It has been a month since Valley View Hospital in Glenwood Springs revealed it had been the target of hackers. Data from some 5,400 patient records were breached. How the computer system came to be the target of hackers remains unclear.
Hospital officials have said little beyond their prepared news releases. The Department of Health and Human Services will not officially comment. Current and former employees and contractors for the hospital have likewise told us little. Still, from information that has been released, the breach at VVH appears to be much like one four years ago at the Health Sciences Center at the University of New Mexico. APR's Roger Adams reports.
“Once it was designated that it had occurred then we began the process of formal notification, tracking down exactly what happened within the system and putting in additional safeguards.”
Bill Sparks is chief spokesman for the U of NM Health Sciences Center.
“And then how you conduct that investigation, the measures you take to at least prevent that under current technological limitations is all documented and registered with the Office of Civil Rights in Washington, DC.”
A 1996 federal law overseen by Health and Human Services protects all medical data. The Office of Civil Rights, OCR, is the investigative arm of HHS. In the New Mexico case nearly two thousand patient records were breached by malware that was placed on two workstation hard drives. In Glenwood Springs the malware was able to access multiple workstations because Valley View Hospital uses a centralized workstation system. In New Mexico, data compromised included patient names, medical records numbers, and health insurance information.
“We have a crisis management team so we met the day that it occurred and within 72 hours we had corresponded with all the impacted people in a formal kind of way and put into motion the kind of steps that I just mentioned.”
Those steps, says Sparks, included updated security on its computer system. Malware attacks on hospitals are increasing and occur almost weekly. A printout of medical data breaches from HHS runs into the hundreds of breaches in just the past five years. In 96 percent of cases the data were breached electronically. Under law, HHS can issue fines for breaches of data affecting five hundred or more individuals. In New Mexico, university spokesman Billy Sparks says the facility took all the required measures before and after the breach. The hospital was in effect a victim. No fines were imposed.
“In our case, no. Again, because who would you fine? I mean it would be like saying someone broke into your house and you want to fine the homeowner.”
The victim analogy, however, doesn’t always work when hospitals are hacked and patient data are compromised.
“It’s an apples to oranges comparison and that’s not quite the same situation as the homeowner just at random being fined for being a victim of having their home broken into.”
Abner Weintraub is a consultant to medical providers on HIPAA, the 1996 law covering confidentiality of medical records. He is the principal and owner of Expert HIPAA Partners and former president of the HIPAA Group. While it would appear on the surface that hospitals that get hacked are victims of the hackers, Weintraub says there is an important distinction.
“If the homeowner was somehow responsible for protecting medical records, gold bars or other valuables in their home and had accepted their responsibility under the law and were regulated accordingly, and then the problem occurred and their home was broken into, in that case it would be appropriate to fine the homeowner for their home being broken into.”
In fact, the scale of fines goes as high as one and a half million dollars. And, critically, as Valley View Hospital faces an OCR investigation, fines can be levied on a culpability scale that runs from “willful neglect” all the way to “did not know.” Among the issues under investigation will be the security of Valley View’s IT system. The hospital’s IT department was experiencing staff turnover late last summer.
Officials have not revealed details about what kind of anti-malware software the hospital had on the system by last September when the virus appeared, or indeed whether any anti-virus software was installed at the time.
“Well it’s a great question and it is certainly one of the things among many that the OCR in investigating this case will look at. Certainly the OCR will dig deeply into that.”
A technology writer with Techworld.com who is watching the Valley View Hospital case speculates that the malware used by the hackers was like one called Carberb. It is what’s known as a Trojan horse malware that first appeared in 2012.
“These types of malware are what is known as advanced persistent threats.”
Persistent because they sit on a computer system collecting data and then encrypting it in a folder after the hackers have downloaded it. There are many known variants of Carberb now in use by hackers. Another issue the OCR will likely be looking at is why it took Valley View Hospital five months to discover the malware. This is an eternity in the IT world.
JD Sherry is Vice President of Technology for the anti-virus software company Trend Micro, a leading company that provides IT security to corporations and medical providers.
“Yeah, you would think that what I would call up to date anti-virus certainly would be all over these known variants out there but, often we see organizations and individuals in some cases up to thirty three percent that aren’t protected by the basic anti-virus packages.”
And in that third of hacking cases, says Sherry, the average length of time it took to discover malware was 210 days. In the University of New Mexico hacking case the Office of Civil Rights never came on premises to investigate. The hospital took corrective actions and the case was closed. Medical records security consultant Abner Weintraub says that at the end of an OCR investigation, in addition to any fines if they are imposed, there is normally a Corrective Action Plan developed for the medical facility.
“And it’s a legally enforceable contract essentially that’s enforceable under contract law in court where the entity promises to do certain things. What’s interesting about this is that all of the issues in the corrective action plans and resolution agreements are things that the entity was required to do under HIPAA to begin with.”
Valley View Hospital, like its counterpart in New Mexico, says it has contacted all of the affected patients and offered identity theft insurance for their protection. Valley View says it also has removed the virus and shored up its IT security. OCR will not confirm nor deny that an investigation is underway.