Baton Rouge General Health System (GHS) recently confirmed a data breach in its computer system. They operate 20 clinics and medical facilities in the Baton Rouge area and are a Mayo Clinic care network member.
Unfortunately, this isn’t the first (and won’t be the last) healthcare organization to become a cyberattack victim.
The U.S. is experiencing a crisis of attacks on healthcare-covered entities and their business associates. IBM’s 2022 Cost of a Data Breach Report says healthcare data breaches spiked by almost $1 million per event to reach a record high of $10.1 million.
Email security must be a top priority to safeguard healthcare organizations, their patients, and their protected health information (PHI), and to comply with HIPAA by employing robust cybersecurity features such as HIPAA compliant email.
Healthcare organizations that don’t try harder will face the same issues that GHS currently battles.
What initially happened?
On June 29, a local Baton Rouge news station issued a statement from GHS about a recent hack.
[GHS] is working through the effects of a cyber attack that began Tuesday. First, and most importantly, the attack has not changed our ability to care for patients. . . . The only thing that’s a little different today . . . is that we’re temporarily charting the old-fashioned way – on paper – until we can safely bring our electronic medical record and other patient systems back online.
Two months later, GHS confirmed the unauthorized access on its website. The system became aware of suspicious activity on June 28 and immediately launched an inquiry.
The investigation revealed that a threat actor unlawfully accessed certain directories within its network between June 24 and 29. Given this, GHS is now undertaking a comprehensive review to determine what PHI and which patients the breach affected. Once complete, it will notify those impacted via mailed notification letters.
There is no information about the breach on the Office for Civil Rights' (OCR) Breach Portal website. The health system did not confirm the type of data breach or the PHI accessed.
Follow-up: a possible ransomware attack at Baton Rouge General
By July 1, before GHS’ notice, word circulated that the health system was hit by ransomware. Ransomware is malicious software that holds data hostage until someone pays a ransom to release it.
A copy of the ransom note pointed to the Hive group, though the group itself did not confirm the attack. Last year, the FBI released a flash alert about Hive ransomware. The malware typically enters a system through phishing emails or by leveraging RDP (remote desktop protocol).
Once in a system, the threat actors exfiltrate and encrypt data, then send a ransom note. Interestingly, GHS data has not shown up on Hive's website, which could mean that GHS:
- Paid the ransom
- Is negotiating the ransom
- Was given more time
GHS did not respond to inquiries but did release its online notice after this information became public. Since then, further reports suggest that Hive did post some of the exfiltrated data on its website. Exfiltrated PHI may include court-related documentation, billing, employee health records, and patient demographic and medical information.
Costs of breach at Baton Rouge General
According to ransomware experts, ransomware recovery is a lengthy, complex process with huge expenses, from lost time to lost opportunities. As we wait for more information from Baton Rouge General, we've already seen some of the costs of its ransomware attack. First, GHS announced that it had moved quickly from its EHR (electronic health records) system to paper charting.
Soon after, there were reports that GHS experienced interruption and downtime. The health system sent some patients to other locations. Furthermore, it seems that some electronic health records were permanently lost. But ransomware costs (and more than likely GHS's) do not end there.
To add to these immediate losses are possible exorbitant monetary expenses:
- Ransom (if paid)
- Recovery and decryption fees
- Cybersecurity additions and alterations
GHS may also have to deal with a HIPAA violation as well as an OCR investigation and fine. Finally, as we've seen a lot of recently, angry patients may file lawsuits over the breach of trust. In fact, patients of Ohio's Memorial Health System recently filed suit after a Hive ransomware attack.
Ransomware and healthcare
This attack is just one of many recent attacks against large hospitals or healthcare networks. According to the U.S. Health & Human Services (HHS), attacks in the first five months of 2022 nearly doubled from the same period last year.
Cybercriminals target the healthcare industry for its rich store of PHI. And given the tired, stressed staff in most healthcare organizations, they know that an email scheme more than likely works.
In April 2022, HHS even released an analyst note about the Hive group. In it, HHS states:
Hive is an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently. HC3 recommends the Healthcare and Public Health (HPH) Sector be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.
Knowing what to protect, how to protect it, and what to protect against is vital.
Keep patient PHI safe
First, the FBI and all governmental institutions strongly discourage organizations from paying a ransom. While we don’t know if GHS paid, we know that paying is not smart business. Doing so may lead the hackers to attack more organizations and incentivize other cybercriminals to engage in these activities. Furthermore, paying a ransom does not always guarantee a full recovery of data.
Rather than deal with the costs of a cyberattack, organizations must ensure strong cybersecurity and HIPAA compliance. This includes various elements but one of the most important is up-to-date employee awareness training.
But training is not enough on its own, as human error is inevitable. Therefore, a cybersecurity program must incorporate layers of protection. Security measures should include:
- Access controls (e.g., multi-factor authentication)
- Offline backups
- DLP (data loss prevention)
- Data encryption
- Endpoint security
- Monitoring and response procedures
And given the continuous use of phishing in ransomware attacks, strong cybersecurity means a solid email security program.
Paubox Email Suite: proactive approach to email security
Every healthcare organization needs to implement HIPAA compliant email security. Built to seamlessly integrate with your current email platform, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outgoing communication.
Messages go straight to patients' inboxes, with no unnecessary passwords or portals to navigate. PHI stays contained, and email, though considered the worst threat vector, remains secure.
Even better are our inbox protections. Our HIPAA compliant, HITRUST CSF certified solution impedes such techniques as spoofing with ExecProtect and keeps malware and phishing emails at bay with Zero Trust Email.
Healthcare organizations must always be vigilant and take the extra time to implement and update their cybersecurity. We still do not know exactly what happened to GHS, but we will more than likely use this data breach as a teachable moment.
Ransomware can be stopped before a situation becomes dire when healthcare organizations utilize smart cybersecurity measures like HIPAA compliant email.