Ransomware is so rampant that more than 4,000 attacks have been launched every day since 2016,[1] including some 65,000 attacks in 2020 alone,[2] and 68 percent of U.S. organizations that were hit last year ultimately paid the ransom.[3]
The threat has once again been elevated to the White House, which issued an open letter in June cautioning that U.S. businesses need to deploy tactics to “disrupt and deter” ransomware attacks, similar to what the federal government is undertaking[4] in response to the incidents that took down the IT networks of Colonial Pipeline and the meat-packing giant JBS USA Holdings in May.
Last week, the Biden Administration held a closed-door Counter-Ransomware Initiative meeting[5] during which 32 countries, notably excluding Russia, began work on identifying ways to thwart ransomware attacks.[6] “From malign operations against local health providers that endanger patient care, to those directed at businesses that limit their ability to provide fuel, groceries, or other goods to the public, ransomware poses a significant risk to critical infrastructure, essential services, public safety, consumer protection and privacy, and economic prosperity,” the ministers and representatives of the Counter-Ransomware Initiative noted in a joint statement.[7]
While that initiative spans many industries, health care consistently ranks among the most-targeted sectors for ransomware, trailing only the public sector and professional services in a recent report.[8]
Critical future considerations for ransomware
Many CEOs, in health care and other sectors, have received or will receive their ransomware education the hard way: sitting in a conference room alongside attorneys and law enforcement, likely the FBI, negotiating by phone with the criminals demanding payment to restore access to locked data, and learning how to lead the organization through the crisis in real time.
The critical decisions at that point have historically been whether to pay and when to issue breach notifications. Neither is simple, even for organizations with off-site backup data centers that keep the business running while on-premises data is encrypted, and four developments could complicate matters further:
- Hybrid workforces are less secure and introduced new vulnerabilities
- COVID-19 made contracting with third-parties harder but even more necessary
- Lawmakers are looking to make disclosure rules more aggressive
- Post-attack lawsuits appear poised to become commonplace
Hybrid workforces are less secure and introduced new vulnerabilities
As the pandemic catalyzed remote and hybrid work, the new conditions also multiplied the number of endpoints operating outside the corporate perimeter. Moreover, because organizations moved large parts of the workforce to remote work essentially overnight, many did so without time to prepare security controls accordingly.
Many organizations’ security protocols have in fact become more lenient in hybrid environments than they are in physical facilities. More than half (61 percent) struggled to establish secure remote work capabilities,[9] a problem made worse by the 35 percent who believe that employees circumvented or even disabled security measures.[10] As a result, 53 percent of organizations that prioritized remote access over security now carry risks from doing so, including the unsanctioned use of applications and unchecked policy violations.[11]
Security professionals said the top concerns about hybrid workforces include the security of home internet connections, leaked sensitive company information and cyberattacks, including ransomware.[12] As many as 99 percent of 1,500 security professionals across various industries indicated that they do not believe all of their endpoints are protected,[13] which poses considerable risk.
Other common security concerns include poor data protection methods, lack of privacy in the home, phishing attacks, poor password management and compliance violations.[14]
And since the health care industry and the public sector are already under-resourced for security and tend to be among the slowest to resolve security incidents,[15] it is not surprising that only 5 percent of security professionals claimed to have “no security concerns” about a hybrid workforce.[16]
COVID-19 made contracting with third-parties harder but even more necessary
In response to risk factors catalyzed by the pandemic, notably remote work, systems to support virtual work and care delivery, and staffing challenges, health care organizations plan to contract with more third parties in the next 12 months. The average number of such arrangements is expected to rise from 1,950 today to 2,541 per organization.[17]
“Third-party products and services are a necessary and critical part of the IT blueprint, but each brings another set of risk factors to the table. Some risks are inherent to the third party such as secure operating systems and other software in medical devices. Other risks involve storing protected health information (PHI) on cloud-based systems that weren’t meant to support it. In either case, the risk created by the third party needs to be managed,” according to the Ponemon Institute report The Impact of Ransomware on Healthcare During COVID-19 and Beyond, sponsored by Censinet. “The burden is on the health care organization to perform assessments throughout their relationship with the third party.”
Yet Ponemon found that only 40 percent of participants “always complete a risk assessment” with third parties prior to contracting, and only 15 percent conduct annual reassessments of third-party products and services.[18] Ponemon also cautioned that certifications and frameworks such as HITRUST or SOC do not necessarily replace the need for regular reassessments.
