Healthcare companies continue to face increased risks of ransomware attacks on their operations. According to the recently released BD Cybersecurity Annual Report for 2021, such attacks are also increasingly sophisticated. Management can take important steps to minimize the risks of this form of cybercrime.
Ransomware
Ransomware is malware that encrypts files on a device, rendering the files and the systems that rely on them unusable. Bad actors then seek to extort payment for the decryption information. As tactics evolve, threat actors are increasingly encrypting or deleting backup data; stealing data and threatening to publish it; contacting employees, patients, or customers using stolen contact information; or posting a company’s name or data on a website to increase their leverage.
A ransomware attack can result in unauthorized access or acquisition of sensitive data; the loss, corruption, or unavailability of data; disruption to internal operations such as billing and invoicing; or the inability to provide essential services. These malicious attacks can cause significant business disruption, cost valuable time and money, divert labor, and result in reputational harm or loss of trust. They also can directly affect patient care and place lives at risk.
How Companies Can Manage the Risks
Healthcare organizations can minimize cyber-risks by having robust organizational and technical safeguards, as well as an incident response plan (IRP). While an IRP is tailored to the specific entity, at minimum, it will define a security incident; identify the stakeholders who will guide the response; determine the types of data and critical systems at risk; identify potential reporting obligations based on contracts, laws, and regulations; consider issues related to confidentiality and privilege; and account for the scope of any cyber insurance, including whether the carrier will appoint outside counsel and an expert forensic investigation firm.
The IRP also includes the fundamental steps for responding to a ransomware attack: containment, preservation, investigation, restoration, and remediation. Immediate containment stops the attack. An expert cybersecurity forensic investigation and the preservation of evidence attempt to identify and document the nature and scope of the incident. This information may help determine the contractual and legal reporting obligations that may apply, assist with responding to regulatory inquiries, or help defend against litigation. The restoration process restores data and critical system functionality, and remediation efforts attempt to minimize the potential risk and harm from the attack.
Negotiation of a Ransomware Demand
While the organization manages its response to a ransomware attack, it also may be negotiating the ransom demand. The U.S. Department of the Treasury and the FBI strongly discourage paying ransom demands. However, payment is not illegal unless the ransom group is on the Department of the Treasury’s Office of Foreign Assets Control sanctions list (also known as the OFAC list). A prohibited payment can result in fines, regardless of whether the organization knew the group was on the list. The Department of the Treasury has identified steps to help mitigate the risk attached to a ransom payment. These include, at a minimum, having meaningful technical security measures in place, maintaining offline backups of data, implementing cybersecurity training to reduce the likelihood that an attack succeeds, and voluntarily cooperating with federal authorities investigating the attack.
Breach Reporting
According to the Fact Sheet: Ransomware and HIPAA from the Department of Health and Human Services Office for Civil Rights, when protected health information (PHI) is encrypted during a ransomware attack, unauthorized individuals are deemed to have taken possession or control of the information. As a result, a breach is presumed to have occurred unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised.
Whether the presence of ransomware constitutes a reportable breach under HIPAA is a fact-specific determination. This determination can be facilitated by engaging an expert, third-party cybersecurity forensic investigation firm to review the nature and scope of the attack and whether sensitive data was accessed or stolen.
In addition to breach notification obligations under HIPAA, the healthcare entity may have reporting obligations under state law.
Increased Ransomware Litigation
Moreover, healthcare entities are seeing an increase in litigation alleging negligence, failure to safeguard patient data, breach of contract, and unavailability of systems, equipment, or PHI that resulted in the inability to provide essential medical services.
***
Healthcare organizations can take steps to potentially minimize the risk and harm from a ransomware attack through preventive and responsive measures. These may include drafting or updating the organization’s IRP, engaging in cybersecurity risk-based vendor management, regularly training employees on data protection and security awareness, conducting regular risk assessments, and regularly reviewing and updating internal HIPAA Privacy and Security Rules policies and procedures.