will likely get worse before it gets better."
Efforts to prevent falling victim to these attacks need to be multifaceted, he says. "There are no silver bullets for security. Everyone keeps looking for one but you can't fix it with technology alone; you can't just expect that training people will solve it. Systems and workflows are complex in healthcare, and so this will have to be addressed holistically and systemically - this is not something we do well in healthcare," he says.
"Ransomware is particularly complex because it frequently leverages 'social engineering' and the trust that is core to healthcare and then is able to use those opportunities to deploy very targeted and effective attacks," Finn says.
Susan Lucci, senior privacy and security consultant at tw-Security, offers a similar perspective. "The most common way ransomware is introduced to a system occurs when an unsuspecting employee clicks on a link or opens an attachment that has been compromised," she notes.
"Although many organizations have taken proactive steps to alert their workforce to this pervasive threat, it still occurs because the attackers make their communications look authentic. The subject line or content makes a compelling argument to believe the email is legitimate. "
One evolving trend involving ransomware is that the attacks continue to grow more sophisticated and can engage defenders in "cat-and-mouse like activities," Finn notes.
"While malware has had the ability to detect sandboxes and virtual machines for some time, we are now seeing attacks that can bypass some firewalls and some anti-virus products," he notes.
"Since ransomware is now offered as-a-service, the operators are not always technical, and more attacks are actually being outsourced in this way," he says. "Often the infection vectors are difficult to identify because the ransomware deletes all evidence of how it was 'dropped,' and some are using anti-forensic recovery techniques which can make recovery from backup more difficult."
Steps to Take
Because preventing and defending against ransomware is becoming more complicated, healthcare sector entities and their vendors need to step up their strategies, Finn says.
"A very common ingress point is spoofed email, so one thing that can solve a lot of problems is multi-factor authentication to email and other systems," he says.
However, "we keep hearing that 'passwords are dead' but if you have systems with them, they should be strong, they should be changed regularly, not stored or transmitted in clear text. Given that medical devices will likely be a significant vector for attack, changing default passwords on devices and any system, frankly, that connects to the hospital network is still critical."
In the meantime, entities need to ensure that their users are trained - and frequently reminded - on ways to spot and avoid falling victim to suspicious email and attachments containing malware, Lucci says. Additionally users also need to be kept in the loop about evolving threats, she says.
"One of the best ways to keep your workforce informed is to make it real. Sharing current examples that have happened in healthcare is far more valuable than just stating the issue along with the consequences. It brings the situation into focus."