Tom Sullivan | October 20, 2021
Ransomware is so rampant that more than 4,000 attacks have been launched every day since 2016,[1] including some 65,000 attacks in 2020 alone,[2] such that 68 percent of organizations in the U.S. were attacked and ultimately paid the ransom last year.[3]
The security threat has once again been elevated to the White House, which issued an open letter in September cautioning that U.S. businesses need to deploy tactics to “disrupt and deter” ransomware attacks. Such action would be similar to what the federal government is undertaking[4] in response to successful security incidents bringing down the IT networks of Colonial Pipeline and the meat packing giant JBS USA Holdings during the summer.
Last week, the Biden Administration held a closed-door Counter-Ransomware Initiative meeting[5] during which 32 countries, notably excluding Russia, began steps to identify ways to thwart ransomware attacks.[6] “From malign operations against local health providers that endanger patient care, to those directed at businesses that limit their ability to provide fuel, groceries, or other goods to the public, ransomware poses a significant risk to critical infrastructure, essential services, public safety, consumer protection and privacy, and economic prosperity,” the ministers and representatives of the Counter-Ransomware Initiative noted in a joint statement.[7]
While that particular initiative spans many industries, health care consistently ranks among the most-targeted sectors when it comes to ransomware attacks, following only the public sector and professional services in a recent report.[8]
Critical future considerations for ransomware
Many CEOs, in health care and other sectors, have obtained or will obtain their ransomware education the hard way: sitting in a conference room alongside attorneys and law enforcement, likely the FBI, negotiating by phone with the criminals demanding payment to restore access to locked data, and learning in real time how to lead the organization through the crisis.
While the critical decisions at that point have historically been whether or not to pay and when to issue breach notifications, neither matter is simple — even for organizations with off-site backup datacenters that enable business continuity while on-premise data is encrypted — and four considerations could complicate matters even further:
Hybrid workforces are less secure and have introduced new vulnerabilities
As the pandemic catalyzed remote and hybrid work, the new conditions also increased the number of endpoints. Moreover, because organizations virtualized parts of the workforce essentially overnight, many achieved that feat without time to prepare security controls accordingly.
Many organizations’ security protocols, in fact, have become more lenient in hybrid environments than they are in physical facilities. More than half (61 percent) struggled to establish secure remote work capabilities,[9] a reality made worse because 35 percent believe that employees circumvented or even disabled security measures.[10] As a result, 53 percent of organizations that prioritized remote access over security now face risks from doing so, including the unsanctioned use of applications and unchecked policy violations.[11]
Security professionals said the top concerns of new hybrid workforces include the security of home internet connections, leaked sensitive company information and cyberattacks, including ransomware.[12] As many as 99 percent of 1,500 security professionals across various industries indicated that they do not believe all of their endpoints are protected,[13] which poses considerable risk.
Other common security concerns include poor data protection methods, lack of privacy in the home, phishing attacks, poor password management and compliance violations.[14]
And since the health care industry and the public sector are already under-resourced security-wise and tend to be among the slowest to resolve security incidents,[15] it is not surprising that only 5 percent of security professionals claimed to have “no security concerns” about a hybrid workforce.[16]
COVID-19 made contracting with third parties harder but even more necessary
In response to risk factors catalyzed by the pandemic, notably remote work, systems to support virtual work and care delivery, as well as staffing challenges, health care organizations are planning to contract with more third parties in the next 12 months. The average number of such arrangements will rise from 1,950 presently to an average of 2,541 per organization.[17]
“Third-party products and services are a necessary and critical part of the IT blueprint, but each brings another set of risk factors to the table. Some risks are inherent to the third party such as secure operating systems and other software in medical devices. Other risks involve storing protected health information (PHI) on cloud-based systems that weren’t meant to support it. In either case, the risk created by the third party needs to be managed,” according to the Ponemon Institute report The impact of ransomware on health care during COVID-19 and beyond, sponsored by Censinet. “The burden is on the health care organization to perform assessments throughout their relationship with the third party.”
Yet Ponemon found that only 40 percent of participants “always complete a risk assessment” with third parties prior to contracting and only 15 percent conduct annual reassessments of third-party products and services.[18] Ponemon also cautioned that certifications and frameworks such as HITRUST or SOC do not necessarily replace the need for regular reassessments.
