By Mark Rasch
On Oct. 28, 2020, officials from the FBI and the U.S. Department of Homeland Security held a conference call with healthcare industry executives, warning them of an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” The agencies on the call, which included the U.S. Department of Health and Human Services (HHS), cited “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers” and said the warning was issued so that providers could “take timely and reasonable precautions to protect their networks from these threats.”
The federal warning followed reporting by Brian Krebs that a Russian-speaking criminal group operating the Ryuk ransomware had discussed plans to deploy it at more than 400 healthcare facilities in the U.S. (Ryuk is the ransomware family; the operators deploy it after an initial intrusion, often via a malware loader already present on the network.)
KJK’s Cybersecurity, Data Breach & Privacy practice group, together with the technology, forensics and investigative companies with which we work, can help healthcare entities prevent, detect and effectively respond to ransomware threats. This includes navigating the legal minefield associated with ransomware payments, cyber insurance, regulatory requirements, healthcare licensing and regulation, third party liability, data breach reporting, and data forensics and investigation. Healthcare entities are particularly vulnerable to ransomware, and are targeted for that reason, because of the time-sensitive and critical nature of the data and services they provide. If patient data is compromised, or access to healthcare systems or services is impeded, providers simply cannot wait to complete extensive forensics and data recovery. Particularly during a global pandemic, they need assurance that their data and services remain reliable, accessible and secure. Attackers know this, and they know it makes a targeted healthcare entity more likely to pay a large ransom, and to pay it quickly. As a result, they single out healthcare entities for ransomware.
How KJK Can Help
Insurance Coverage Review: In light of the imminent nature of the current threat, the first thing healthcare providers can and should do is review their current cyber insurance policies to ensure that they cover first- and third-party liabilities for ransomware; include KRE (Kidnap, Ransom and Extortion) coverage; cover ransomware payments, investigation, forensics and coordination with law enforcement; include legal and litigation costs; and cover business interruption and mitigation costs. Many policies are a “Swiss cheese” of coverages, exclusions and deductibles, and the time to review them is before a claim occurs. Two items worth checking specifically: whether the policy requires the insurer’s consent before a ransom is paid or a forensics firm is engaged, and whether it excludes losses from sanctioned actors (see Ransomware Payment and Negotiation below).
Ransomware Readiness, Policy and Contract Review: KJK can also review a healthcare entity’s state of readiness and compliance not only with relevant privacy laws (e.g., HIPAA) but with data security and incident response requirements (e.g., the NIST Cybersecurity Framework). While compliance with these regulations or guidelines is no guarantee that you won’t be successfully attacked, demonstrating good-faith compliance goes a long way toward limiting your legal exposure and will help mitigate harm. KJK can also review internal and external policies, contracts, data sharing agreements and cloud agreements, and can help train your staff generally, or your IT staff in particular, on how to handle both data breaches and ransomware attacks. This can include guidelines on risk mitigation, forensic evidence handling, incident response notification and regulatory compliance during an incident. We can also help develop and run “tabletop” exercises for senior executives (including internal counsel) to enhance readiness for such incidents. A tabletop is most useful when it walks through the decisions that actually arise in the first 48 hours: whether to disconnect systems, whether offline backups exist and have been tested, who may speak to the attackers, and who authorizes a payment.
Incident Investigation and Intelligence: KJK has also developed relationships with computer forensics, investigative, threat intelligence, ransomware mitigation and highly sophisticated computer security researchers who may be able to help respond to, or reduce the risk of, ransomware attacks. While most entities believe their only responses to ransomware are to (1) prevent it from getting in, (2) restore data after the attack, or (3) pay the ransom as demanded, KJK through its relationships can provide other, more palatable, alternatives. These include what is sometimes called “ransomware inoculation” or a “vaccine”: taking advantage of the checks some ransomware families perform before encrypting, in which the malware looks for signs that it has landed on a “friendly” machine (for example, one whose language settings match the attackers’ home region) and, if it finds them, exits without executing. Alternatively, some ransomware variants contain implementation flaws in their own encryption that allow them to be “hacked” and defused without paying the ransom. In addition, KJK through its partners has access to a broad variety of published ransomware decryption keys and tools, which can be tested and are sometimes effective in unlocking certain ransomware families without paying the demand. None of these measures is guaranteed: a vaccine only works against families that perform the check, a decryptor only exists for families whose flaws have been found, and neither undoes the theft of data that typically precedes encryption. They supplement, rather than replace, tested offline backups and network segmentation.
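As an added illustration of the “inoculation” idea described above (this is example code, not KJK’s or any vendor’s tool): a number of Russian-origin ransomware families have been reported to enumerate the installed keyboard layouts or the system locale and exit if a CIS language is present. The script assumes that check, and that adding the ru-RU input language for the logged-on user is enough to trigger it; both are assumptions about the malware, not something the page or the federal advisory states, and whether any given Ryuk build behaves this way is not claimed here. It uses only the standard Windows International module cmdlets.

```powershell
# Added example (not from the original article). Assumption: the ransomware
# calls GetKeyboardLayoutList / checks the locale and aborts if it finds a CIS
# layout. Adding a layout does nothing against families without such a check
# and nothing against data exfiltration; treat it as a cheap extra layer only.

# Layouts the (assumed) malware-side check looks for; ru-RU is the usual one.
$VaccineLayouts = @('ru-RU')

function Get-MissingVaccineLayouts {
    param([string[]]$Wanted = $VaccineLayouts)
    # Get-WinUserLanguageList returns the per-user input language list.
    $installed = (Get-WinUserLanguageList).LanguageTag
    $Wanted | Where-Object { $installed -notcontains $_ }
}

function Add-VaccineLayouts {
    param(
        [string[]]$Wanted = $VaccineLayouts,
        [switch]$WhatIf
    )
    $missing = @(Get-MissingVaccineLayouts -Wanted $Wanted)
    if ($missing.Count -eq 0) {
        Write-Host 'All vaccine layouts are already installed for this user.'
        return
    }
    if ($WhatIf) {
        Write-Host "Would add: $($missing -join ', ')"
        return
    }
    # Append to the existing list so the user's current default layout stays
    # first and nobody is switched to a Cyrillic keyboard by surprise.
    $list = Get-WinUserLanguageList
    foreach ($tag in $missing) { $list.Add($tag) }
    Set-WinUserLanguageList -LanguageList $list -Force
    Write-Host "Added: $($missing -join ', ')"
}

# Apply for the current user, then show the resulting list for verification.
Add-VaccineLayouts
Get-WinUserLanguageList | Select-Object LanguageTag, InputMethodTips
```

The change is per user, so it has to be applied in the context of every interactive account that matters (a logon script or Intune/GPO-delivered script is the practical route), and it should be recorded in the change log so that a later investigator does not mistake a Russian layout on a U.S. hospital workstation for attacker activity.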
Ransomware Payment and Negotiation: If we together determine that it is in the interests of the healthcare entity to pay the ransom, recent advisories from the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) and its Financial Crimes Enforcement Network (FinCEN) substantially increase the potential fines and penalties, not for the attackers but for ransomware victims, and for the firms that facilitate payment on their behalf, when a payment goes to a sanctioned person or jurisdiction. These include both civil and criminal exposure for sanctions violations, money laundering, funds transfer offenses and other bank regulatory offenses, and OFAC’s guidance applies even to healthcare entities responding to a sudden emergency, although it treats prompt, complete reporting to law enforcement as a mitigating factor. KJK can help reduce or avoid the liability that might attach to healthcare companies in connection with their incident response to cyber attacks and ransomware. We can also help arrange cryptocurrency acquisition, tumbling, escrow or lawful funds transfer services to assist in making a ransomware payment.
Ransomware Forensics: KJK can also retain, on the healthcare entity’s behalf, highly technical and sophisticated cyber investigators and forensics companies, helping ensure that the internal investigation is, at least initially, protected by applicable privileges (which generally requires that counsel, not the IT department, engage the forensics firm and direct its work), and ensuring that the healthcare entity has the maximum flexibility to investigate and respond to the attack, and to coordinate its response as appropriate with local, state, federal and international cybercrime investigators and law enforcement entities.
Data Breach Notification and Advice: KJK also provides data breach notification advice and services. Globally, there are hundreds of different data breach notification statutes and regulations, each with different requirements for whom to notify, how to notify, when to notify, whether to notify, and what to say. Needless to say, this is a potential landmine for healthcare companies that may, or may not, have suffered a reportable data breach. KJK will work with its partners to determine whether data breach notifications are required and the best way to handle them consistent with law and regulation. Remember, it can be just as damaging to report a breach that did not occur as to fail to report one that did.
Healthcare Regulation Compliance: Various laws and regulations impose duties on healthcare entities not only with respect to data security and integrity, but on the quality of healthcare services provided. A ransomware attack can impact these regulations. KJK can help healthcare entities ensure that the response to ransomware does not adversely impact patient care and treatment, and ensure continued compliance with these laws and regulations.
Post-Incident Litigation: If a healthcare entity is affected by a data breach, a cyber incident or a ransomware attack, then in addition to regulatory investigations (HHS, FTC), it is frequently the target of class action litigation by patients, employees or third parties impacted by the incident. KJK can help the entity prepare for such litigation, and can help defend it with factual investigation and with legal and technical expertise.
In short, we can help. Contact Mark Rasch (firstname.lastname@example.org /301.547.6925) to find out how.
KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred to without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the author and do not necessarily reflect those of KJK.