More than 100 nursing homes were left vulnerable, without entry to patient medical records, after their data provider experienced a breach — an example of a threat that could become more widespread in an industry not known for technological advancement.
Virtual Care Provider Inc. (VCPI) last month was hit with a ransomware attack, a kind of breach in which malicious users take complete control of data and demand a significant amount of money to set it free again. In this case, the hackers requested $14 million, according to Krebs on Security, a data industry publication that first reported the breach.
This cyberattack resulted in a complete freeze on day-to-day functions, including electronic billing, medication ordering, payroll, internet, e-mail, phones, and more, chief executive officer Karen Christianson told Krebs on Security.
VCPI maintains almost 80,000 computers and servers for nursing homes across 45 states, according to the publication.
“VCPI was recently targeted by a highly sophisticated ransomware incident that has impacted a subset of our servers,” president Zachary Koch told SNN in an e-mail. “Upon learning of this incident, we immediately launched an internal investigation and retained independent cyber security experts to assist us in our investigation and remediation efforts. We take seriously our responsibility to protect the security and privacy of our customers’ data and are working diligently to restore these systems as quickly and safely as possible.”
The investigation remains ongoing, Koch said.
On the heels of this ransomware attack, Clyde Hewitt, an executive advisor at CynergisTek, a Texas-based health care cybersecurity company, offered several takeaways to help nursing homes protect and prepare for a breach on such a large scale — and what to do in the aftermath.
When a data firm such as VCPI has operations across the country, a data breach can bring a wide array of regulatory headaches on top of the initial security and operational concerns.
“If you look at their client base in 45 states, and if the ransomware touched all of the patient data, they’ve got 45 state attorneys general to deal with us, plus the Office for Civil Rights,” Hewitt said.
Hewitt has been a cybersecurity expert for more than 30 years, and works with clients who have been impacted by ransomware at all stages of a breach. Some companies also hire CynergisTek to proactively protect against potentially debilitating attacks.
Suggesting that these attacks continue to grow in sophistication, Hewitt laid out how ransomware events challenge patient safety, as well as affecting financial performance and facility operations.
Hospitals generally have been affected more than nursing homes — although any breach could set a facility back for months at a time with heavy financial burdens. For instance, Hewitt described a ransomware attack on a single organization within a multi-hospital system: After an initial two-week period without data, it took an additional three weeks to bring the entire system back online. In another case, a separate organization was hacked but back up in 18 hours — showing the broad continuum of time that it can take for a facility to get back on its feet.
“But you know, that’s only two data points out of literally hundreds and hundreds and hundreds of people that have been hacked by ransomware,” Hewitt said.
Between January 1 and September 30 of 2019, 491 health care organizations were affected by ransomware, according to Hewitt. In addition to traditional attacks on individual providers, hackers are increasingly targeting tech vendors and virtual care providers, as these firms control large amounts of data across multiple sites of care.
Based on typical cash flow in hospitals and other health care properties, interruptions to billing processes caused by ransomware attacks can halt incoming revenue for up to two months. Downtime forms must be transcribed into the electronic health record before claims can be submitted, which is part of the delay in reimbursements.
“A 500-bed hospital can expect a $50 million cash flow shortfall before they start to crawl back out of their cash flow deficit, which works out to be about $100,000 per bed,” Hewitt said.
Picking up the pieces
If the facility’s system is accessed by an unauthorized person or computer process, and any patient data was compromised, it becomes a reportable event federal regulations. Without unreasonable delay, or no later than 60 days from the point of discovery, the organization must notify all patients, Hewitt said.
The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) must also be notified, and each state has its own breach reporting requirements — with most states having a reporting periods less than 60 days, Hewitt said.
In addition, the OCR notes that if patient data was accessed, it doesn’t necessarily have to be exfiltrated — or taken somewhere else — for it to be considered a breach.
The crime scene
Much like with a physical crime scene, it’s important for operators that have experienced a breach to preserve as much evidence as possible.
“If you get ransomware, hacked, or affected by malware, the tendency is to want to jump in and immediately fix it,” Hewitt said. “But by comparison, you have to think about the management and executives coming in, as if they’re coming into a crime scene — and it still has the criminal on site. So they can’t just go wiping away evidence and taking care of things and trying to fix and bring everything back up.”
Instead, experts need to determine whose data was accessed, as well as whether or not it was copied and taken elsewhere.
