Last week, two Wisconsin companies that provide an online service to dental offices, Digital Dental Record and PerCSoft, notified their 400 dental office customers of a ransomware attack that had scrambled (encrypted) the files on the dental offices' computer networks.
PerCSoft had remote access to the dental office networks, and to all of their critical files, for the purposes of performing daily backups. An unknown criminal hacked PerCSoft, and used PerCSoft’s remote access connection to deliver ransomware to the dental office computer networks.
As of September 3, in a letter to their customers, Digital Dental Record reports that their subcontractor PerCSoft had succeeded in decrypting (unscrambling) the files for 80% of the 400 dental offices. Multiple sources have stated that Digital Dental Record's subcontractor (which provided the DDS Safe online backup service) paid the ransom.
It is ironic that the dental practices lost their data from ransomware delivered by the very vendor they hired to protect their data.
This incident was particularly damaging because criminal hackers were able to compromise one information technology Managed Services Provider (MSP) and exploit its remote connections to infect 400 dental practices. MSPs use "remote management and monitoring" (RMM) software to automate their services. After gaining access to PerCSoft's system, the hacker used PerCSoft's RMM software to deliver the ransomware to the dental offices.
This is one of multiple cases this year of hackers using Managed Services Provider companies to deliver ransomware to those companies' trusting customers. ZDNet reported in February 2019 on two attacks through Managed Services companies, and reported in June 2019 that hackers breached 3 MSPs who used the Webroot RMM software. More recently, on August 16, 2019, 22 local governments in Texas were hit with ransomware. NPR reports, "They got into our software provider, the guys who run our IT systems," according to Gary Heinrich, mayor of the town of Keene, TX. Heinrich said that the same MSP provided support to many of the affected municipalities.
Small and medium-sized organizations can benefit greatly from capable MSPs. At the same time, those who use MSPs need to be aware of the risks of granting any third party remote access to their computer network. Practices that operate EHR, practice management software, PACS, lab, pharmacy, software-enabled medical devices, and other software on-premises are at greater risk than practices which rely on cloud applications.
These ransomware cases prove that even your most trusted computer vendors, including MSPs, must be scrutinized. Eagle Consulting Partners recommends these steps to protect your organization:
1. A thorough HIPAA Security Risk Assessment (also referred to as a Security Risk Analysis) should identify all third parties who have remote access. This typically includes an MSP, vendors supporting various software, consultants, and contractors.
2. The minimum protection required for HIPAA compliance is a valid Business Associate Agreement (BAA).
3. The third parties should be ranked based on risk. A medical coding expert granted access to only 50 patient accounts in the billing software, for coding audits, would be ranked a low risk. The MSP, with full administrative access to all servers, databases, firewalls, routers, workstations and the phone system, would be high risk.
4. Higher risk vendors should be subject to additional evaluation and contracting safeguards:
a. A vendor evaluation should be conducted. Can the vendor show you their HIPAA Policies? Can the vendor show evidence that they have conducted their own HIPAA Security Risk Assessment? Has the vendor earned any third-party certifications such as a SOC 2 or HITRUST?
b. The HIPAA BAA should include additional protections, such as an indemnification clause, and the requirement that the vendor carry liability insurance for errors and omissions, and for cyber-liability.
It may be beneficial to have a third party with appropriate expertise conduct the evaluation of your MSP. If the MSP scores poorly in the evaluation, your best recourse may be to switch to a new vendor.
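The ranking and safeguard steps above can be turned into a repeatable check over the remote-access inventory produced by the Security Risk Assessment. The script below is an added example written for this article, not code from Eagle Consulting Partners or any of the companies named; the scoring weights, tier thresholds, vendor names and record counts are constructed assumptions, and a practice should calibrate them to its own environment. It scores each grant by breadth of access, administrative privilege and the volume of patient records reachable, assigns a tier, requires a BAA at every tier, and for high-risk parties lists which of the evaluation questions and BAA additions from step 4 are still unmet.

```python
"""Tier third-party remote-access grants by scope of access and list the
safeguards still missing for each. All vendors, weights and figures here are
constructed for illustration (not from the article or any real inventory)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RemoteAccessGrant:
    party: str                       # vendor, consultant or contractor
    systems: List[str]               # systems reachable over the remote connection
    admin: bool                      # administrative rights on those systems
    phi_records: int                 # approximate patient records reachable
    baa_signed: bool = False         # Business Associate Agreement on file
    # evidence gathered during vendor evaluation (only demanded of high-risk parties)
    evidence: Dict[str, bool] = field(default_factory=dict)


def risk_score(g: RemoteAccessGrant) -> int:
    """Assumed scoring: breadth of access + privilege + volume of PHI reachable."""
    score = min(len(g.systems), 6)   # breadth, capped so it cannot dominate alone
    if g.admin:
        score += 4                   # admin rights: can push software to every machine
    if g.phi_records >= 10_000:
        score += 3
    elif g.phi_records >= 1_000:
        score += 2
    elif g.phi_records > 0:
        score += 1
    return score


def risk_tier(score: int) -> str:
    """Assumed thresholds mapping a score to low / medium / high."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# Evaluation questions and BAA additions applied only to high-risk parties
HIGH_RISK_EVIDENCE = {
    "hipaa_policies": "vendor cannot show HIPAA policies",
    "own_security_risk_assessment": "no evidence vendor performed its own Security Risk Assessment",
    "third_party_certification": "no SOC 2 / HITRUST or similar certification",
    "baa_indemnification": "BAA lacks indemnification clause",
    "baa_eo_insurance": "BAA does not require errors-and-omissions insurance",
    "baa_cyber_insurance": "BAA does not require cyber-liability insurance",
}


def assess(g: RemoteAccessGrant) -> Dict[str, object]:
    """Return tier and the list of safeguards not yet in place for one grant."""
    score = risk_score(g)
    tier = risk_tier(score)
    gaps: List[str] = []
    if not g.baa_signed:
        gaps.append("no Business Associate Agreement on file")   # minimum at any tier
    if tier == "high":
        for key, text in HIGH_RISK_EVIDENCE.items():
            if not g.evidence.get(key, False):
                gaps.append(text)
    return {"party": g.party, "score": score, "tier": tier, "gaps": gaps}


# Constructed inventory: a full-access MSP and a narrowly scoped coding auditor
INVENTORY = [
    RemoteAccessGrant(
        party="Example MSP (constructed)",
        systems=["servers", "databases", "firewalls", "routers", "workstations", "phone system"],
        admin=True,
        phi_records=50_000,
        baa_signed=True,
        evidence={"hipaa_policies": True, "third_party_certification": True,
                  "baa_eo_insurance": True},
    ),
    RemoteAccessGrant(
        party="Coding auditor (constructed)",
        systems=["billing software"],
        admin=False,
        phi_records=50,
        baa_signed=False,
    ),
]


def review_inventory(grants: List[RemoteAccessGrant] = INVENTORY) -> List[Dict[str, object]]:
    """Assess every grant in the inventory; high-tier gaps drive the re-contract/replace decision."""
    return [assess(g) for g in grants]


if __name__ == "__main__":
    for result in review_inventory():
        print(f"{result['party']}: score {result['score']}, tier {result['tier']}")
        for gap in result["gaps"]:
            print(f"  - {gap}")
```

The MSP scores high because administrative rights across every system are exactly what turned one compromised provider into 400 infected practices; the coding auditor scores low despite touching PHI because the access is narrow and non-administrative. The gap list for a high-tier party is the agenda for the vendor evaluation and BAA renegotiation described in step 4.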