The ransomware epidemic continues to spread. According to the Federal Bureau of Investigation, ransomware victims in the United States reported a total of more than $209 million in losses in the first three months of 2016 alone. The U.S. Department of Justice has reported that an average of 4,000 ransomware attacks occur in the United States each day.
Given the amount of sensitive data maintained by healthcare providers, and the reality that certain providers’ cyber defenses are less robust than those in place in other industries such as financial services, the healthcare industry is an attractive target for cybercriminals. As the proliferation of ransomware continues, an increasing number of healthcare providers have fallen prey to these attacks. In a blog post, Jocelyn Samuels, director of the U.S. Department of Health and Human Services Office for Civil Rights (OCR), described the possibility of cyberattacks conducted using ransomware and other means as “[o]ne of the biggest current threats to health information privacy.” Indeed, many recent ransomware attacks have targeted major healthcare institutions. For example, in February 2016, ransomware at Hollywood Presbyterian Medical Center in California compromised access to the hospital’s computer systems for several days. Hollywood Presbyterian announced that it paid a ransom to unfreeze its files, but the cost of a ransomware attack can reach far beyond the ransom payment itself.
Paying the Ransom: Just the Beginning?
In the prototypical ransomware attack, a hacker installs malware on a company’s computer systems that prevents users from accessing critical data, often by encrypting that data. As the moniker “ransomware” would suggest, perpetrators then demand payment from the victim company in exchange for unlocking or returning the data.
Hackers can gain access to company computer systems through a variety of means, ranging from “planting” a seemingly misplaced thumb drive carrying malware in a company parking lot (where it can be discovered by a well-meaning employee and inserted into a company computer), to spear phishing or other social engineering ploys to gain login credentials. Thanks to the availability of digital currency transactions, hackers can enjoy fast, remote, relatively anonymous access to cash paid by their sometimes desperate victims.
The healthcare industry is a particularly attractive target for ransomware attacks given the amount of data providers maintain, the importance of the data, and the gravity of denying access to that information. Blocking critical patient data can have crippling effects on the operations of a healthcare provider. When faced with potentially deadly consequences, some healthcare providers may feel pressure to pay the ransom, but succumbing to a hacker’s ransom demands may mark only the beginning of the company’s problems.
First, paying the ransom does not guarantee that the hackers will unlock the company’s data, and there is no way to ensure that the hackers will not corrupt or otherwise alter the data before returning the information to the victim healthcare provider. Paying a ransom also may embolden the attacker, encouraging further attacks on the institution itself or on other similarly situated organizations within the industry.
Moreover, paying a ransom does not resolve the issue of any protected health information (PHI) affected by the attack. Ransomware attacks resulting in unauthorized “acquisitions” of PHI barred by the Health Insurance Portability and Accountability Act (HIPAA) may trigger a provider’s notice obligations unless the covered entity can demonstrate a “low probability that the [PHI] has been compromised,” according to federal regulations. Otherwise, victim healthcare providers may need to provide notice to HIPAA’s primary enforcement agency, HHS OCR, and affected patients, among others. Companies then may face exposure to broad and often burdensome investigations, the scope of which may extend far beyond the parameters of the initial breach into a company-wide security program review.
Substantial payments can be required to resolve government investigations initiated by instances of unauthorized acquisitions of PHI. For example, earlier this year, HHS OCR announced that Advocate Health Care Network agreed to adopt a corrective action plan and pay $5.55 million to resolve potential HIPAA violations following breaches that affected the electronic PHI of approximately four million individuals. Similarly, in 2014, New York Presbyterian Hospital agreed to a corrective action plan and a $3.3 million payment to settle potential HIPAA violations.
How to Be Prepared
The time to start thinking about containment and mitigation is before an attack occurs. Responding to a ransomware attack can be daunting, but healthcare providers should consider the following key data management and information governance strategies when assessing the security of their systems:
- Conduct periodic cyber-risk audits to identify any areas of weakness, ranging from potential external penetration to insider actions.
- Develop, codify, and train personnel on a comprehensive data breach response plan with clearly assigned responsibilities.
- Maintain proper computer system hygiene, including implementing regular system and application updates to avoid exposure to malware through outdated, unsupported, or improperly patched software.
- Implement robust data backup systems, segregated from other company systems.
- Enable mechanisms for quick system restoration from these backups when required.
- Evaluate sources of ransomware risk, educate personnel on common strategies employed by hackers, and implement basic supporting mechanisms (e.g., train personnel to avoid phishing techniques and alert personnel when email has been sent from outside the company).
- Regularly update policies and procedures to incorporate lessons learned and to stay abreast of current trends.
If an incident does occur, providers should be prepared to activate their data breach response plan. A key component of such plans is engaging with law enforcement and regulators. Given the sensitive nature of these communications and the potential impacts on future regulatory investigations and litigation, it is often helpful to engage in such communications through experienced outside counsel.
Healthcare providers must take deliberate steps to prevent and mitigate the impact of ransomware attacks. While not exhaustive, the steps enumerated above can help better position companies for successful navigation through these high-pressure and often high-stakes situations.
Guidance on how to protect against ransomware is available from the U.S. Department of Homeland Security, the U.S. Department of Health and Human Services Office for Civil Rights, and the U.S. Federal Trade Commission.
Ryan Bergsieker is of counsel in Gibson, Dunn & Crutcher’s Denver office and a faculty member of CGOC, an information governance and compliance think tank. He is a former federal prosecutor and a courtroom advocate. His practice is focused on government investigations, complex civil litigation, and information security/data privacy counseling and litigation. Allison Chapin is an associate in Gibson, Dunn & Crutcher’s Denver office.