Further, when assessments uncovered gaps in a third party’s practices or policies, only 44 percent took that risk seriously enough to switch to another third party, while 51 percent required the contractor to remediate the gap and 50 percent assisted in such remediation of third-party privacy and security protocols.[19]
The pandemic-driven growth in third-party engagements, combined with the need to manage information security and protect against attacks such as ransomware, requires more vigilance from executives in managing those partnerships.
Lawmakers are looking to make disclosure rules more aggressive
The argument for not immediately alerting authorities, patients or members after an attack, whether by disclosing it or by issuing a breach notification, is that executives need time to investigate, particularly when the FBI is involved. Executives need time for their teams to monitor the servers and systems that are impacted, identify and ideally apprehend malicious actors, evaluate what assets the attackers leveraged to perpetrate the attack and then determine the most appropriate messaging to the public. But as more states institute breach notification rules[20] and organizations make that information public,[21] the old adage that ransomware does not necessarily lead to a breach is vanishing.
Earlier this month, in fact, Sen. Elizabeth Warren (D-MA) and Rep. Deborah Ross (D-NC) introduced the bicameral Ransom Disclosure Act.[22] The proposed legislation would require organizations that pay a ransom to notify the Department of Homeland Security within 48 hours of doing so and provide key pieces of information about the incident, including: the date the ransom was demanded and when it was paid, the amount demanded and paid, the currency (including cryptocurrency) used to make the payment, whether the covered entity receives federal funds, and any other relevant information about the identity of the actor demanding the ransom.
The proposed legislation has been criticized for turning targets into victims by forcing organizations to disclose the attack, and for not protecting related details from Freedom of Information Act requests,[23] but it has also been lauded as a step toward easing the stigma associated with being the victim of such an attack.[24]
That bill’s fate remains to be seen, but other regulatory changes are being enacted to alter breach disclosure. The Federal Trade Commission in September, for example, clarified a 2009 Health Breach Notification policy statement and warned that makers of apps and devices which collect personal health information are obligated to notify consumers in the event their data is breached or intentionally shared without prior consent.[25]
Also in September, the U.S. Treasury Department’s Office of Foreign Assets Control updated its guidance with information about potential sanctions for making and facilitating ransomware payments, including an explanation that it added the SUEX cryptocurrency exchange to its Specially Designated Nationals and Blocked Persons List for facilitating ransom payments to criminals.[26] OFAC also reiterated the U.S. government’s stance on strongly discouraging ransom payments and explained that disclosing the attack and cooperating with law enforcement would be considered mitigating factors.
Post-attack lawsuits appear poised to become commonplace
After Scripps Health’s high-profile data breach, the health system is facing multiple class-action lawsuits alleging that it failed to adequately protect patient data and potentially exposed those individuals to identity theft or medical fraud.[27]
Scripps Health is just one example. Springhill Medical Center is another. A new lawsuit alleges what could be the first death attributable to a ransomware attack: the provider did not pay the ransom, and the suit says that led to a preventable death.[28] The case has subsequently resulted in a negligent homicide investigation.[29]
In another example, a class-action lawsuit was filed against Northwestern Medicine for not guarding sensitive data from a breach[30] that involved Elekta, the radiation equipment vendor at the center of a separate lawsuit against it for an April data breach.[31]
Those are just a few of the expanding number of instances in which patients are suing hospitals and health systems are suing technology vendors, and they portend a future in which ransomware and other cyberattacks become part of medical malpractice lawsuits.[32]
While HIPAA’s Breach Notification Rule requires covered entities to notify consumers and the U.S. Department of Health and Human Services when unauthorized access to protected health information occurs,[33] and it is viewed as the strictest of federal data protection laws,[34] the rule constitutes minimum requirements, and HHS recommends that covered entities implement more stringent information security protocols.[35]
What’s more, the great unknown after an attack is whether the sensitive data was simply encrypted until the ransom was paid and the keys returned, after which the criminals moved on to the next victim, or whether the attackers also exfiltrated the data, an increasingly common tactic,[36] in which case the crux of the problem could re-emerge in the future and create new and previously unforeseen complications.
