Published May 25, 2017

Healthcare Data Security: Traditional Protection Could Make You WannaCry

In light of evolving threats – like the recent WannaCry ransomware outbreak – the data security industry is seeing a shift in approach from traditional signature-based tools to more behavioral analytics. This is a particularly important trend for the healthcare industry to follow given the targeted attacks many systems across the country, and throughout the world, have experienced in recent years.

Security Threats That Make You WannaCry

On Friday, March 12, the world experienced a well-coordinated ransomware attack, known as WannaCry, that infected systems on a larger scale than has ever been seen before. Ransomware, and more specifically crypto ransomware, is a virus designed to search for a certain predefined set of file extensions that are typically used with protected data on a network. It encrypts, or locks, that data, requiring the owner to pay a ransom for a decryption key. This seems to be the preferred tool for attacking healthcare institutions; with lives on the line, organizations are forced to pay the ransom quickly to gain access to patient information critical to providing proper care.

More than 150 countries and 200,000 systems were infected by the WannaCry attack across businesses, universities, and yes, health systems. The U.K.’s National Health Service (NHS) was the first identified victim, and was the day’s most severe hack. A total of 48 NHS organizations were hit, rendering patient records unavailable and forcing it to suspend operations.

Outsmarting Tradition

As viruses become “smarter” – capable of seeking out the most sensitive information on a network to encrypt – our data security efforts must exceed their pace.

Traditional antivirus protection is signature-based. Like a vaccine, it uses the signatures of previously identified viruses to detect new incoming threats. The software is updated for each new virus or malware signature detected, but it cannot keep pace with rapidly mutating ransomware strains. Ransomware signatures multiply quickly as hackers put their own spin on existing strains, and by the time your traditional antivirus protection is updated for the most recent one, a new mutation could already be hitting your inbox.

Next Gen Antivirus

The future of data security is in behavioral analytics-based protection. Just as viruses are learning to identify sensitive information, behavioral-based tools are learning how to identify ever-mutating virus signatures. These tools are more like a broad-spectrum antibiotic; they look for the behavioral cues of a virus rather than a specific signature. Many even have the ability to sever a connection before any damage can be done. Essentially, rather than searching for the signature of a virus that encrypted something yesterday or last week, these tools search for a signature that looks like it might be able to encrypt something.
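The contrast between signature matching and behavior-based detection described above, as an added Python example (not from the original article and not a representation of any vendor's product). The extension watch list, the entropy and rate thresholds, and all sample events are assumptions constructed for illustration.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict

# Constructed stand-ins, not real indicators: one "known" sample hash and an
# assumed watch list of file extensions.
KNOWN_BAD = {hashlib.sha256(b"constructed-sample-v1").hexdigest()}
TARGET_EXTS = {".docx", ".xlsx", ".pdf", ".txt"}

def signature_match(payload: bytes) -> bool:
    """Signature check: exact hash lookup against previously seen samples."""
    return hashlib.sha256(payload).hexdigest() in KNOWN_BAD

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output approaches 8."""
    n = len(data)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def behavioral_alerts(events, window=10.0, threshold=3, min_entropy=7.0):
    """Flag a process that writes high-entropy content to `threshold` or more
    watched files within `window` seconds, whatever its hash is."""
    recent = defaultdict(list)  # pid -> timestamps of suspicious writes
    flagged = []
    for ts, pid, path, data in events:
        ext = os.path.splitext(path)[1].lower()
        if ext not in TARGET_EXTS or entropy(data) < min_entropy:
            continue
        recent[pid] = [t for t in recent[pid] if ts - t <= window] + [ts]
        if len(recent[pid]) >= threshold and pid not in flagged:
            flagged.append(pid)
    return flagged

CIPHERLIKE = bytes(range(256)) * 4        # uniform bytes, entropy 8.0
PLAINTEXT = b"patient visit notes " * 50  # ordinary text, low entropy
EVENTS = [  # (timestamp_s, pid, path, bytes_written), all constructed
    (0.0, 410, "C:/records/notes.txt", PLAINTEXT),
    (1.0, 977, "C:/records/a.docx", CIPHERLIKE),
    (1.5, 977, "C:/records/b.xlsx", CIPHERLIKE),
    (2.0, 977, "C:/records/c.pdf", CIPHERLIKE),
    (40.0, 410, "C:/records/log.txt", PLAINTEXT),
]

if __name__ == "__main__":
    print("variant caught by signature:", signature_match(b"constructed-sample-v2"))
    print("pids flagged by behavior:", behavioral_alerts(EVENTS))
```

Compressed formats such as .docx and .pdf are already high-entropy when saved normally, so a single write proves nothing; the rate threshold carries the decision here, and a real tool would combine it with further signals.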

These tools not only address unpredictable new threats, but also solve the limited resource problem faced by many organizations. Most of the ARM industry, and certainly most of the healthcare industry, does not have the manpower to dedicate a team to keep up with the new threats that are created every day. Using this next gen antivirus protection, organizations have the ability to leverage the security experts who designed and maintain the software for them.

Placing your trust, and your data, in the hands of security experts can help your organization avoid attack, even on the scale of WannaCry. For example, by leveraging the experts at Sophos CryptoGuard, we protected our healthcare clients across the country from an attack that could have suspended operations, and cost thousands of dollars to resolve.

Defense In-Depth

Behavioral analytics protection is one of what should be multiple layers of defense surrounding your patients’ PHI and financial information. More healthcare organizations should be shifting to a defense-in-depth strategy, one in which layers and layers of security systems are put in place so that you are able to protect not only against incoming threats, but also against those that may already be in your system. SIEM, or Security Information and Event Management, tools funnel all security information and events into one place, providing alerts and fast response to any potential threats. RMP’s InsightIDR tool monitors our 20 million daily events, can warn our data security team of any suspicious activity, and monitors everyone already within the system to ensure all activity is sanctioned.

Play Offense, Not Defense

Protecting your system from known risks is a good way to get hacked. What we thought was ransomware yesterday is different today; we understand that more than ever after the WannaCry attack. Big organizations and healthcare systems are particularly vulnerable because of outdated technology. Protect your patients by playing offense and going above and beyond traditional protections, because you never know what new cyber-threats tomorrow brings.


Written by Greg Haar, Data Security Officer, Chris Shelly, Cyber Security Specialist, and Ali Bechtel, Digital Marketing Manager for RMP

This information is not intended to be legal advice and may not be used as legal advice.  Legal advice must be tailored to the specific circumstances of each case.  Every effort has been made to assure this information is up-to-date as of the date of publication. It is not intended to be a full and exhaustive explanation of the law in any area, nor should it be used to replace the advice of your own legal counsel. 

Published April 6, 2017

Obamacare, here to stay?

After more than a year of planning and months of crafting, the initial draft of the long-awaited American Health Care Act was released on March 6th. The bill was meant to deliver on President Trump’s campaign promise to make replacing the Affordable Care Act, unofficially known as Obamacare, a top priority.

House Republicans announced their intention to start work on a replacement plan last January. A month later a Task Force on Health Care Reform was created with the mission “to modernize American health care with patient-centered solutions that improve access, choice, and quality, lower costs, promote innovation, and strengthen the safety net for the most vulnerable.” On January 13, 2017, one week before President Trump’s inauguration, the House passed an Obamacare Repeal Resolution, giving Congress the legislative tools needed to repeal and replace the Affordable Care Act.

A draft of the plan was released in mid-February, but underwent several changes before its official introduction on March 6th.  The legislation then passed through a four-committee process of review with various House committees before being presented to the full House for final vote. But on Friday, March 24, the bill was pulled from consideration in the face of concerns among many conservatives and a complete lack of support from the Democratic Party.

What Happened?

Throughout the course of its review, the American Health Care Act was exposed to extreme criticism from both Democrats and conservative Republicans.

House Speaker Paul Ryan (R-Wisconsin) was the preeminent spokesperson for the legislation, saying, “The American Health Care Act is a plan to drive down costs, encourage competition, and give every American access to quality, affordable health insurance.”

But many did not agree. House Democratic Leader Nancy Pelosi said, “What they are doing is very destructive…It represents the biggest shift of money to the wealthiest people in our country, the top 1 percent, at the cost of working families.” Several hospital associations spoke out against the act as well. The American Medical Association urged senior lawmakers to reconsider drastic changes to the Medicaid expansion reform, and many others – including the American Hospital Association, America’s Essential Hospitals, and Catholic Health Association of the United States – expressed concerns about instabilities for people seeking affordable medical coverage.

Ultimately, it was conservatives within the Republican Party who pulled the plug. Many were concerned that the bill was too costly and did not do enough to roll back federal health insurance mandates.

What Were the Proposed Changes?

While the goal of many conservative Republicans has been to “repeal and replace” the Affordable Care Act altogether, under the American Health Care Act many of the previous law’s more popular components – including assuring that those patients with pre-existing conditions could keep their coverage and that people under the age of 26 could remain on their parents’ insurance plans – would have remained intact. Top officials also worked to assure the public that the act would offer a stable transition for those enrolled in insurance on state-run Obamacare exchanges.

An overview of the act’s major changes included the following:

Coverage Requirements: The proposed plan would have eliminated the individual and employer mandate requiring all Americans to have coverage or face fines and penalties. This requirement was a key component of the Affordable Care Act and is credited with greatly expanding the number of people with insurance.

Tax Credits vs. Subsidies: Under the Affordable Care Act many people were given subsidies to buy health insurance based on income. The American Health Care Act would instead have provided tax credits that could be obtained in advance for people to buy insurance based on age. The credits would start at $2,000 per year for individuals under age 30, and would rise to $4,000 per year at age 60. These credits would start to be reduced for people making more than $75,000 per year individually or $150,000 jointly, to ensure high-income patients’ insurance wasn’t being federally subsidized.

Health Savings Accounts: The act expanded the incentive to participate in health savings accounts by doubling the allowed contribution each year to more than $6,000 per person or $13,000 per family.

Medicaid: When the Affordable Care Act was passed it required states to provide Medicaid coverage for all adults ages 18 to 65 with incomes up to 138% of the federal poverty level, regardless of their age, family status, or health. Under the new plan this Medicaid expansion would be frozen as of 2020 and new people would be barred from enrolling under the income-based system. Instead, states would be allotted a set amount of federal funds for the program each year, and would implement eligibility based on population, essentially capping the number of people who could enroll.

Taxes: Several taxes contained in the Affordable Care Act would also be released by the end of 2017, including taxes on health insurers and on pharmaceutical and medical device manufacturers, and taxes on high-cost, employer-sponsored group health plans (aka Cadillac Plans) would be delayed until 2025.

What’s Next?

“We’re going to be living with Obamacare for the foreseeable future,” Ryan conceded following the March 24 decision. Leading up to the final vote to pull the legislation from the House, President Trump issued an ultimatum to those in his party who opposed the bill. During negotiations he declared that he would agree to no additional changes, and Republicans must either support the bill or resign themselves to leaving the existing Affordable Care Act in place.

Following the decision to pull the legislation from a vote, President Trump explained that the vote was going to be very close, but failed due to lack of Democrat support. On the future of health care legislation he said this: “I think what will happen is that Obamacare will explode, it’s going to have a very bad year,” and he believes it will “cease to exist” in the near future. He has abandoned his ultimatum and instead had this to say: “I’ll tell you what’s going to come out of it is a better bill.”


Written by Ali Bechtel, Digital Marketing Manager
