HIPAA Data Breach Answers from an Expert

Q&A With Gillware Forensics Investigator Nathan Little

Will Ascenzo is a blogger, copywriter, and technical writer for Gillware Data Recovery and Gillware Digital Forensics.

With how prevalent data breaches are in the news cycle now, data breaches seem to be every big business’ bête noire. Most at risk of data breaches and cyber attacks are organizations in the financial industry and healthcare industry. Due to the sensitivity of the healthcare data and HIPAA regulations regarding the unauthorized access to and disclosure of protected healthcare information, the threat of data breaches presents a particular problem to HIPAA-covered entities and business associates of all shapes and sizes.

Nathan Little, Director of Gillware Digital Forensics’ incident response team, constantly assists clients in the healthcare industry who believe they may have suffered breaches of ePHI. Many HIPAA data breaches are the result of internal accidents, but a growing number of breaches happen due to third-party network hacking and social engineering by cybercriminals, just like the kinds of breaches that have befallen Equifax, Uber, and countless other victims.

Nathan and I sat down and compiled some of the most common and interesting questions he’s received from clients in need of breach investigations who worry PHI on their servers has been put at risk. The three questions selected and Nathan’s answers appear below:

Q: Why is HIPAA protected data so valuable on the dark web?

A: On the dark web, medical records of a person can sell for anywhere from $50 to $100 per individual. This is nearly 100 times what a stolen credit card number commonly sells for. This high price tag on the dark web is the motivation for attackers to attempt to collect ePHI.

But why do the records sell for so much higher on the dark web than credit card numbers? This is because medical records typically contain the name, phone number, address, social security or other identification numbers, insurance policy numbers, etc. of the person in question. This information is considered full information about a person, commonly referred to as “fullz” on the dark web. This information, rather than a credit card number, is difficult to change. Malicious people can buy these identities and use them as their own, open new credit cards, submit fraudulent insurance claims to collect insurance payments, create fraudulent medical appointments to get prescription drugs to later resell and do anything else in the world they can come up with.

Q: What’s the most common type of HIPAA data breach that you currently see?

A: The most common type of data breaches that we see the exploitation of Remote Desktop Protocol (RDP) access. RDP is commonly used to make it easy and convenient for an organization’s employees to work from home and abroad, but insufficiently-protected RDP access can lead to breaches. You can see me walk through a case study involving RDP access with Gillware Digital Forensics’ CEO Scott Holewinski in this video.

Sometimes hackers use spear phishing (Malicious emails specifically targeted at one individual or organization)  campaigns to trick employees into giving up their login credentials, but remote access credentials also abound on the dark web, selling for as little as just a few dollars. An attacker or group of attackers can go to the dark web and purchase credentials to use Windows RDP and access a specific business. On the dark web, the listing usually indicates whether or not the business stores medical records. Businesses that store medical records demand a higher price on the dark web due to the value ePHI can fetch on the black market.

Once credentials are purchased, the attacker gains remote access to the system and will typically steal data by uploading the data to a remote server or other remote destination. After the data is stolen, the attacker will often deploy ransomware or other malware as a way to cover their tracks, mask their initial infiltration, and squeeze every last dollar out of the victim. Often times, the attacker that steals the data is different from the attacker that deploys the ransomware.

Q: Is falling victim to a Ransomware attack considered a HIPAA data breach that requires notification?

A: A ransomware attack is certainly a security incident that needs to be investigated, and you should always assume that a security incident is a breach until proven otherwise for your own safety (and so you can sigh in relief if you’re wrong). But whether or not a ransomware attack automatically qualifies, unequivocally, as a data breach is actually a difficult question with a little bit of a gray area. Fortunately, the answer to this question is “not always,” although some people might tell you otherwise.

The short answer is that a HIPAA protected entity that falls victim to a ransomware attack or another malware attack should call their lawyer and a digital forensics/incident response firm right away to get to the bottom of the incident and see what really happened.

The answer to this question could take up many pages, but here’s a little summary. There two very broad categories of ransomware and other malware incidents, one of which is much more likely to qualify as a breach of ePHI than the other.

An actual human has access to your computer systems

In this situation, an attacker has remote access (or sometimes even physical access) to your systems. They can view files, install malicious software, and steal data as they see fit. The security incident is a HIPAA data breach if the malicious actor viewed ePHI data, if the attacker exfiltrated data by manually uploading the ePHI data, or if there was malware installed that was designed to steal data. Digital Forensics and Incident response firms can make this determination based on the forensics artifacts on the computer. Often times, the set of data included in a breach notification can be limited based on the evidence of the attack. This type of attack is often a data breach, but the majority of times only some of the data in the organization is compromised, and not necessarily the ePHI which would make the incident a breach.

Malware/Ransomware is distributed through a malicious email, malicious downloads, or other automated methods

This is a more automated process where ransomware or other malware is distributed through infected attachments. Sometimes, this malware is of a type that would allow a malicious person to remotely access the system, which puts us back into the “actual human” category above. Other times, this malware is only ransomware or crypto-jacking (malware designed to use your computer resources to mine cryptocurrency) not designed to steal ePHI data, rather than malware that is specifically designed to steal data. In this case, an investigation can be done to make the determination if ePHI was compromised or not. In many cases, this type of attack does not turn out to be a data breach at all and just a security incident that needs reporting.

A survey conducted in 2017 by The Hartford Steam Boiler Inspection and Insurance Company (HSB) found that in the past year, almost one-third of all businesses surveyed had experienced data breaches. No business, inside or outside the medical industry, doesn’t have a target on its back. Even the most prepared of us can fall victim (and probably will, sooner or later), so having an incident response team ready to go when the worst comes to pass and the stuff hits the fan is paramount.