Further, when assessments uncovered gaps in a third party’s practices or policies, only 44 percent took the risk seriously enough to switch to another third party, while 51 percent required the contractor to remediate the gap and 50 percent assisted in remediating the third party’s privacy and security protocols.[19]
This pandemic-driven growth in third-party engagements, many of them intended to help manage information security and defend against attacks such as ransomware, demands more vigilance from executives in managing those partnerships.
Lawmakers are looking to make disclosure rules more aggressive
The argument for not immediately alerting authorities, patients or members after an attack, rather than disclosing it or issuing a breach notification right away, is that executives need time to investigate, particularly when the FBI is involved: time for their teams to monitor the affected servers and systems, identify the malicious actors and ideally support their apprehension, evaluate what assets the attackers leveraged to perpetrate the attack, and then determine the most appropriate messaging to the public. But as more states institute breach notification rules[20] and organizations make that information public,[21] the old adage that a ransomware attack does not necessarily constitute a breach is vanishing.
Earlier this month, in fact, Sen. Elizabeth Warren (D-MA) and Rep. Deborah Ross (D-NC) introduced the bicameral Ransom Disclosure Act.[22] The proposed legislation would require organizations that pay a ransom to notify the Department of Homeland Security within 48 hours of doing so and to provide key details of the incident, including the date the ransom was demanded and the date it was paid, the amounts demanded and paid, the currency used to make the payment (including any cryptocurrency), whether the covered entity receives federal funds, and any other relevant information about the identity of the actor demanding the ransom.
The proposed legislation has been criticized for turning targets into victims by forcing organizations to disclose the attack and for not shielding the related details from Freedom of Information Act requests,[23] and it has been lauded as a step toward easing the stigma associated with being the victim of such an attack.[24]
That bill’s fate remains to be seen, but other regulatory changes that alter breach disclosure are already being enacted. In September, for example, the Federal Trade Commission issued a policy statement clarifying that its 2009 Health Breach Notification Rule applies to makers of apps and connected devices that collect personal health information, and warned that they are obligated to notify consumers when that data is breached, including when it is shared without the consumer’s authorization.[25]
Also in September, the U.S. Treasury Department’s Office of Foreign Assets Control updated its advisory on the sanctions risks of making and facilitating ransomware payments, noting that it had added the SUEX cryptocurrency exchange to its Specially Designated Nationals and Blocked Persons List for facilitating ransom payments to criminals.[26] OFAC also reiterated that the U.S. government strongly discourages ransom payments, and explained that it will treat prompt reporting of the attack to law enforcement and full cooperation with the investigation as significant mitigating factors in any enforcement decision, along with defensive measures the organization had in place beforehand, such as the offline backups, incident response planning, staff training and regular patching recommended in CISA’s ransomware guidance.
Post-attack lawsuits appear poised to become commonplace
After Scripps Health’s high-profile ransomware-driven data breach, the San Diego health system is facing multiple class-action lawsuits alleging that it failed to adequately protect patient data and potentially exposed those individuals to identity theft or medical fraud.[27]
Scripps Health is just one example; Springhill Medical Center is another. A lawsuit there alleges what could be the first death attributable to a ransomware attack: according to the suit, the provider did not pay the ransom and the attack’s effects led to a preventable death.[28] The case has since prompted a negligent homicide investigation.[29]
In another example, a class-action lawsuit was filed against Northwestern Medicine for failing to guard sensitive data in a breach[30] that involved Elekta, the radiation equipment vendor that is itself the subject of a separate lawsuit over an April data breach.[31]
Those are just a few of a growing number of instances in which patients are suing hospitals and health systems are suing technology vendors, portending a future in which ransomware and other cyberattacks become grounds for medical malpractice lawsuits.[32]
While HIPAA’s Breach Notification Rule requires covered entities to notify affected individuals and the U.S. Department of Health and Human Services when unauthorized access to protected health information occurs,[33] and it is viewed as the strictest of federal data protection laws,[34] the rule sets only minimum requirements, and HHS recommends that covered entities implement more stringent information security protocols.[35] Notably, HHS’s ransomware guidance treats the encryption of electronic PHI by ransomware as a presumptive breach: the covered entity must notify unless it can demonstrate a low probability that the PHI was compromised.[33]
What’s more, the great unknown after an attack is which of two things happened: whether the criminals simply encrypted the data, handed over the keys once the ransom was paid and moved on to the next victim, or whether they also exfiltrated it, an increasingly common tactic.[36] In the latter case the problem does not end with decryption; the stolen data can be leaked or resold later, creating new and previously unforeseen complications.
