[BreachExchange] The Cost of Ransomware Attacks Can Reach Far Beyond the Ransom Payment Itself

[Audrey McNeil]

http://www.healthcare-informatics.com/article/cybersecurity/cost-ransomware-
attacks-can-reach-far-beyond-ransom-payment-itself

The ransomware epidemic continues to spread. According to the Federal
Bureau of Investigation, ransomware victims in the United States reported a
total of more than $209 million in losses in the first three months of 2016
alone. The U.S. Department of Justice has reported that an average of 4,000
ransomware attacks occur in the United States each day.

Given the amount of sensitive data maintained by healthcare providers, and
the reality that certain providers’ cyber defenses are less robust than
those in place in other industries such as financial services, the
healthcare industry is an attractive target for cybercriminals. As the
proliferation of ransomware continues, an increasing number of healthcare
providers have fallen prey to these attacks. In a blog post, Jocelyn
Samuels, director of the U.S. Department of Health and Human Services
Office for Civil Rights (OCR), described the possibility of cyberattacks
conducted using ransomware and other means as “[o]ne of the biggest current
threats to health information privacy.” Indeed, many recent ransomware
attacks have targeted major healthcare institutions. For example, in
February 2016, ransomware at Hollywood Presbyterian Medical Center in
California compromised access to the hospital’s computer systems for
several days. Hollywood Presbyterian announced that it paid a ransom to
unfreeze its files, but the cost of a ransomware attack can reach far
beyond the ransom payment itself.

Paying the Ransom: Just the Beginning?

In the prototypical ransomware attack, a hacker installs malware on a
company’s computer systems that prevents users from accessing critical
data, often by encrypting that data. As the moniker “ransomware” would
suggest, perpetrators then demand payment from the victim company in
exchange for unlocking or returning the data.

Hackers can gain access to company computer systems through a variety of
means, ranging from “planting” a seemingly misplaced thumb-drive carrying
malware in a company parking lot (where it can be discovered by a
well-meaning employee and inserted into a company computer), to spear
phishing or other social engineering ploys to gain login credentials.
Thanks to the availability of digital currency transactions, hackers can
enjoy fast, remote, relatively anonymous access to cash paid by their
sometimes desperate victims.

The healthcare industry is a particularly attractive target for ransomware
attacks given the amount of data providers maintain, the importance of the
data, and the gravity of denying access to that information. Blocking
critical patient data can have crippling effects on the operations of a
healthcare provider. When faced with potentially deadly consequences, some
healthcare providers may feel pressure to pay the ransom, but succumbing to
a hacker’s ransom demands may mark only the beginning of the company’s
problems.

First, paying the ransom does not guarantee that the hackers will unlock
the company’s data, and there is no way to ensure that the hackers will not
corrupt or otherwise alter the data before returning the information to the
victim healthcare provider. Paying a ransom also may embolden the attacker,
encouraging further attacks on the institution itself or on other
similarly-situated organizations within the industry.

Moreover, paying a ransom does not resolve the issue of any protected
health information (PHI) affected by the attack. Ransomware attacks
resulting in unauthorized “acquisitions” of PHI barred by the Healthcare
Insurance Portability and Accountability Act (HIPAA) may trigger a
provider’s notice obligations unless the covered entity can demonstrate a
“low probability that the [PHI] has been compromised,” according to federal
regulations. Otherwise, victim healthcare providers may need to provide
notice to HIPAA’s primary enforcement agency, HHS OCR, and affected
patients, among others. Companies then may face exposure to broad and often
burdensome investigations, the scope of which may extend far beyond the
parameters of the initial breach into a company-wide security program
review.

Substantial payments can be required to resolve government investigations
initiated by instances of unauthorized acquisitions of PHI. For example,
earlier this year, HHS OCR announced that Advocate Health Care Network
agreed to adopt a corrective action plan and pay $5.55 million to resolve
potential HIPAA violations following breaches that affected the electronic
PHI of approximately four million individuals. Similarly, in 2014, New York
Presbyterian Hospital agreed to a corrective action plan and a $3.3 million
payment to settle potential HIPAA violations.

How to Be Prepared

The time to start thinking about containment and mitigation is before an
attack occurs. Responding to a ransomware attack can be daunting, but
healthcare providers should consider the following key data management and
information governance strategies when assessing the security of their
systems:

Conduct periodic cyber-risk audits to identify any areas of weakness,
ranging from potential external penetration to insider actions.
Develop, codify, and train personnel on a comprehensive data breach
response plan with clearly assigned responsibilities.
Maintain proper computer system hygiene, including implementing regular
system and application updates to avoid exposure to malware through
outdated, unsupported, or improperly patched software.
Implement robust data back-up systems, segregated from other company
systems.
Enable mechanisms for quick system restoration from these back-ups when
required.
Evaluate sources of ransomware risk, educate personnel on common strategies
employed by hackers, and implement basic supporting mechanisms (e.g., train
personnel to avoid phishing techniques and alert personnel when email has
been sent from outside the company).
Regularly update policies and procedures to incorporate lessons learned and
to stay abreast of current trends.

If an incident does occur, providers should be prepared to activate their
data breach response plan.  A key component of such plans is engaging with
law enforcement and regulators. Given the sensitive nature of these
communications and the potential impacts on future regulatory
investigations and litigation, it is often helpful to engage in such
communications through experienced outside counsel.

Healthcare providers must take deliberate steps to prevent and mitigate the
impact of ransomware attacks. While not exhaustive, the steps enumerated
above can help better position companies for successful navigation through
these high-pressure and often high-stakes situations.

Guidance on how to protect against ransomware is available from the U.S.
Department of Homeland Security, the U.S. Department of Health & Human
Services Office for Civil Rights and the U.S. Federal Trade Commission.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161223/8061d6f0/attachment.html>