Then the level of vulnerability needs to be determined — particularly around the “windows and doors” that the criminals used to enter the system. These soft points need to be secured to keep other organization, or the same organization, from coming back in.
“That literally can take months and months or even years to fix,” Hewitt said.
Back to paper
Operating in a safe manner immediately post-beach is only partly technical — with the other task demanding strong executive leadership.
“When ransomware first hits, you have to assume that all computers and networks are down, which means you’re down to operating with paper, You’re back to your forms, pre-HIPAA, pre-computer days,” Hewitt said.
Under the concept of “cyber resilience,” an organization plans to operate without computers, and even though the focus in nursing homes is on patient care, it’s a lot harder to recover than an operator might imagine.
“What about the phone system? A lot of organizations have Internet Protocol phones rather than another telephone system with direct dial lines in and out. If the network goes down, the phone system goes down,” Hewitt said. “So now you’re down to cell phones. And organizations need to think, okay: Do I have all of my key staff’s personal cell phone, or corporate-issued cell phone number in my phone? Because I can’t get to it.”
The ability to conduct timekeeping, payroll, and supply-chain management functions throughout a breach situation is vital; if operators can’t determine the types of medications that residents need without the help of computers, it could cause life-threatening problems, he observed.
A cyber resilience plan is more of a business continuity plan, which is not a technology problem to solve, Hewitt warned. Organizations that depend on their own IT shop may be at risk depending on the expertise of their CIO or IT manager — if they have one at all.
Additional questions should include: What does the person on the help desk or designated IT person know about paper forms for a nurse or a physician’s patient treatment record.
“It’s not their job to know, and this information has to go back to the clinicians and the supply chain managers and the kitchen staff. They have to be able to operate using a paper environment,” Hewitt said.
Reimbursement loss, delays, unforeseen Costs
Even if a hypothetical facility is able to resume normal operations after two weeks, the staff had been working overtime and experiencing burnout, Hewitt noted.
“You don’t want them to immediately start working additional overtime to transcribe mountains of paper back into the system, so the team would start tackling it a little at a time,” he said.
When clinicians, nurses, and doctors log information in the electronic health record, it captures all of the procedures completely without much heavy lifting.
“But when it goes into paper forms, people start shortcutting, and they’re not documenting every little thing that they do because they are literally working overtime to try to get that done just to get it on paper. So when they transcribe it back into the electronic health record at some point weeks later, you’re going to have lost charge capture,” Hewitt said.
If staffers don’t write it on paper, it can’t be reimbursed, and if the systems were down for two weeks, the loss could be from 6% to 10% of proper payments.
Litigation may also ensue due to compromised records, Hewitt cautioned, especially if a patient passes away at some point during a ransomware event.
“I suspect that there are some attorneys somewhere that would like to pursue that angle and say, ‘My client did not receive proper care because your computer systems were down and had a medical reaction or a medication issue or a sentinel event that you were unaware of, or you didn’t document correctly,’” Hewitt said.
Health care needs to catch up
Health care has lagged behind in attention to cybersecurity when compared with other industries such as banking and manufacturing, Hewitt said. Long-term and post-acute health care in particular has a reputation for low technology adoption: a recent survey from Black Market Research, for instance, suggested that nearly half of post-acute staffers have minimal knowledge of IT.
Doug Brown, managing partner of Black Book Research, called for an “expansion of technology capabilities” for multiple kinds of providers across the continuum.
Smaller nursing homes may want to look at consolidating or teaming with other similar organizations for their IT needs — or find a mid-sized or a larger IT shop to maintain their records in the cloud. It’s important to only outsource technological needs responsibly, and ensure that the partner has a cyber resilience plan and the ability to operate without technology, Hewitt suggested.
Buying medical equipment, for example, has recently come up as a high-risk event for health organizations, because many medical device manufacturers are subject to Food and Drug Administration rules and not HIPAA requirements — meaning if something happens with a vendor, the results could be very problematic for operators, he added.
Even the equipment itself could place operators at risk. A perfectly functional machine may work fine in the real world, but have outdated software that’s vulnerable to attack.
Hewitt also singled out smaller facilities, as well as government municipalities, as more vulnerable lately.
“Smaller organizations continue to struggle, and health care continues to struggle. But there’s a lot more that they can do,” he said. “It would be nice if the boards of directors and the C-suites and the executives step up a little more and start asking harder questions of their teams, because there’s an awful lot of overconfidence in the industry right now.”