[BreachExchange] Malware Attack 'Damages' Patient Records

Destry Winant destry at riskbasedsecurity.com
Tue Feb 11 10:08:26 EST 2020


https://www.databreachtoday.com/malware-attack-damages-patient-records-a-13690

A Texas orthopedic practice says a recent malware attack "permanently
damaged" thousands of electronic patient records. It's the latest in a
string of healthcare incidents in which various forms of malware
rendered records inaccessible.

In a statement posted on its website, Houston-based Fondren Orthopedic
Group says a malware incident that occurred on Nov. 21, 2019, affected
"certain parts" of the practice's information systems.

The group practice says the malware attack "damaged" some of the
medical records in its systems, affecting current and former patients
of one of its physicians, K. Mathew Warnock, M.D.

Patient data contained in the damaged records includes name, address,
phone number, diagnosis and treatment information, and health
insurance information. "In order to ensure the highest quality of
care, affected patients will need to prepare new patient forms,
including medical history, if they visit Dr. Warnock in the future,"
the statement says.

"While there is no evidence that the privacy of patient medical
records was affected, as a result of this malware incident, some of
the records within Fondren's system were permanently damaged and are
no longer available for use," according to the statement.

The Department of Health and Human Services' HIPAA Breach Reporting
website shows that Fondren Orthopedic Group reported the incident on
Jan. 17 as a hacking/IT incident affecting more than 30,000
individuals.

Commonly called the "wall of shame," the website lists health data
breaches impacting 500 or more individuals.

In its statement, Fondren Orthopedic Group does not specify whether
ransomware was involved in the incident. The group practice did not
immediately respond to Information Security Media Group's request for
additional information, including the malware involved and how it
defined "damage" to data.

Other Cases

Several other healthcare entities have reported malware incidents in
recent months that left records inaccessible. In at least two of those
cases, the healthcare providers chose to permanently shut down their
businesses as a result.

For example, Wood Ranch Medical, a California-based clinic, closed its
business because it couldn't recover patient records after a
ransomware attack.

Also, Brookside ENT and Hearing Services, a two-doctor practice in
Michigan, last year announced it was permanently shutting down in the
aftermath of a ransomware attack. The practice said it lost access to
patient medical records, billing, scheduling and other critical data
after attackers encrypted the data. Rather than pay a ransom to get a
decryption key or attempt to restore the data, the physicians decided
to retire.

Destructive Malware

But it's not just ransomware attacks that can destroy data or render
it inaccessible.

"Computer viruses and other forms of malicious code have been around
long before ransomware," says Tom Walsh, president of consulting firm
tw-Security. "Viruses and/or malicious code can alter programs or get
a program to stop functioning, alter or delete data files, reformat
hard drives and slow down the operation of a computer to the point
where it is no longer usable."

One of the most damaging forms of malicious software is a wiper
attack, "whose sole purpose is to destroy the data on infected system
hard drives, thus 'wiping' it away," notes Rich Curtiss, director of
healthcare and life sciences at security risk consulting firm
Coalfire.

"Wiper attacks, much like ransomware attacks, have multiple variants
and can disguise themselves as a 'ransomware' attack," he says.
"NotPetya is the most notorious of the Wiper malware attacks, which
was disguised as a ransomware attack. This clouded the true intent of
the malware so that incident response was delayed enough to cause
impacts on a massive and international scale."

What to Do

In certain cases, companies that provide data recovery services may be
able to restore deleted data, notes Keith Fricke, principal consultant
at tw-Security.

"These services may be covered by a cyber insurance policy; consulting
the insurance carrier or broker is the best way to know where the
boundaries of coverage lie," he adds.

But what steps can entities take to help ensure their data is not
permanently lost or damaged in a malware attack?

"Backups are a recovery control and the last line of defense," Walsh
says. "Many organizations have backups. What they lack is a
well-defined, written data backup plan or strategy. That strategy
should include a process for preventing malware from corrupting the
backups."

George Jackson Jr., senior principal consultant at security and
privacy consulting firm Clearwater, advises organizations to consider
multiple backups stored in different off-site locations. "It is also
important to have backup systems on an isolated network segment that
monitors for rogue activity designed to compromise data backups," he
adds.

A layered security approach is still an essential strategy, he notes.
"Layered security includes not only perimeter security but also
intrusion detection and intrusion prevention strategies," he says.
"Another key to protecting organizations against these types of
cyberattacks includes ongoing file integrity monitoring to detect and
respond to anomalies in as near to real-time as possible."
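The backup-protection and file integrity monitoring advice above can be illustrated with a small baseline-and-verify routine. This is an added example, not code from the article or from any of the firms quoted; it assumes records are ordinary files under one directory and that a backup copy lives in a second directory, and it uses a constructed sample of three record files.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large records do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root) to its digest; store this off-system."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def verify(root, baseline):
    """Compare the current tree against a stored baseline: altered, deleted, new."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed sample: three records plus a backup copy, then simulated damage."""
    with tempfile.TemporaryDirectory() as records, tempfile.TemporaryDirectory() as backup:
        for i in range(3):
            for d in (records, backup):
                with open(os.path.join(d, f"record_{i}.txt"), "w") as f:
                    f.write(f"constructed patient record {i}\n")
        baseline = build_baseline(records)
        # simulate damage on the live system: one record overwritten, one deleted, one stray file
        with open(os.path.join(records, "record_0.txt"), "wb") as f:
            f.write(b"\x00" * 32)
        os.remove(os.path.join(records, "record_1.txt"))
        with open(os.path.join(records, "stray.tmp"), "w") as f:
            f.write("constructed unexpected file\n")
        # the isolated backup copy should still match the baseline exactly
        return verify(records, baseline), verify(backup, baseline)
```

Run `demo()` to see the live tree flagged on all three counts while the backup verifies clean; in practice the baseline itself must be kept where the same malware cannot rewrite it.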

Disaster Recovery Plans

Organizations need a well-developed and frequently tested business
continuity and disaster recovery strategy based on a formal business
impact analysis, Curtiss says. "The BIA will ensure that back-ups are
aligned with a recovery time objective and a recovery point
objective," he says.

"An RTO [recovery time objective] mission is to categorize applications
and/or data by priority to determine the architecture, priority of
restoral and frequency of back-up. The RPO [recovery point objective]
mission is to determine how much data loss from an outage an
organization can sustain before the business incurs a significant impact.
Both of these measures should drive the back-up architecture, priority
of restoration and frequency of back-ups."

Fricke suggests that system administrators create two accounts in
computer systems - one for everyday use, such as to access email, and
a second with escalated privileges necessary to perform system
administrator duties.

"Malware often exploits the user credentials logged into a workstation
or software application at the time of infection," he says. "Malware
designed to destroy data is more likely to achieve that goal if it
compromises an account with elevated privileges."
