What Happens After a HIPAA Entity is Breached?

For healthcare organizations and local governments, there’s nothing more disastrous than having your records stolen. Why? Because cybercriminals can wreak havoc with electronic health records and Protected Health Information (PHI) – selling them on the dark web to others who will impersonate your clients to:

  • Get access to medical services
  • Obtain prescription drugs illegally
  • Break into their bank accounts
  • Blackmail them with sensitive personal details
  • Open credit card accounts
  • And much more

So, let’s look at a real-life case of a healthcare organization that is also a local government being breached and what happened afterwards. Keep in mind, the purpose of this real-life case is to highlight the importance of prevention, and when necessary, proper response protocol to ensure the above situation doesn’t happen to you.

It’s March 2017 and an Ohio County Board of Developmental Disabilities contacted us during a ransomware attack…

The County Board, who was not our client at the time, had assumed they were in good standing in terms of their technology and security – all their equipment was under warranty, they had backups, and systems were generally kept up to date. However, their systems weren’t being monitored and maintained on a regular basis to keep them from being vulnerable to an attack. Also, their staff wasn’t being regularly trained on cyberthreats designed to expose vulnerabilities. Then it happened: a ransomware attack, with a demanded ransom of $14,000 to be specific. On the recommendation of their state-wide organization, the Ohio Association of County Boards (OACB), and one of our existing County Board clients, they contacted us right away, along with their cyber insurance company.

How common is a situation like this?

Statistics show that 88% of healthcare organizations have experienced a data breach in the past 2 years. This is an incredibly common situation.

So, what did we do to help them address it?

We dispatched a Senior IT Consultant immediately. Our immediate action was to stop the infection from spreading, assess the extent of the damage, and develop a plan to safely get the organization operational again. Further compounding the issue, it was determined during the assessment that their backups had also been impacted by the ransomware and could not be used for recovery.

It was also determined that their ePHI had been encrypted, and therefore a breach of PHI was automatically presumed to have occurred. This meant the applicable breach notification provisions would need to take place. A forensic image of the server was captured and sent to the cyber insurance company for assessment. Using the server event logs, we determined that an unknown actor had used a vendor account to access the server via Remote Desktop. We were also able to establish the variant of ransomware used in the attack.
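How a log review of this kind can be carried out, as an added example (not GO Concepts’ tooling): the script below screens constructed Windows Security log records for Remote Desktop logons (LogonType 10) and flags those made by vendor accounts, from external addresses, outside business hours, or preceded by failed attempts. The event IDs and logon type are the real Windows values; the account names, addresses and business-hours policy are assumptions.

```python
"""Triage Windows Security events for Remote Desktop logons by vendor accounts.

Added example, not GO Concepts' tooling. 4624 = successful logon,
4625 = failed logon, LogonType 10 = RemoteInteractive (RDP) are the real
Windows values; the sample records, account names and policy are constructed.
"""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range
BUSINESS_HOURS = range(7, 19)         # assumed policy: 07:00-18:59 local

# Constructed sample events shaped like exported Security log records.
EVENTS = [
    {"time": "2017-03-11T02:13:05", "id": 4625, "user": "vendor-svc", "type": 10, "ip": "203.0.113.25"},
    {"time": "2017-03-11T02:13:09", "id": 4625, "user": "vendor-svc", "type": 10, "ip": "203.0.113.25"},
    {"time": "2017-03-11T02:14:40", "id": 4624, "user": "vendor-svc", "type": 10, "ip": "203.0.113.25"},
    {"time": "2017-03-10T09:30:00", "id": 4624, "user": "jsmith", "type": 10, "ip": "10.0.5.12"},
    {"time": "2017-03-10T09:31:00", "id": 4624, "user": "jsmith", "type": 2, "ip": "-"},
    {"time": "2017-03-10T14:00:00", "id": 4624, "user": "vendor-svc", "type": 10, "ip": "10.0.5.40"},
]


def flag_rdp_logons(events, vendor_accounts):
    """Return (user, time, ip, reasons) for successful RDP logons worth review."""
    failures = Counter()   # failed RDP attempts seen so far per (user, source ip)
    flagged = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] != 10:
            continue  # only RemoteInteractive (RDP) sessions are of interest
        key = (ev["user"], ev["ip"])
        if ev["id"] == 4625:
            failures[key] += 1
            continue
        if ev["id"] != 4624:
            continue
        reasons = []
        if ev["user"] in vendor_accounts:
            reasons.append("vendor account")
        if ev["ip"] != "-" and ip_address(ev["ip"]) not in INTERNAL:
            reasons.append("external source")
        if datetime.fromisoformat(ev["time"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if failures[key] >= 2:
            reasons.append(f"{failures[key]} prior failures")
        if reasons:
            flagged.append((ev["user"], ev["time"], ev["ip"], reasons))
    return flagged


if __name__ == "__main__":
    for hit in flag_rdp_logons(EVENTS, {"vendor-svc"}):
        print(hit)
```

Against the sample, the ordinary staff logon passes silently, the vendor account's daytime internal logon is listed for review, and the 02:14 logon is flagged on all four grounds.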

How did we get rid of the ransomware infection?

The County Board was very lucky! First, the Superintendent took the right step in acting very quickly and contacting the right people to help address the unfortunate issue. Next, and this is where the bit of luck comes in, it turned out that an old ransomware variant had been used and a decryption tool was available. This is why working to determine the ransomware variant, when possible, is so important to the process. It meant we were able to begin the decryption process within just eight (8) hours of first being notified of the incident. In the following days we secured the server, recovered the data, and got the County Board fully operational. We then began working with them on long-term planning for how to strengthen their information technology (IT) security posture going forward.

Is it always possible to get rid of a ransomware infection?

We wish we could say it was, but what happened here isn’t always the case. As mentioned, a decryption tool was available. Not all forms of ransomware are this simple to remove. In fact, the FBI recently released a PSA on “high impact, more sophisticated” ransomware being on the rise. Many businesses have been forced to shut their doors because the ransomware infection within their network was too sophisticated to remove and they couldn’t afford to pay the ransom. When it comes to governments, they are either forced to find a solution, limping along as they do, some even ground to a halt, or give in and pay the demanded ransom.

What is the state of IT at this County Board now?

The County Board decided they could no longer go it alone and needed to engage a professional Managed Service Provider (MSP) experienced in HIPAA Compliance to ensure the reliability and security of their information technology. Due to our effective response in their time of need, the recommendation of other entities like them, and the fact that we focus solely on developmental disabilities organizations, we were chosen as their partner with our Managed IT for DD Service. Since being engaged, our team has taken numerous corrective actions for this County Board, including the following:

  • Monitoring and maintaining their information technology on a regular basis
  • Auditing all user accounts and removing unnecessary/outdated accounts
  • Decommissioning the affected server and migrating to a private cloud solution
  • Implementing password policies in Active Directory and line-of-business applications
  • Upgrading to a managed antivirus solution monitored by our team
  • Enforcing the “principle of least privilege,” wherein users can only access what’s necessary
  • Installing various technical safeguards to prevent and detect ransomware infections, including software restriction policies and File Server Resource Manager (FSRM) policies
  • And more

Due to the extent and nature of the incident, the best path forward was to decommission their existing on-premises server environment and move to a clean environment hosted in The GO Concepts Private Cloud, which runs in our on-premises datacenter. This completely new environment removed the risk of any undetected threat lingering from the breach and allowed our best practices to be fully implemented. Ongoing staff training was also implemented as part of a multi-layered, defense-in-depth approach to protecting the network, staff, and vital data.

The results…

Since the breach, the engagement of our Managed IT for DD Service, and the deployment of the new Virtual Datacenter environment, they have undergone HIPAA assessments AND audits by a 3rd-party professional firm, Ohio’s leading company in this area. We are happy to report that both they and we have passed with flying colors every time!

Let us get your County Board or DD-related organization / business prepared to defend against sophisticated cyberthreats. Contact us.