EHR Encryption Attack: Please, NOT the Start of a Trend!

This, reported by Bloomberg a few days ago, should scare you:
Hackers Steal, Encrypt Health Records and Hold Data for Ransom:

As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.

The Surgeons of Lake County, located in the affluent northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored.

But unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.

This is, of course, a Bad Thing. HIPAA requires Covered Entities (and, with the HITECH revisions, will soon most likely require Business Associates and Subcontractors as well) to protect the “confidentiality, integrity and availability” of PHI. An attacker encrypting the records in place is first and foremost an availability loss (the practice can no longer read its own data), and an integrity loss too, since the stored records were altered without authorization. Less obvious, but just as certain, is the confidentiality loss: to encrypt the data the hackers had to read it, and whoever holds the key can decrypt it at will, so they have had full access the entire time. Given that their motivations are obviously for-profit (and possibly malicious too), there is no basis for concluding that they didn’t misuse the information they could access. So it is probably also a reportable security breach – and, in fact, this incident came to light in a breach report filed by the Covered Entity.

Worse than that, this looks like it could be the tip of an iceberg. Six or seven years ago there was an outbreak of extortion against online gambling sites – in that case denial-of-service attacks, with the attackers threatening to keep a site offline unless it paid. It was a lucrative little business for a while, apparently. But the gambling sector figured out how to protect itself, by making its sites hard to knock offline rather than by paying. Maybe the same people – or people who have learned from their experience – have now gone looking for more vulnerable victims?

Maybe the healthcare sector should try to learn a thing or two from the gambling sector . . .

(h/t Jim Pyles, for starting a great discussion about this on the AHLA HITlist.)