Assessing Data Breach Severity: Ransomware Attack at a Hospital

Read the first three articles in this series: Hurricane Data Breach: Assessing Severity in the Eye of the Storm, Assessing Data Breach Severity: Employee Downloading Malware, and Assessing Breach Severity: Third-Party Incident Exposes Credit Card Data

Ransomware attacks have rapidly become associated with healthcare data breaches—and for good reason. According to Solutionary’s Security Engineering Research Team Quarterly Threat Intelligence Report for the second quarter of 2016, 88 percent of all detected ransomware occurred among the firm’s healthcare clients.

Healthcare data breaches are far more dangerous to victims than other breaches. The health risks from medical identity theft can be fatal. But ransomware causes more immediate dangers. It essentially holds computer systems and data hostage until a ransom is paid, which can disrupt patient care.

If your healthcare organization is the victim of a ransomware attack, would you know how to respond?

The Three Degrees of Breach Severity

In the first article in this series, I discussed how assessing the severity of a potential data breach can help you and your data breach partner plan a response that best meets the needs of your organization and affected individuals. Data breach severity can be categorized into one of three categories: low, medium, and high. (Please note that this classification refers to confirmed breaches that require notification under law, and is not an analysis for determining if an incident is a reportable breach.)

The following elements of a breach are the basis of a breach severity assessment:

• The type of data breached
• The cause of the incident
• The nature of the breached population

The Assessment

Using the three criteria, we can assess the severity of a hypothetical ransomware attack. In this scenario, hackers broke in and locked access to a large hospital’s electronic medical record (EMR) system, blocking the exchange of patient information. The hackers used malware to encrypt the data and demanded that the hospital pay a ransom for the decryption key necessary to unlock the data.

• The type of data breached: Medical records contain sensitive medical, personal, and financial information—PII, PHI, PCI—and is subject to breach notification and other regulations. There are severe financial, health, and reputational risks from compromised health data. In addition, patient privacy laws can hinder a patient’s ability to clean up their medical record. Thus, this element would be classified as high.
• The cause of the incident: The ransomware was a malicious attack by criminals demanding payment. Even though the hackers may not have actually viewed or used the data, the attack put patient and employee well-being at risk by preventing access to the EMR system. It also highlighted security weaknesses within the hospital’s network. For these reasons, this element would also be classified as high.
• The nature of the breached population: Affected individuals are patients and employees, which likely include unique populations such as the elderly, children, and non-English speakers. Given their vulnerability as well as the high level of trust between patient and caregiver, this element would be classified as high, as well.

Overall Level of Severity: Three highs classify the overall severity of this breach as high.

Mapping Out a Response

The hospital’s response would include the following:

Notification: Under HIPAA (see the government’s recent guidance on ransomware and breach notification) and other relevant state and federal laws, breach notification would be required. The hospital may also consider email and social media communications in addition to the formal notification letters. All of these communications should include:

• Details of the breach;
• What information was compromised;
• Actions to remediate the breach and prevent future attacks;
• And actions patients and/or employees can take to protect themselves against identity theft.

Call center/website: Affected individuals will want a place to call for questions and/or to enroll in identity protection services. Since medical and financial information was involved and the breach was well-publicized in the media, the hospital can expect higher-than-normal call rates: 6-8 percent.

Identity protection: This should be based on the type of data that was breached as well as whose data was affected. Credit monitoring doesn’t provide adequate protection when healthcare information is compromised. The hospital will want to offer medical identity monitoring and dark Web monitoring to ensure complete protection. Dark Web monitoring scans for the online buying, selling, or trading of financial or medical data. In addition, the hospital may consider offering reimbursement insurance and fully-managed recovery for victims of identity theft. Enrollment rates will likely be higher than normal, and will mirror call center rates.

When the Customer Is First, Everyone Wins

When faced with a ransomware attack or other breach, what is your criteria for response? Do you follow a compliance checklist to ensure your organization is safe from regulatory inquiries, or do you look at it from the perspective of the breach victim? This may seem like an obvious question, but it’s an important one to ask. As Forrester researchers have pointed out, “ultimately, [a company-first approach] will cost your business more in terms of lost customers and thus, lost revenue and growth.” On the other hand, a customer-first approach to response will also ensure your organization’s well-being—no matter how severe your breach.