That the threat vector continues to expand as attackers become increasingly sophisticated[37] is well understood and not likely to change anytime in the near future. The business model, after all, functions reasonably well for cyber criminals; that’s why malicious actors deliver the tools to unlock data 98 percent of the time[38] and victims regain access to 97 percent of their data.[39]
Despite early promises by cybercriminals not to attack health care entities during the pandemic,[40] only 47 percent have actively blacklisted the sector,[41] and HHS in mid-September issued a warning about BlackMatter,[42] one such group that claims not to target health care.
In addition to baseline information security protocols that should already be established, CEOs, C-suite executives and privacy and security leaders need to be steadfast in more effectively and routinely securing virtual workers, managing third parties that have access to health data, monitoring and preparing for regulatory changes that can impact disclosure protocols, and understanding the potential for lawsuits to emerge after attacks.
Sources & Citations
1. U.S. government interagency report, How to protect your networks from ransomware
2. Recorded Future* via NPR, US suffers over 7 ransomware attacks an hour. It’s now a national security risk *Recorded Future confirmed the statistic but does not have a formal report containing it at this point.
3. Statista, Share of organizations in the United States that experienced a ransomware attack and paid the ransom in 2020
4. The New York Times, White House warns companies to act now on ransomware defenses
5. White House, Background on the virtual Counter-Ransomware Initiative meeting
6. NextGov, White House unveils 32 countries invited to participate in ransomware meeting
7. White House, Joint statement of the ministers and representatives from the Counter-Ransomware Initiative meeting
8. Coveware, Q2 ransom payment amounts decline as ransomware becomes a national security priority
9. Palo Alto Networks, The state of hybrid workforce security 2021
10. Palo Alto Networks, The state of hybrid workforce security 2021
11. Palo Alto Networks, The state of hybrid workforce security 2021
12. Entrust, Securing the new hybrid workforce
13. Deep Instinct, Voice of SecOps report, 2nd edition
14. Entrust, Securing the new hybrid workforce
15. Deep Instinct, Voice of SecOps report, 2nd edition
16. Deep Instinct, Voice of SecOps report, 2nd edition
17. Ponemon Institute, The impact of ransomware on health care during COVID-19 and beyond
18. Ponemon Institute, The impact of ransomware on health care during COVID-19 and beyond
19. Ponemon Institute, The impact of ransomware on health care during COVID-19 and beyond
20. Foley & Lardner, State data breach notification laws
21. IAPP, State data breach notification chart
22. Elizabeth Warren, Ransom Disclosure Act
23. The Hill, Opinion: Warren’s ransomware bill victimizes targets
24. Security Magazine, Ransom disclosure act would require victims to disclose ransom payments within 48 hours
25. Federal Trade Commission, FTC warns health apps and connected device companies to comply with health breach notification rule
26. U.S. Treasury Department, Updated advisory on potential sanctions risks for facilitating ransomware payments
27. San Diego Union-Tribune, Scripps Health faces dual class-action suits citing ransomware records breach
28. Wall Street Journal, A hospital hit by hackers, a baby in distress: The case of the first alleged ransomware death
29. CPO Magazine, Ransomware attack on Springhill Medical Center leads to a negligent homicide investigation after a baby dies
30. Bloomberg Law, Northwestern Medicine hit with proposed data breach class action suit
31. Compliancy Group, Healthcare vendor ransomware attack stalls cancer treatments, 170 health systems hit
32. SC Magazine, Lawsuits allege death, morbidity from cyberattacks: Is this the next phase of medical malpractice?
33. U.S. Health and Human Services Department, Ransomware fact sheet
34. Varonis, Ransomware: The legal cheat sheet for breach notification
35. HHS, Ransomware fact sheet
36. Center for Internet Security, Ransomware: The data exfiltration and double extortion trends
37. Reuters, Ransomware state of the union: Regulations, trends and mitigation strategies
38. Coveware, Ransomware costs double as Ryuk, Sodinokibi proliferate
39. Coveware, Ransomware costs double as Ryuk, Sodinokibi proliferate
40. Forbes, Hackers promise ‘No more health care cyber attacks’ during COVID-19 crisis
41. KELA, The ideal ransomware victim: What attackers are looking for
42. HHS, Demystifying BlackMatter