That the threat landscape continues to expand as attackers become increasingly sophisticated[37] is well understood and unlikely to change anytime soon. The business model, after all, works reasonably well for cybercriminals: when victims pay, attackers deliver a working decryption tool 98 percent of the time[38] and victims recover about 97 percent of their data.[39]
Despite early promises by cybercriminals not to attack health care entities during the pandemic,[40] only 47 percent have actually blacklisted the sector,[41] and in mid-September HHS issued a warning about BlackMatter,[42] one of the groups that claims not to target health care.
In addition to the baseline information security protocols that should already be in place, CEOs, other C-suite executives and privacy and security leaders need to be steadfast about securing virtual workers more effectively and routinely, managing the third parties that have access to health data, monitoring and preparing for regulatory changes that affect disclosure obligations, and understanding the potential for lawsuits to follow an attack.
Sources & Citations
1. How to protect your networks from ransomware, U.S. government interagency report
2. US suffers over 7 ransomware attacks an hour. It’s now a national security risk, Recorded Future via NPR; Recorded Future confirmed the statistic but does not have a formal report containing it at this point.
3. Share of organizations in the United States that experienced a ransomware attack and paid the ransom in 2020, Statista
4. White House warns companies to act now on ransomware defenses, The New York Times
5. Background on the virtual Counter-Ransomware Initiative meeting, White House
6. White House unveils 32 countries invited to participate in ransomware meeting, NextGov
7. Joint statement of the ministers and representatives from the Counter-Ransomware Initiative meeting, White House
8. Q2 ransom payment amounts decline as ransomware becomes a national security priority, Coveware
9. The state of hybrid workforce security 2021, Palo Alto Networks
10. The state of hybrid workforce security 2021, Palo Alto Networks
11. The state of hybrid workforce security 2021, Palo Alto Networks
12. Securing the new hybrid workforce, Entrust
13. Voice of SecOps report, 2nd edition, Deep Instinct
14. Securing the new hybrid workforce, Entrust
15. Voice of SecOps report, 2nd edition, Deep Instinct
16. Voice of SecOps report, 2nd edition, Deep Instinct
17. The Impact of Ransomware on Healthcare During COVID-19 and Beyond, Ponemon Institute
18. The Impact of Ransomware on Healthcare During COVID-19 and Beyond, Ponemon Institute
19. The Impact of Ransomware on Healthcare During COVID-19 and Beyond, Ponemon Institute
20. State data breach notification laws, Foley & Lardner
21. State data breach notification chart, IAPP
22. Ransom Disclosure Act, Elizabeth Warren
23. Opinion: Warren’s ransomware bill victimizes targets, The Hill
24. Ransom disclosure act would require victims to disclose ransom payments within 48 hours, Security Magazine
25. FTC warns health apps and connected device companies to comply with health breach notification rule, Federal Trade Commission
26. Updated advisory on potential sanctions risks for facilitating ransomware payments, U.S. Treasury Department
27. Scripps Health faces dual class-action suits citing ransomware records breach, The San Diego Union-Tribune
28. A hospital hit by hackers, a baby in distress: The case of the first alleged ransomware death, Wall Street Journal
29. Ransomware attack on Springhill Medical Center leads to a negligent homicide investigation after a baby dies, CPO Magazine
30. Northwestern Medicine hit with proposed data breach class action suit, Bloomberg Law
31. Healthcare vendor ransomware attack stalls cancer treatments, 170 health systems hit, Compliancy Group
32. Lawsuits allege death, morbidity from cyberattacks: Is this the next phase of medical malpractice?, SC Magazine
33. Ransomware fact sheet, U.S. Department of Health and Human Services
34. Ransomware: The legal cheat sheet for breach notification, Varonis
35. Ransomware fact sheet, U.S. Department of Health and Human Services
36. Ransomware: The data exfiltration and double extortion trends, Center for Internet Security
37. Ransomware state of the union: Regulations, trends and mitigation strategies, Reuters
38. Ransomware costs double as Ryuk, Sodinokibi proliferate, Coveware
39. Ransomware costs double as Ryuk, Sodinokibi proliferate, Coveware
40. Hackers promise ‘No more health care cyber attacks’ during COVID-19 crisis, Forbes
41. The ideal ransomware victim: What attackers are looking for, KELA
42. Demystifying BlackMatter, HHS