The Cost of Ransomware Attacks Can Reach Far Beyond the Ransom Payment Itself

Healthcare Informatics Magazine | Health IT

December 22, 2016
by Ryan Bergsieker and Allison Chapin, Gibson, Dunn & Crutcher

The ransomware epidemic continues to spread. According to the Federal Bureau of Investigation, ransomware victims in the United States reported a total of more than $209 million in losses in the first three months of 2016 alone. The U.S. Department of Justice has reported that an average of 4,000 ransomware attacks occur in the United States each day.

Given the amount of sensitive data maintained by healthcare providers, and the reality that certain providers’ cyber defenses are less robust than those in place in other industries such as financial services, the healthcare industry is an attractive target for cybercriminals. As the proliferation of ransomware continues, an increasing number of healthcare providers have fallen prey to these attacks. In a blog post, Jocelyn Samuels, director of the U.S. Department of Health and Human Services Office for Civil Rights (OCR), described the possibility of cyberattacks conducted using ransomware and other means as “[o]ne of the biggest current threats to health information privacy.” Indeed, many recent ransomware attacks have targeted major healthcare institutions. For example, in February 2016, ransomware at Hollywood Presbyterian Medical Center in California compromised access to the hospital’s computer systems for several days. Hollywood Presbyterian announced that it paid a ransom to unfreeze its files, but the cost of a ransomware attack can reach far beyond the ransom payment itself.

Paying the Ransom: Just the Beginning?

In the prototypical ransomware attack, a hacker installs malware on a company’s computer systems that prevents users from accessing critical data, often by encrypting that data. As the moniker “ransomware” would suggest, perpetrators then demand payment from the victim company in exchange for unlocking or returning the data.

Hackers can gain access to company computer systems through a variety of means, ranging from “planting” a seemingly misplaced thumb-drive carrying malware in a company parking lot (where it can be discovered by a well-meaning employee and inserted into a company computer), to spear phishing or other social engineering ploys to gain login credentials. Thanks to the availability of digital currency transactions, hackers can enjoy fast, remote, relatively anonymous access to cash paid by their sometimes desperate victims.

The healthcare industry is a particularly attractive target for ransomware attacks given the amount of data providers maintain, the importance of the data, and the gravity of denying access to that information. Blocking critical patient data can have crippling effects on the operations of a healthcare provider. When faced with potentially deadly consequences, some healthcare providers may feel pressure to pay the ransom, but succumbing to a hacker’s ransom demands may mark only the beginning of the company’s problems.

First, paying the ransom does not guarantee that the hackers will unlock the company’s data, and there is no way to ensure that the hackers will not corrupt or otherwise alter the data before returning the information to the victim healthcare provider. Paying a ransom also may embolden the attacker, encouraging further attacks on the institution itself or on other similarly situated organizations within the industry.

Moreover, paying a ransom does not resolve the issue of any protected health information (PHI) affected by the attack. Ransomware attacks resulting in unauthorized “acquisitions” of PHI barred by the Health Insurance Portability and Accountability Act (HIPAA) may trigger a provider’s notice obligations unless the covered entity can demonstrate a “low probability that the [PHI] has been compromised,” according to federal regulations. Otherwise, victim healthcare providers may need to provide notice to HIPAA’s primary enforcement agency, HHS OCR, and affected patients, among others. Companies then may face exposure to broad and often burdensome investigations, the scope of which may extend far beyond the parameters of the initial breach into a company-wide security program review.

Substantial payments can be required to resolve government investigations initiated by instances of unauthorized acquisitions of PHI. For example, earlier this year, HHS OCR announced that Advocate Health Care Network agreed to adopt a corrective action plan and pay $5.55 million to resolve potential HIPAA violations following breaches that affected the electronic PHI of approximately four million individuals. Similarly, in 2014, New York Presbyterian Hospital agreed to a corrective action plan and a $3.3 million payment to settle potential HIPAA violations.

How to Be Prepared

The time to start thinking about containment and mitigation is before an attack occurs. Responding to a ransomware attack can be daunting, but healthcare providers should consider the following key data management and information governance strategies when assessing the security of their systems:

  • Conduct periodic cyber-risk audits to identify any areas of weakness, ranging from potential external penetration to insider actions.
  • Develop, codify, and train personnel on a comprehensive data breach response plan with clearly assigned responsibilities.
  • Maintain proper computer system hygiene, including implementing regular system and application updates to avoid exposure to malware through outdated, unsupported, or improperly patched software.
  • Implement robust data back-up systems, segregated from other company systems. 
  • Enable mechanisms for quick system restoration from these back-ups when required.
  • Evaluate sources of ransomware risk, educate personnel on common strategies employed by hackers, and implement basic supporting mechanisms (e.g., train personnel to avoid phishing techniques and alert personnel when email has been sent from outside the company).
  • Regularly update policies and procedures to incorporate lessons learned and to stay abreast of current trends.

If an incident does occur, providers should be prepared to activate their data breach response plan. A key component of such plans is engaging with law enforcement and regulators. Given the sensitive nature of these communications and the potential impacts on future regulatory investigations and litigation, it is often helpful to engage in such communications through experienced outside counsel.

Healthcare providers must take deliberate steps to prevent and mitigate the impact of ransomware attacks. While not exhaustive, the steps enumerated above can help better position companies for successful navigation through these high-pressure and often high-stakes situations. 

Guidance on how to protect against ransomware is available from the U.S. Department of Homeland Security, the U.S. Department of Health & Human Services Office for Civil Rights and the U.S. Federal Trade Commission.

Ryan Bergsieker is of counsel in Gibson, Dunn & Crutcher's Denver office and a faculty member of CGOC, an information governance and compliance think tank. He is a former federal prosecutor and a courtroom advocate. His practice is focused on government investigations, complex civil litigation, and information security/data privacy counseling and litigation. Allison Chapin is an associate in Gibson, Dunn & Crutcher’s Denver office.


Phishing Attack at Georgia Health System May Have Exposed 400K Patients’ Data

August 20, 2018
by Heather Landi, Associate Editor

Augusta University Health System, based in Augusta, Georgia, has reported that a phishing attack on email accounts that occurred last fall may have led to the unauthorized access of protected health information (PHI) of approximately 417,000 individuals.

In a notice posted on its website, Augusta University officials said the organization was targeted by a series of fraudulent emails on Sept. 10-11, 2017. “These sophisticated phishing emails solicited usernames and passwords, giving attackers access to a small number of internal email accounts,” officials said.

A second phishing attack occurred July 11, 2018, and appears to be smaller in scope, Augusta University President Brooks Keel, Ph.D., wrote in a separate message.

Augusta University officials said that, upon recognizing the nature of the attack, security leaders took action to stop the intrusion, including disabling the impacted email accounts, requiring password changes for the compromised accounts, and maintaining heightened monitoring of the accounts to ensure that no other suspicious activity was taking place.

On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given them access to the personal and PHI of approximately 417,000 individuals.

While the investigation verified that personal information was contained in compromised email accounts, no misuse of information has been reported at this time, Keel wrote in his message.

In some cases, patient information that may have been contained in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and/or insurance information.

For a small percentage, information that may have been viewed included a Social Security number and/or driver’s license number, organization officials said.

Keel also wrote that IT staff reacted quickly to contain the July 11, 2018, attack. “The number of email accounts involved in this attack is fewer than those in the September attack. The investigation into the consequences of that attack is still underway,” Keel wrote.

In response to the incident, the organization has taken or will be promptly initiating several actions to protect against future incidents, Keel stated. Organization leadership created a new position of vice president for audit, compliance, ethics and risk management to bring “fresh leadership and direction to compliance functions.”

The organization also is implementing multifactor authentication for off-campus email and system access, reviewing and adopting solutions to limit email retention, and leadership is taking steps to implement a policy banning PHI in email communications.

In addition, Augusta University officials said the organization is deploying software that screens outgoing emails for PHI or personally identifiable information (PII) and prevents such messages from being sent, increasing employee training in preventing security breaches, and enhancing compliance-related policies and procedures.
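The outbound screening described above is a data-loss-prevention control. As an added example, and not Augusta University's software or any code from the article, the following Python sketch shows the shape of such a check: it decodes the text parts of an outgoing message, counts matches for a few PHI/PII indicator patterns, and blocks delivery only when a match is addressed to a domain outside the organization, merely flagging internal traffic. The internal domain, the medical-record-number format, the indicator patterns and the three sample messages are all assumptions constructed for this example.

```python
"""Outbound e-mail screen for PHI/PII indicators (added illustration, not production DLP)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Indicator patterns. These are constructed for the example; a real policy would be tuned to
# the organization's own identifier formats and would also inspect attachments.
PATTERNS = {
    # U.S. SSN in dashed form, excluding the area/group/serial values that are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Hypothetical medical record number format: 'MRN' followed by 7 or 8 digits.
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{7,8}\b", re.IGNORECASE),
    # Date of birth when it is labelled as such.
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Constructed stand-in for the organization's own mail domains.
INTERNAL_DOMAINS = {"example-health.test"}


def message_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a message (attachments are skipped here)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload is not None:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def recipient_domains(msg: Message) -> set:
    """Lower-cased domains of every To/Cc/Bcc address."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rsplit("@", 1)[-1].lower() for _, addr in getaddresses(headers) if "@" in addr}


def scan_text(text: str) -> dict:
    """Count indicator matches per category; only categories with at least one hit are returned."""
    counts = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}


def screen_message(raw: str) -> dict:
    """Decide whether an outgoing message may leave: block external PHI, flag internal PHI."""
    msg = message_from_string(raw)
    findings = scan_text(message_text(msg) + "\n" + (msg.get("Subject") or ""))
    external = any(d not in INTERNAL_DOMAINS for d in recipient_domains(msg))
    if findings and external:
        action = "block"
    elif findings:
        action = "flag"
    else:
        action = "allow"
    return {"external": external, "findings": findings, "action": action}


# Constructed sample messages; no real patient data.
EXTERNAL_WITH_PHI = """\
From: nurse@example-health.test
To: billing@outside-vendor.test
Subject: Claim follow-up

Patient MRN: 0045678 (DOB: 03/14/1961), SSN 123-45-6789, surgery 5/2.
"""

INTERNAL_WITH_MRN = """\
From: nurse@example-health.test
To: scheduling@example-health.test
Subject: Room change

Please move MRN 0045678 to bay 4 after imaging.
"""

EXTERNAL_CLEAN = """\
From: nurse@example-health.test
To: supplies@outside-vendor.test
Subject: Order 2024-117

Please confirm delivery of the gloves order by Friday.
"""

if __name__ == "__main__":
    for label, raw in [("external with PHI", EXTERNAL_WITH_PHI),
                       ("internal with MRN", INTERNAL_WITH_MRN),
                       ("external clean", EXTERNAL_CLEAN)]:
        print(label, screen_message(raw))
```

Splitting the decision into "block" for external recipients and "flag" for internal ones reflects the two controls the article lists side by side: a technical gate on messages leaving the organization, and a policy banning PHI in email that the flagged internal hits can be used to enforce and train against. Pattern-based screening produces false positives (invoice numbers, phone numbers) and misses PHI in attachments or free text without labels, so in practice it complements, rather than replaces, retention limits and multifactor authentication on the mailboxes themselves.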

Augusta University will offer free credit monitoring services for one year to individuals whose Social Security number was included in the compromised email accounts.

PODCAST: AHA's Cybersecurity Leader John Riggi on the Evolving Cyber Threats Facing Healthcare

August 17, 2018
by Heather Landi, Associate Editor
Riggi believes the cyber threats against healthcare are increasing in severity, complexity and frequency


Within the healthcare industry, cyber threats are constantly evolving as the threat landscape changes, and executive leaders at patient care organizations all face the same daunting challenge of protecting information systems and patient data.

A recent report found that cyberthreats are continuing to increase and shift, and even though ransomware attacks are significantly declining, cyberattacks overall are on the rise. A Protenus Breach Barometer report found that 3 million patient records were breached in the second quarter of 2018 alone. At the same time, an IBM Security study found that the cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year. Overall, the healthcare industry continues to incur the highest cost for data breaches compared to any other industry.

Another report based on a survey of hackers uncovered some alarming results: about a quarter of the hackers surveyed say they can complete a breach of a hospital or healthcare organization in under five hours.

On top of all that, recent high-profile healthcare cybersecurity incidents in the past few months serve as a stark reminder that the healthcare industry continues to be a ripe target for attacks. One cyber attack on Singapore’s public health system, SingHealth, breached the records of 1.5 million people and targeted the country’s prime minister. The breach impacted about a quarter of Singapore’s population of 5.6 million people.

John Riggi, who serves in the newly created role of senior advisor for cybersecurity and risk with the American Hospital Association (AHA), sees the cyber threats against healthcare increasing in severity, complexity and frequency. Prior to his role at AHA, Riggi spent nearly 30 years with the FBI, including in the cyber division.

Riggi dives into the evolving cyber threats facing the healthcare industry right now, including sophisticated criminal organizations, nation-state actors and cryptocurrency mining malware. Case in point: incidents of cryptocurrency mining on healthcare networks and other critical infrastructure networks increased by 1,000 percent from late 2017 to the present, Riggi says. He also discusses the implications of recent high-profile cyber incidents such as the hack at SingHealth.

The podcast runs about 13 minutes in length.

Who Can Healthcare Trust When Ransomware Hits?

WannaCry and Petya caused business impact for several organizations, and in both cases the damage was largely mitigated across the industry. This much is widely known.

What is not widely known is the role that information sharing between private industry and the public sector played, specifically between the NH-ISAC Threat Intelligence Committee (TIC) members and the HHS Healthcare Cybersecurity Communications and Integration Center (HCCIC).