A joint cybersecurity advisory alert issued October 28, 2020, warns of an imminent cybercrime threat to the U.S. health care sector. The alert, coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS), details “credible information of an increased and imminent cybercrime threat to U.S. hospitals and health care providers” from increasingly sophisticated ransomware cyber-attacks.
Ransomware is a form of malware that encrypts files on a computer or an entire network server, making the data and the computer system unusable. More sophisticated cybercriminals combine ransomware deployment with data exfiltration. In either scenario, the malware usually goes undetected until the data is stolen or encrypted and the victim receives a notification posted on a computer screen advising them of the malware and demanding a ransom. Ransom demands usually require the victim to make a payment using cryptocurrency, such as Bitcoin, in exchange for a decryption key to unlock the data. The cost of the decryption key can vary widely, from a few hundred dollars to millions.
Ransomware’s threat to critical health care infrastructure is not new. As highlighted in a 2016 letter from then-HHS Secretary Sylvia Burwell to CEOs of health care companies, ransomware is uniquely disruptive and debilitating for the health care sector: it can disrupt the delivery of health care services and other daily operations by making health information and systems unavailable, in addition to exposing sensitive health information to unauthorized access or theft.
Key findings in this recent cyber alert echo those concerns, indicating the possibility of data theft as well as the disruption of health services, and noting that “these issues will be particularly challenging for organizations with the COVID-19 pandemic.” The cyber alert, available at https://us-cert.cisa.gov/ncas/alerts/aa20-302a, includes information on the tactics, techniques, and procedures cybercriminals are using to infect systems and is intended to warn health care providers so they can take precautions to protect against the threat. The alert includes information about the type of ransomware being used, indicators of compromise, recommended mitigation measures, and network and ransomware best practices. The alert also includes a ransomware response checklist. The FBI has additional resources on ransomware prevention and response for CEOs and CISOs available at www.FBI.gov.
While defending against and recovering from a ransomware attack will be paramount, health care organizations that experience ransomware infections also have to consider the legal reporting obligations that flow from these attacks, in light of the potential impact on the confidentiality, availability, and integrity of protected health information regulated by HIPAA. The Office for Civil Rights (OCR) previously issued guidance on ransomware and HIPAA in 2016, including an eight-page fact sheet covering the detection and prevention of, and recovery from, malware infections, including ransomware. The OCR guidance also addresses considerations for reporting a breach of protected health information following an incident involving ransomware or other malicious software. HIPAA’s breach reporting requirement itself is time-sensitive and requires an investigation into the cyber-attack, the infected data systems, and the type of information involved. Proper reporting also requires an understanding of where the individuals whose information may have been impacted reside, as every state now has its own data breach reporting law that must be considered to determine whether additional state reporting requirements apply. In some cases, these state law reporting requirements may require notification to credit bureaus, state consumer protection agencies, and/or a state’s Attorney General.
Our attorneys have experience assisting organizations with ransomware events and other data breach response and we advise on compliance with state and federal breach reporting obligations. We also defend regulatory investigations and litigation that can arise from these incidents. Please contact us if you need guidance to improve your information security practices, policies, and procedures or if you have experienced a cyber-incident and need immediate help.