Greenway Breach Affects Clients
On April 24, Greenway Health, a vendor providing cloud-based healthcare computer services to 75,000 customers, announced a ransomware attack on its systems. The attack reportedly hit 400 clients using the company's Intergy cloud-hosted platform. Eighteen days later, Greenway announced it had restored full functionality to all affected customers.
A billing practice that was affected by the breach contacted ICS Medtech, a compliance and data security company, seeking advice. "His business was down for four days, and his customers who use the same Greenway service were down a week," says Chad Sizemore, managing partner at Birmingham-based ICS Medtech. "So they're not only dealing with breach issues, but their business was also impacted for over a week."
ICS Medtech scanned the billing company's system and found a security problem that pointed to the connecting pathway used by Greenway. "Greenway used a completely unsecured method for him to access their system," Sizemore says.
Greenway used a remote desktop connection: software that opens a direct, unprotected path for data between the client's computer and the server, which is reached by its IP address. "It's making a connection to their machine in the cloud without having any other security methods in place," Sizemore says. "That is an easy method for a hacker. Even a low-skilled hacker can destroy that protocol."
Too many people assume using software in the cloud automatically equals security. "It's all in how you gain access to the cloud," Sizemore says. "If you don't use proper methods to connect to things, then it doesn't matter where that server resides or how big the company is. You will be vulnerable to a breach."
The secure way to connect is through a virtual private network (VPN). A VPN client encrypts the data traveling across the internet in a private tunnel and admits users only after they identify themselves with unique credentials, such as passwords and tokens.
Having to go through two log-ins to access a cloud-based electronic medical record (EMR) or use a remote desktop usually signifies the presence of a VPN. One password gains access to the VPN and the next allows access to the remote desktop or EMR. "The VPN password may be preinstalled, so you just double-click and it automatically connects for you," Sizemore says, so a single password does not necessarily mean there is no VPN.
Another indicator is an icon in the computer's toolbar whenever the VPN is active. But unlike the arc bands that signify Wi-Fi, there is no universal VPN icon, because each provider designs its own.
"Pull out your contract with the EMR or cloud-based provider and look for the VPN," Sizemore says. If it is unclear or confusing, ask a data security company to check. "Or call the EMR provider and verify that the connection is secure, either by a VPN or a secure web portal. Just make sure that there is something more than a remote desktop connection in play."
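The article's point is that a remote desktop session should only ever arrive through something in front of it, such as a VPN. One way a practice or its IT company can verify that on the server side, as an added example that is not from the article or from Greenway or ICS Medtech, is to review successful Remote Desktop logons and flag any whose source address is outside the VPN client pool or the office network. The event records, the address ranges (10.8.0.0/24 as the VPN pool, 10.0.0.0/16 as the LAN) and the record format are all constructed for the demonstration; on a real Windows host the same fields come from Security event 4624, where logon type 10 denotes a Remote Desktop session.

```python
"""Flag Remote Desktop logons that did not arrive through the VPN.

Added example, not code from the article. Assumes that every remote user
must connect to the VPN first, so legitimate RDP sessions always originate
from the VPN address pool or the office LAN (both assumed ranges below).
Event records are constructed to mirror the fields of Windows Security
event 4624; real collection would read them from the event log.
"""
import ipaddress
from dataclasses import dataclass

# Assumed trusted sources. Any RDP logon from elsewhere means the desktop
# was reachable directly, with nothing in front of it.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.8.0.0/24"),  # assumed VPN client pool
    ipaddress.ip_network("10.0.0.0/16"),  # assumed office LAN
]

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (Remote Desktop)
SUCCESSFUL_LOGON = 4624  # Windows Security event for a successful logon


@dataclass
class LogonEvent:
    event_id: int
    logon_type: int
    user: str
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'Key=Value' record with space-separated fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return LogonEvent(
        int(fields["EventID"]), int(fields["LogonType"]), fields["User"], fields["SourceIP"]
    )


def is_allowed_source(ip_text: str) -> bool:
    """True only if the address parses and falls inside a trusted range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source is never treated as trusted
    return any(ip in net for net in ALLOWED_SOURCES)


def find_unprotected_rdp_logons(lines):
    """Return (user, source_ip) for successful RDP logons from outside the trusted ranges."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if (
            ev.event_id == SUCCESSFUL_LOGON
            and ev.logon_type == RDP_LOGON_TYPE
            and not is_allowed_source(ev.source_ip)
        ):
            findings.append((ev.user, ev.source_ip))
    return findings


# Constructed sample records (addresses are documentation ranges, not real hosts).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 User=billing01 SourceIP=10.8.0.23",    # via VPN: expected
    "EventID=4624 LogonType=2 User=admin SourceIP=127.0.0.1",          # console logon, not RDP
    "EventID=4624 LogonType=10 User=billing02 SourceIP=203.0.113.45",  # RDP straight from the internet
    "EventID=4625 LogonType=10 User=guest SourceIP=198.51.100.7",      # failed attempt, not a 4624
    "EventID=4624 LogonType=10 User=svc_backup SourceIP=10.0.4.9",     # office LAN: expected
]

if __name__ == "__main__":
    for user, ip in find_unprotected_rdp_logons(SAMPLE_EVENTS):
        print(f"RDP logon for {user} from {ip} did not come through the VPN")
```

Running it reports only the `billing02` session, because that is the one successful Remote Desktop logon whose source is neither the VPN pool nor the LAN. A single such finding is enough to show that the remote desktop is exposed directly, which is exactly the condition the article describes.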
Sizemore says they don't want to just point a finger at remote access. "We want to paint a picture," he says. "A Greenway customer used an insecure method and that could have been the cause of the breach. But we don't know. Regardless, Greenway will be breached again if they continue using this method for access."
The billing customer had to restore seven years' worth of data from backups. "Just because you restore from backup doesn't mean that backup is clean," Sizemore says. "If there are infected files in the backup, they will rebirth the ransomware attack. Hopefully Greenway cleaned those."
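Sizemore's warning is that a backup taken after the compromise can carry the infection back in. One check a practice can run before a restore goes live, given here as an added example that is not from the article or from any of the companies it names, is to compare the restore set against a manifest of file hashes recorded while the data was known to be clean, and report every file that has been altered, added or removed since then. The directory layout, file contents and the dropped-file name are all constructed for the demonstration.

```python
"""Verify a restore set against a known-clean hash manifest.

Added example, not code from the article. The manifest is assumed to have
been recorded while the data was known good; at restore time, any file that
has changed, appeared or vanished is reported before the data is put back
into service. Paths and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup members do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare the files now under root with the clean manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a clean snapshot, then a later backup of the same tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "claims").mkdir()
        (root / "claims" / "2019-q1.csv").write_text("patient_id,amount\n1001,120.00\n")
        (root / "claims" / "2019-q2.csv").write_text("patient_id,amount\n1002,80.50\n")
        manifest = build_manifest(root)  # recorded while the data was known good

        # Simulate what a backup taken after the incident might contain:
        # one record overwritten, one unfamiliar file dropped in, one record gone.
        (root / "claims" / "2019-q2.csv").write_bytes(b"\x00constructed-unreadable-content\x00")
        (root / "UNEXPECTED_FILE.txt").write_text("constructed stand-in for a dropped file\n")
        (root / "claims" / "2019-q1.csv").unlink()

        return verify_restore(root, manifest)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}: {path}")
```

The manifest only has value if it was taken before the incident and stored somewhere the compromised systems could not reach, which is why it belongs with the backup schedule rather than being generated at restore time. Anything listed under "modified" or "added" should be inspected before the restored data is trusted.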
Greenway, however, has not been forthcoming with details about the breach or their recovery processes. "The billing company's lawyer reached out to Greenway asking if he needs to declare a breach to satisfy HIPAA, and they have yet to get back to him," Sizemore says.
To avoid this kind of haphazard recovery, medical practices should negotiate a service level agreement (SLA) with their IT company, EMR vendor, and any other cloud-based services. "Stipulate how their service is going to be used and how it's going to access your system," Sizemore says.
Also, lay out the process they will use if a failure occurs and how long it will take. "Because if you're going to write a business continuity and disaster recovery policy and procedure plan as required under HIPAA, you can contract that language to the SLA and use it to hold them accountable," Sizemore says, emphasizing the need to stipulate a penalty for failure to comply. "Spell it out: 'I get this amount of money off my bill for this amount of time beyond the stated recovery' because during the crisis of a breach, the greater the clarity in processes and expectations, the less business will be lost."