Ransomware attacks are among the most serious and prevalent threats for data. Ransomware is best understood as a type of malicious software that intends to either publish of block access to information until a “ransom” is paid. While ransomware attacks have increased in complexity, and the ability to reverse them along with it, encrypting files and making them inaccessible until the ransom payment provides real problems for organizations that store massive amounts of personal data.
One of the latest attacks was on Rochester-based (Minnesota) Associates in Psychiatry and Psychology (APP) on March 31, 2018. The ransomware attack affected patient information for 6,546 individuals; thus far, it appears that the information was not in a “human-readable” format and that the protected health information wasn’t accessed or copied by the attackers.
Ransomware attacks like this speak to the need for information governance and vital records programs. While there isn’t an exhaustive list of information potentially accessed, it likely included:
- Social Security numbers
- Insurance information
- Treatment records
APP had a prompt response to the attack, taking their systems offline. Doing so in a timely manner likely stopped the spread of the attack and limited possible encryption of personal data and data theft, completing the “ransom” aspect of the ransomware attack.
APP, in a Q&A regarding the incident, reported that it was a “Triple-M” ransomware attack. This variation uses the RSA-2048 encryption protocol, which utilizes long keys in order to encrypt the data. A ransom was paid, as the backups with the restore files couldn’t be accessed based on the attack. The initial ransom demand of 4 Bitcoin ($30,000) was not paid and instead negotiated down to .5 BTC ($3800). With the systems and data now restored, APP has installed additional layers of security as well as new remote-access policies.
Ransomware attacks are not unique, even within the healthcare sector. What is fascinating about this attack is the amount of information shared with affected patients and the openness with which APP talked about the breach. Most breaches go unnoticed in the public eye because very little information is shared with the general public, even those directly affected, especially if the data wasn’t accessed or copied. APP’s transparency provides affected parties the ability to understand how the breach affects them and what they can do to protect themselves.
Other organizations should stand up and take notice: APP’s response should become the standard.