Ransomware attacks on vendor disrupt services
by Kapua Iao
A series of April ransomware attacks on Elekta, a Swedish oncology and radiology systems provider, disrupted services to healthcare providers in the U.S. These organizations are still dealing with residual complications and issues. The Swedish company suffered ransomware attacks on its cloud-based systems.
Ransomware attacks on healthcare companies have risen over the past year, which is why a comprehensive email security plan is essential, especially when patient care and patient health are at risk.
As a third-party vendor, Elekta is a business associate of covered entities worldwide. A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI).
Elekta detected the first ransomware attack on April 6 and took immediate action to cut off the cyberattackers and notify its customers.
At the time, the breach affected two customers: LifeSpan in Rhode Island and Southcoast Health in Massachusetts. Both healthcare providers temporarily took their systems offline and canceled/rescheduled radiation treatment appointments for cancer patients.
Subsequent attacks occurred later in April, and Elekta took its U.S. cloud-based storage system offline on April 20.
Affected healthcare providers total around 170 and include Yale New Haven Health in Connecticut. The latter reports that it had to take its radiation machines offline and find other facilities for its cancer patients.
According to Elekta after the first data breach:
This appears to have been a ransomware attack intended to encrypt the data stored on this system. There is no evidence that any data were extracted or copied, and we do not believe that the hackers have any of the stored data in their possession.
In its latest statement, Elekta emphasized that it was working to investigate and mitigate the issue. There is no information on what (if any) PHI was encrypted.
The healthcare industry and ransomware attacks
Covered entities and their business associates must follow established HIPAA guidelines when using or disclosing PHI.
And it is the covered entity’s responsibility to ensure that its business associates provide the same necessary protection. This means ensuring that each business associate signs and adheres to a business associate agreement to ensure all vendors working with a covered entity follow HIPAA guidelines and provide strong cybersecurity against all attacks.
This is especially pertinent nowadays as ransomware attacks on the healthcare industry grow in number and frequency.
Ransomware is malware (malicious software) used to deny a victim access to a system until a ransom is paid. Such malware is normally delivered through phishing emails that take advantage of tired or unaware staff; the attackers then demand money for the return of the data they have locked up or stolen.
It can also be inserted into a computer system through any entry point or threat vector.
Unfortunately, some attacks have disastrous effects on healthcare organizations beyond data loss and monetary damages. Ransomware attacks may hinder a hospital’s ability to deliver timely medical services. Patient care can be delayed, and such delays can indirectly cost a patient’s life.
In this case, the ransomware attack disrupted cancer treatments for numerous patients. And many of these patients worry about what could happen to them next.
Protect against known vulnerabilities
Investigations into this particular ransomware attack discovered that the threat actors used a known vulnerability within Elekta’s Citrix server to breach its cloud-based systems. A Citrix server lets companies deliver centrally hosted applications to clients.
One of the latest such vulnerabilities, CVE-2019-19781, lets attackers compromise systems through exposed gateways. Patches are available, but attackers keep scanning for victims who have yet to update their systems.
It is unknown if this is the vulnerability used in Elekta’s breach. But what we do know is that the attackers hit Elekta’s Citrix server with a Cobalt Strike package, a penetration testing toolkit, used in several ransomware attacks in 2020.
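Scanning for victims who have not patched leaves traces in gateway access logs. The following detector is an added example, not code from the original post or from Elekta or Citrix: it is modelled on the vendor's published interim mitigation for CVE-2019-19781, which blocked requests containing `/vpns/` together with a `/../` traversal, and it runs over a few constructed log lines. The log format and paths are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page or any real device).
# Assumed format: client_ip method path status
SAMPLE_LOG = """\
203.0.113.10 GET /vpn/index.html 200
203.0.113.10 POST /vpn/../vpns/cfg/example.conf 200
198.51.100.7 GET /vpn/..%2Fvpns/cfg/example.conf 200
192.0.2.55 GET /logon/LogonPoint/index.html 200
192.0.2.55 GET /vpns/portal/index.html 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def is_suspicious(path: str) -> bool:
    """True when the request path matches the traversal pattern the vendor
    mitigation blocked: '/vpns/' reached via '/../'.  Percent-decode twice so
    single- and double-encoded slashes ('%2F', '%252F') are caught as well."""
    decoded = unquote(unquote(path)).lower()
    return "/vpns/" in decoded and "/../" in decoded


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request: who sent it, the raw path,
    and the HTTP status (a 200 on such a request deserves a closer look)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if is_suspicious(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"suspicious request from {hit['ip']}: {hit['path']} -> {hit['status']}")
```

A plain `/vpns/` path without traversal is not flagged here; the vendor rule also required such requests to come from an authenticated VPN session, which an access log alone cannot tell you.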
Elekta is currently migrating its customers to a new Microsoft Azure cloud, but that doesn’t help cancer patients worried about their treatment right now. The attack could have been avoided if precautions and proper cybersecurity measures had been in place.
Strong precautions and cybersecurity for peace of mind
It is important for anyone who handles PHI to ensure complete protection from the beginning, not only for the organization but for all patients and their PHI.
Elekta and its healthcare providers learned this lesson the hard way, and a subsequent governmental investigation may even find that Elekta suffered a HIPAA violation along with a data breach.
Avoid the investigation and any subsequent fines by following a layered approach to cybersecurity that includes:
- Patched and updated systems and devices
- Secure gateways
- Access controls
- Employee awareness training
- Email security (i.e. HIPAA compliant email)
Guarantee that safeguards are in place before a ransomware attack cripples you. Protect yourself and your employees today so that you can continue to provide solid patient care.
And confirm that your business associates are doing the same. A healthcare provider is only as secure as its weakest link. That’s why you must stay on top of cybersecurity at all times.