The Growing Threat of Cyber Extortion in Healthcare

Cyber extortion, or the act of cybercriminals demanding payment through the use of or the threat of malicious activity against a victim, has increasingly become the method of choice for hackers who are trying to profit from digital crime. Because health care providers store and maintain large amounts of protected health information and other sensitive personal data, cybercriminals frequently target such individuals or organizations. Such attacks can cause serious damage, expose protected health information, and disrupt a provider’s ability to provide care to its patients.  

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has recently published a number of fact sheets and alerts on this issue, due to the significant amount of activity affecting health care organizations. As OCR describes in its alerts, ransomware, Denial of Service (DoS), and Distributed Denial of Service (DDoS) attacks are some of the tactics most frequently employed by cybercriminals. Ransomware, a type of malicious software, attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. In DoS and DDoS attacks, very high volumes of network traffic are directed to targeted computers resulting in the affected computers being unable to respond or appearing inaccessible to legitimate users. Cybercriminals then demand payment to halt the attack. Cybercriminals can also find ways to gain access to an organization’s computer system, steal data from the organization, and then threaten to publish the data. The cybercriminal then uses the threat of exposing the data to force the organization to make payment.

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to assess the vulnerability of their systems and document and correct any discovered vulnerabilities. If your health care organization is affected by a ransomware attack or other type of cyber extortion, there are steps you will need to take to comply with the applicable requirements under HIPAA as well as other legal reporting obligations. At Frier Levitt, we can help you understand these requirements as well as implement policies and practices to reduce the risk of such an attack on your organization. Contact us to learn more.