Malware, Killware, and the Heart of HIPAA Compliant Hosting
By Stephen Trout, , HIPAA Blog, HIPAA Hosting, Resources, Security, Uncategorized

The tests came back, and the news is serious.  

It’s true, what they say: you don’t think about your heart too much – humming away inside your chest, nearly 100, 000 beats per day – until there’s a problem. 

Lately, though, you’ve felt like you’re not running on all cylinders; tired all the time, shortness of breath. And that sharp pain radiating down your arm and the squeezing feeling in your chest you woke up with is a bit alarming. 

So now you’re on your way to the emergency room, life flashing before your eyes. Is this the end? you wonder. If only I’d loved people better, spent more time with them… 

Like Scrooge on Christmas eve, you see yourself staring at your own grave. You shoot up prayers and promises for a transformed heart (literally):  

“I will honour Christmas in my heart, and try to keep it all the year. I will live in the Past, the Present, and the Future. The Spirits of all Three shall strive within me. I will not shut out the lessons that they teach.”

You finally make it to the ER (“Whew, I’m still here!”) and watch as the doctor tries to pull up the record of your recent echocardiogram. Oddly, you see her smile turn to a frown. 

“What’s wrong?” you gasp. 

“I can’t access our system!” she exclaims.

You peek over her shoulder and your ailing heart races. No, it’s not the Spirit of Christmas Future, but it might as well be: 

Sound dramatic? Think it couldn’t happen to you, or someone you love? 

Think again. 

In September of 2019, this was reality for Campbell County Health in northeast Wyoming – and we could list numerous other examples. 

For Campbell, emergency services were shut down for 8 hours (imagine if you were in the throes of a heart attack); patients had to be transferred to the next closest hospital – 70 miles away.

A systemwide outage of their computers from the ransomware attack  – impacting the main hospital and 20 clinics – also rendered them unable to admit new patients. Surgeries were postponed, labs closed. Normalcy didn’t resume until 17 days later. 

How serious is this?

According to recent studies, a malware infection (like ransomware) may cause: 

“36 additional deaths per 10,000 heart attacks that occurred annually at the hundreds of hospitals examined. Given that every year about 805,000 Americans have a heart attack, that can mean an additional 2,800 additional deaths nationwide.” 

The same study showed that the time for a patient to receive an electrocardiogram after a data breach is increased by as much as 2.7 minutes. 

What’s the takeaway for any kind of emergency remediation? “Time is of the essence, period.”

Then again, “the best way to respond to a cyber attack is to prevent it in the first place.”

The New Killware

Locking up a hospital system for a ransom proves some threat actors are willing to sacrifice lives (though they may be blind to the extent) to get what they want. Yet the next evolution of cyberattacks – chillingly known as Killware – shows that some will go even further.

We saw it with the Colonial Pipeline attack (via a single, compromised password); we saw it again this past February when malicious actors attempted to increase the level of lye in the water supply of a Florida water treatment facility. Three similar attacks have been noted in 2021 by DHS.

More direct than traditional ransomware, Killware works on fear; it’s a clear demonstration of willingness to harm or even kill people for a payout. Even if the malicious actors don’t intend to follow through with their threat, they show that they can, by weaponizing a system. For healthcare, that includes tampering with medical devices and IoT.

What You Can Do

Whether you’re a large healthcare system or a small practice, there are core security fundamentals you must insist on to protect your patients. Start by leveraging proven, HIPAA compliant hosting services with managed security like: 

  • scanning for vulnerabilities, and mitigating those found
  • patching and updating systems to reduce attack exposure 
  • regularly backing up data 
  • using a compliant email solution to encrypt ePHI
  • implementing two-factor authentication 
  • deploying access management systems, etc. 

“Many of these measures have traditionally been seen as challenging for clinical healthcare environments to adopt, but the reality is that without them, hospitals are effectively sitting ducks for attackers,” notes Jen Ellis, co-chair of the Institute for Security and Technology’s Ransomware Task Force.

“Ransomware attackers have also broadened the ways in which they attempt to infiltrate organizations they intend to ransom, and try to take advantage of weak configurations in remote access components such as Microsoft Remote Desktop Protocol, Citrix and virtual private network gateways,” she notes.

When it comes to mitigation of any issue that could cause delays or downtime – as Campbell and others have experienced – it’s clear that time is of the essence. Every second truly does count.

That’s why HIPAA Vault’s commitment to you, 24/7/365, is first-call resolution. We also maintain less than 15-minute response times to your support requests because high availability of data and system uptime is critical. 

In other words, our trusted cloud experts are in your corner. We’d like you to think of us as an extension of your company. 

The Heart of HIPAA Hosting

HIPAA Vault realizes that what’s at stake in cybersecurity – your patient’s welfare – is the heart of the matter. Protecting them – and your business – is at the heart of what we do, every day.

We’re committed to listening, growing with you, and staying flexible enough to customize solutions that best meet your needs. We have the proven expertise to handle your security on the infrastructure side, while saving you money on IT expenses such as monitoring, capital equipment purchases, and maintenance.

This will go far to protect your vital systems and preserve sensitive data… and maybe even your heart.

HIPAA Vault is a leading provider of HIPAA compliant solutions, including HIPAA WordPress, email, faxing, and drive. We enable healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities, and keep them doing what they do best – saving lives!

Contact us at 760–290–3460 or www.hipaavault.com.