On October 28, 2020, officials from the FBI and the U.S. Department of Homeland Security assembled a conference call with healthcare industry executives warning them about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” The agencies on the conference call, which included the U.S. Department of Health and Human Services (HHS), warned participants about “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers,” and the government noted that they need to warn healthcare providers “to ensure that they take timely and reasonable precautions to protect their networks from these threats.”
The federal warning comes in the wake of reports published by Brian Krebs indicating that a Russian-speaking ransomware group known as Ryuk has discussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S.
Healthcare entities need to be prepared for this urgent threat. There are a few things they can do in immediate preparation for an attack, during an attack, and in the aftermath of an attack to minimize the risk or impact. Healthcare entities need to be able to prevent, detect, and effectively respond to threats involving ransomware. This includes navigating the legal minefield associated with ransomware payments, cyber insurance, regulatory requirements, healthcare licensing and regulation, third-party liability, data breach reporting, and data forensics and investigation. Healthcare entities are particularly vulnerable to ransomware (and targeted because of this) because of the time-sensitive and critical nature of the data and services they provide. If patient data is compromised, or access to healthcare or services is impeded, providers simply cannot wait to engage in extensive forensics and data recovery. Particularly during a global pandemic, they need assurance that their data and services remain reliable, accessible, and secure. Hackers know this, and they know that it increases the likelihood that targeted healthcare entities will pay large ransoms – and pay them quickly. As a result, they target healthcare entities for ransomware.
1. Prevent the Attack
Obviously. But easier said than done. If a healthcare entity does not already have a robust infosec training and awareness, anti-phishing, anti-malware and monitoring program, it needs to, at a minimum, heighten its log and intrusion detection monitoring, partner with third-party endpoint and other monitoring entities, and inform its IT staff and employees to “Be On the Lookout” for unusual activity and phishing attacks in the upcoming days or weeks. It’s no substitute for a comprehensive NIST-compliant program, but it’s a start.
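As an added illustration of what “heightened log monitoring” can mean in practice (this is example code written for this page, not something from the original article or from UNIT 221B), the script below scans constructed file-activity log lines and flags a host when many files are renamed to one new extension within a short window, the pattern bulk encryption leaves behind, and separately flags the creation of files whose names look like ransom notes. The log format, hostnames, paths, the `.locked` extension and the thresholds are all assumptions; a real deployment would read the equivalent events from an EDR or file-server audit log.

```python
"""Detect ransomware-like file activity in constructed file-event logs.

Added example for this page, not the article's own code. Log format,
hostnames, paths, extensions and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed sample lines, assumed format:
#   <ISO timestamp> <host> <ACTION> <path>[ -> <newpath>]
# ws-17 shows six extension-changing renames in two seconds plus a note file;
# ws-03 shows one ordinary rename that keeps its extension.
SAMPLE_LOG = r"""
2020-10-29T02:14:01 ws-17 RENAME C:\Users\a\Documents\q1.xlsx -> C:\Users\a\Documents\q1.xlsx.locked
2020-10-29T02:14:01 ws-17 RENAME C:\Users\a\Documents\q2.xlsx -> C:\Users\a\Documents\q2.xlsx.locked
2020-10-29T02:14:01 ws-17 RENAME C:\Users\a\Documents\notes.docx -> C:\Users\a\Documents\notes.docx.locked
2020-10-29T02:14:02 ws-17 RENAME C:\Users\a\Documents\scan1.pdf -> C:\Users\a\Documents\scan1.pdf.locked
2020-10-29T02:14:02 ws-17 RENAME C:\Users\a\Documents\scan2.pdf -> C:\Users\a\Documents\scan2.pdf.locked
2020-10-29T02:14:02 ws-17 RENAME C:\Users\a\Pictures\xray.png -> C:\Users\a\Pictures\xray.png.locked
2020-10-29T02:14:02 ws-17 CREATE C:\Users\a\Documents\README_TO_DECRYPT.txt
2020-10-29T02:20:33 ws-03 RENAME C:\Users\b\draft.docx -> C:\Users\b\final.docx
"""

RENAME_THRESHOLD = 5              # extension-changing renames needed to alert
WINDOW = timedelta(seconds=30)    # ...within this sliding time window
NOTE_KEYWORDS = ("DECRYPT", "RESTORE", "RECOVER", "RANSOM")


def parse_line(line):
    """Split one log line into a dict; RENAME lines carry old and new paths."""
    ts, host, action, rest = line.split(" ", 3)
    when = datetime.fromisoformat(ts)
    if action == "RENAME":
        old, new = rest.split(" -> ")
        return {"when": when, "host": host, "action": action, "old": old, "new": new}
    return {"when": when, "host": host, "action": action, "path": rest}


def iter_events(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def find_encryption_bursts(log_text, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return {host: new_extension} for hosts where at least `threshold` files
    changed to the same new extension within `window` (sliding over time)."""
    times_by_key = defaultdict(list)  # (host, new_ext) -> timestamps
    for ev in iter_events(log_text):
        if ev["action"] != "RENAME":
            continue
        old_ext = ntpath.splitext(ev["old"])[1].lower()
        new_ext = ntpath.splitext(ev["new"])[1].lower()
        if new_ext and new_ext != old_ext:        # draft.docx -> final.docx is ignored
            times_by_key[(ev["host"], new_ext)].append(ev["when"])

    alerts = {}
    for (host, ext), times in times_by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = ext
                break
    return alerts


def find_ransom_notes(log_text):
    """Return [(host, path)] for newly created files whose names look like notes."""
    hits = []
    for ev in iter_events(log_text):
        if ev["action"] != "CREATE":
            continue
        name = ntpath.basename(ev["path"]).upper()
        if any(word in name for word in NOTE_KEYWORDS):
            hits.append((ev["host"], ev["path"]))
    return hits


if __name__ == "__main__":
    for host, ext in find_encryption_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: burst of renames to {ext}")
    for host, path in find_ransom_notes(SAMPLE_LOG):
        print(f"ALERT {host}: possible ransom note {path}")
```

Tuning matters more than the logic: a document-conversion job or a backup tool can legitimately rename many files in one burst, so the threshold and window should be set from a baseline of normal activity, and an alert should trigger isolation of the host and review of what process performed the renames rather than an automatic response on its own.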
2. Offset the Risk
In light of the imminent nature of the current threat, the first thing healthcare providers can and should do is to review their current cyber insurance policies to ensure that they cover first- and third-party liabilities for ransomware, include KRE (Kidnap, Ransom and Extortion) coverage, include coverage for ransomware payments, investigation, forensics and coordination with law enforcement, include legal and litigation costs, and include costs of business interruption and mitigation. Many policies are a “Swiss cheese” of coverages, exclusions and deductions, and the time to review the policies is before a claim occurs.
Healthcare entities should review their state of readiness and compliance not only with relevant privacy laws (e.g., HIPAA), but with data security and incident response requirements (e.g., the NIST Cybersecurity Framework). While compliance with these regulations or guidelines is no guarantee that you won’t be successfully attacked, demonstrating good-faith compliance goes a long way toward limiting your legal exposure and will help mitigate harm.
This should include a review of internal and external policies, contracts, data sharing agreements, cloud agreements, training and awareness programs for healthcare staff generally or IT staff in particular on how to handle both data breaches and ransomware attacks. This can include guidelines on risk mitigation, forensic evidence handling, incident response notification, and regulatory compliance during an incident. Healthcare entities need to develop and deploy “tabletop” training programs for senior executives (including internal counsel) to enhance readiness for such incidents.
There are alternatives to fighting. Healthcare companies should consider alternatives to restoration or payment. While most entities believe that their sole responses to ransomware are to either (1) prevent it from coming in; (2) restore data after the attack; or (3) pay the ransom as demanded, UNIT 221B through its relationships can provide other – more palatable – alternatives. These include what is called “ransomware inoculation” – using sophisticated programs designed to “trick” the ransomware programs themselves into believing that they have infected a “friendly” computer (a computer of the attackers themselves) and therefore not to execute. Alternatively, some ransomware variants have highly technical vulnerabilities in the ransomware itself which allow the ransomware to be “hacked” and defused without paying the ransom. In addition, in some cases there is access to ransomware “keys” which can be tested and sometimes are effective in unlocking certain kinds of ransomware without paying the demands.
If you determine that it is in the interests of the healthcare entity to pay the ransom, recent decisions by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) and its Financial Crimes Enforcement Network (FinCEN) substantially increase the potential fines and penalties not to hackers but to victims of ransomware attacks who choose to pay ransom. These include both civil and criminal penalties for violating U.S. and international export sanctions, money laundering, fund transfer crimes, and other bank regulatory offenses – even for healthcare entities responding to a sudden emergency. Work with experienced professionals who can help reduce or avoid the liability to healthcare companies in connection with their incident response to cyber attacks and ransomware.
Retain the services of highly technical and sophisticated cyber investigators and forensics companies, helping ensure that the internal investigation is, at least initially, protected by applicable privileges, and ensuring that the healthcare entity has the maximum flexibility to investigate and respond to the attack, and to coordinate its response as appropriate with local, state, federal and international cybercrime investigators and law enforcement entities.
Work with counsel who are experienced in data breach notification advice and services. Globally, there are hundreds of different data breach notification statutes and regulations, each with different requirements for whom to notify, how to notify, when to notify, whether to notify, and what to say. Needless to say, this represents a potential landmine for healthcare companies that may – or may not – suffer a reportable data breach. Make sure counsel will help determine whether data breach notifications are required, and the best way to handle them consistent with the law and regulation. Remember, it is just as bad to report a breach that did not occur as to fail to report one that did.
Comply with healthcare regulation. Various laws and regulations impose duties on healthcare entities not only with respect to data security and integrity, but on the quality of healthcare services provided. A ransomware attack can impact these regulations. Ensure that the response to ransomware does not adversely impact patient care and treatment, and ensure continued compliance with these laws and regulations.
Prepare for post-incident litigation. If a healthcare entity is affected by a data breach, a cyber incident, or a ransomware attack, in addition to regulatory investigations (HHS, FTC), healthcare entities are also frequently the victims of class action litigation by patients, employees, or third parties impacted by the cyber incident. Healthcare entities must work with experienced counsel to be prepared for such litigation, and help defend such litigation with fact, investigation, and legal and technical expertise.
As a lawyer and a former paramedic (yes, I could chase my own ambulances) I know the first rule of emergency situations is to take your own pulse. So, if you are in the healthcare arena particularly, you need to plan now for a potential ransomware attack in the near future. And while you are at it, might as well download your resume and put it in a safe place. Just in case.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.