If Ron Howard were to remake his 1996 film Ransom today, instead of Mel Gibson passionately screaming, “Give me back my son!” in response to the kidnapper’s demands, he very well could have Gibson scream, “Give me back my files!” in response to a cybercriminal’s ransom demands. What is “ransomware”? Assume you are reading email on your personal computer, tablet, or smartphone and you click on an attachment from an unfamiliar source. Within seconds, your device is encrypted and you are locked out of your applications and files. You may have unwittingly fallen victim to a cybercriminal’s trap. Unless you provide payment within a certain amount of time for the decryption key to unlock the device, your personal information will be gone forever.
This form of cyber-attack—known colloquially as a “ransomware” attack, in which a cybercriminal unleashes malware on a company’s computing infrastructure and blackmails the company for access to its own systems—is on the rise. There are a number of different versions of this attack, but common forms include Cryptolocker and Cryptowall. A recent report by Intel Corp.’s McAfee Labs predicts that ransomware attacks in 2016 will only continue to grow in number and sophistication.[1]
Ransomware’s Impact on the Health Care Industry
Health care organizations, in particular, are susceptible to ransomware attacks because their employees are public-facing and it may be part of their jobs to open emails from unknown sources. Further, because the health care industry lags behind other regulated industries in terms of cybersecurity, employees may not be trained to spot fraudulent messages, and their networks may not be configured to stop the infection before it reaches the company’s file system.
For health care organizations, the stakes are extremely high. A hospital subject to a ransomware attack could lose access to certain computer systems, preventing it from exchanging electronic communications regarding the care of its patients. Ultimately, the hospital might have no choice but to pay tens of thousands of dollars in ransom to obtain the decryption key and regain access to its systems and administrative functions. Losing access to its electronic medical record system for even one day, let alone multiple days, could also harm a hospital’s reputation.
Equally troubling is the prospect that a health care organization subject to a ransomware attack learns that its patient protected health information (“PHI”) and/or employee personally identifiable information (“PII”) was accessed by the hackers. Failure to take adequate steps to protect this information can lead to legal liability. Health care organizations that handle PHI are required by the Health Insurance Portability and Accountability Act (“HIPAA”) to adopt administrative, technical, and physical safeguards to protect the confidentiality of PHI. In addition, various state and federal laws establish affirmative duties of employers to protect non-HIPAA-covered sensitive information in a secure manner. Finally, as illustrated by the cyber-attack on Sony Pictures Entertainment,[2] employers may be susceptible to negligence and state law statutory claims by employees whose PII may be stolen or accessed as part of these attacks.
In the wake of these high-profile ransomware attacks, health care organizations should take a series of steps to protect their patients, customers, employees, and corporate information. As an initial matter, companies should conduct a risk assessment and penetration test to determine their network’s vulnerabilities and ensure proper network segmentation is in place to isolate an infection if it occurs. Such a review allows businesses to identify and address their most pressing needs before these vulnerabilities can be exploited by cybercriminals, and to contain the infection when it does occur.
What Should Your Business Do in the Face of Ransomware?
Because ransomware attacks leave companies unable to access their systems, businesses should implement comprehensive and routine procedures to back up important, confidential, and sensitive information. That way, even if ransomware leaves the systems themselves inoperative for a period of time, such an attack will not completely cripple a company’s ability to continue doing business and serving its patients and/or customers.
Simple administrative and physical safeguards also can aid companies in preventing and limiting the impact of ransomware attacks. Employees should be granted access to workstations, electronic media, and the network only to the extent necessary to perform their jobs or as otherwise permitted by law. Further, because ransomware is generally initiated by an end user, companies should conduct phishing training so that employees are in a better position to spot fraudulent messages that could contain malware.
In the event of a ransomware or other cyber-attack, companies should contact law enforcement and appropriate experts in the field to formulate an immediate, but reasoned, response to the attack. A number of states have enacted legislation subjecting victims of cyber-attacks to various disclosure requirements, and any victims should be familiar with their duties under applicable law.
[1] McAfee Labs, 2016 Threat Predictions, available at http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf.
[2] Corona v. Sony Pictures Entertainment Inc., C.D. Cal., No. 2:14-cv-9600.