Orthopedic Clinic in Houston Tight-Lipped About Malware Attack Details
A Texas orthopedic practice says a recent malware attack “permanently damaged” thousands of electronic patient records. It’s the latest in a string of healthcare incidents in which various forms of malware rendered records inaccessible.
In a statement posted on its website, Houston-based Fondren Orthopedic Group says a malware incident that occurred on Nov. 21, 2019, affected “certain parts” of the practice’s information systems.
The group practice says the malware attack “damaged” some of the medical records in its systems, affecting current and former patients of one of its physicians, K. Mathew Warnock, M.D.
Patient data contained in the damaged records includes name, address, phone number, diagnosis and treatment information, and health insurance information. “In order to ensure the highest quality of care, affected patients will need to prepare new patient forms, including medical history, if they visit Dr. Warnock in the future,” the statement says.
“While there is no evidence that the privacy of patient medical records was affected, as a result of this malware incident, some of the records within Fondren’s system were permanently damaged and are no longer available for use,” according to the statement.
The Department of Health and Human Services’ HIPAA Breach Reporting website shows that Fondren Orthopedic Group reported the incident on Jan. 17 as a hacking/IT incident affecting more than 30,000 individuals.
Commonly called the “wall of shame,” the website lists health data breaches impacting 500 or more individuals.
In its statement, Fondren Orthopedic Group does not specify whether ransomware was involved in the incident. The group practice did not immediately respond to Information Security Media Group’s request additional information, including the malware involved and how it defined “damage” to data.
Several other healthcare entities have reported malware incidents in recent months that left records inaccessible. In at least two of those cases, the healthcare providers chose to permanently shut down their businesses as a result.
“Viruses and/or malicious code can alter programs or get a program to stop functioning, alter or delete data files, reformat hard drives and slow down the operation of a computer to the point where it is no longer usable.”
—Tom Walsh, tw-Security
For example, Wood Ranch Medical, a California-based clinic, closed its business because it couldn’t recover patients records after a ransomware attack.
Also, Brookside ENT and Hearing Services, a two-doctor practice in Michigan, last year announced it was permanently shutting down in the aftermath of a ransomware attack. The practice said it lost access to patient medical records, billing, scheduling and other critical data after attackers encrypted the data. Rather than pay a ransom to get a decryption key or attempt to restore the data, the physicians decided to retire.
But it’s not just ransomware attacks that can destroy data or render it inaccessible.
“Computer viruses and other forms of malicious code have been around long before ransomware,” says Tom Walsh, president of consulting firm tw-Security. “Viruses and/or malicious code can alter programs or get a program to stop functioning, alter or delete data files, reformat hard drives and slow down the operation of a computer to the point where it is no longer usable.”
One of the most damaging forms of malicious software is a wiper attack, “whose sole purpose is to destroy the data on infected system hard drives, thus ‘wiping’ it away,” notes Rich Curtiss, director of healthcare and life sciences at security risk consulting firm Coalfire.
“Wiper attacks, much like ransomware attacks, have multiple variants and can disguise themselves as a ‘ransomware’ attack,” he says. “NotPetya is the most notorious of the Wiper malware attacks, which was disguised as a ransomware attack. This clouded the true intent of the malware so that incident response was delayed enough to cause impacts on a massive and international scale.”
What to Do
In certain cases, companies that provide data recovery services may be able to restore deleted data, notes Keith Fricke, principal consultant at tw-Security.
“These services may be covered by a cyber insurance policy; consulting the insurance carrier or broker is the best way to know where the boundaries of coverage lie,” he adds.
But what steps can entities take to help ensure their data is not permanently lost or damaged in a malware attack?
“Backups are a recovery control and the last line of defense,” Walsh says. “Many organizations have backups. What they lack is a well-defined, written data backup plan or strategy. That strategy should include a process for preventing malware from corrupting the backups.”
George Jackson Jr., senior principal associate at security and privacy consulting firm Clearwater, advises organizations to consider multiple backups stored in different off-site locations. “It is also important to have backup systems on an isolated network segment that monitors for rogue activity design to compromise data backups,” he adds.
A layered security approach is still an essential strategy, he notes. “Layered security includes not only perimeter security but also intrusion detection and intrusion prevention strategies,” he says. “Another key to protecting organizations against these types of cyberattacks includes ongoing file integrity monitoring to detect and respond to anomalies in as near to real-time as possible.”
Disaster Recovery Plans
Organizations need a well-developed and frequently tested business continuity and disaster recovery strategy based on a formal business impact analysis, Curtiss says. “The BIA will ensure that back-ups are aligned with a recovery time objective and a recovery point objective,” he says.
“A RTO [recovery time objective] mission is to categorize applications and/or data by priority to determine the architecture, priority of restoral and frequency of back-up. The RPO [recovery point objective] mission is to determine how much data loss from an outage can an organization sustain before the business incurs a significant impact. Both of these measures should drive the back-up architecture, priority of restoration and frequency of back-ups.”
Fricke suggests that system administrators create two accounts in computer systems – one for everyday use, such as to access email, and a second with escalated privileges necessary to perform system administrator duties.
“Malware often exploits the user credentials logged into a workstation or software application at the time of infection,” he says. “Malware designed to destroy data is more likely to achieve that goal if it compromises an account with elevated privileges.”