Texas Ransomware Attack Highlights Need For Legacy Data Protection

A ransomware attack on a Texas urology practice that could potentially affect nearly 280,000 patients ranks as one of the largest health data breaches of 2017.

On January 22nd Urology Austin, suffered a ransomware attack that encrypted data stored on its servers. Among the information impacted by the ransomware were names, addresses, birthdates, SSN’s, and medical information.

Their mitigation effort included restoring data from backups and wiping the servers clean. Executing this plan allowed Urology Austin to not pay the ransom.

Although the attack did not have an impact on the practice’s electronic health records, other applications, including legacy data, were potentially affected.

Why was the breach so large?

Because the Urology Austin ransomware incident potentially affected legacy applications, the pool of potential victims was much larger and some of those receiving notifications may not have been active Urology Austin patients for many years.

Protecting Patient Data

Healthcare entities holding on to data many years after caring for individuals who are no longer patients is a common occurrence.

A big issue in healthcare is that many entities do not destroy anything related to patients. That leads to a highly probable, and increasingly vulnerable, situation where there is information in systems and databases for patients that have not received care in quite some time. Using technologies like data loss prevention solutions that search for and find old patient information that can be removed from active or production systems and archived properly is an important protection for healthcare providers.

All PHI, including older legacy data of former patients, must be properly safeguarded. Every provider needs to have a data retention policy and supporting procedures in place, include how to irreversibly destroy/delete data when it is no longer needed to support legal requirements and patient care needs.

If you don’t need data, eliminate the data and lower your risks by having less data to protect.

Lessons

It’s encouraging that Urology Austin didn’t pay the ransom and executed an up-to-date backup plan that allowed them to resume patient care quickly. It’s important to remember that in order to prevent back-up data from being impacted by ransomware and other attacks, back-up data needs to be stored offline.

Many organizations don’t take this critical step, and as a result the backups are attached to their network and the ransomware then encrypts the backups as well.

If you have questions about storing legacy patient data, IT security, response plans, or ransomware preparedness call ITPAC today.