FBI Announces Ransomware Attacks Targeting U.S. Hospitals and Healthcare Providers
On Wednesday, October 28, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the FBI announced an “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” Preliminary news reports have identified that several institutions have already been affected by an attack. Ransomware attacks have targeted and crippled a variety of organizations, both large and small, including government agencies. The goal of a ransomware attack is to encrypt and make unusable all of a company’s data as fast as possible and receive a ransom in exchange for that data’s return.
The Health Insurance Portability and Accountability Act (“HIPAA”) governs the privacy and security standards that must be afforded to protected health information, which is compromised in most cyberattacks involving healthcare providers. HIPAA requires covered entities and business associates to conduct regular risk analyses and implement safeguards accordingly. A risk analysis is intended to cause the organization to document its comprehensive practices, evaluate areas of risk, and to protecting against identified vulnerabilities. Risk analyses must be conducted on a regular basis, including when internal protocols change or are updated, to account for novel risks and to reevaluate the reasonableness of existing safeguards.
An assessment, however, is not enough. Pursuant to HIPAA, entities must maintain comprehensive disaster contingency plans detailing how they will continue to operate in the event of an attack or disaster. An effective response plan must have clear reporting structures to enable efficient responses to security incidents. Additionally, companies must be able to quickly isolate affected systems and networks while allowing unaffected systems to continue operating. The more time an organization spends deciding how to react instead of responding, the greater the spread and impact of the attack.
Additionally, in the event of a ransomware attack, payment of a ransom is not recommended by several federal agencies. For example, on October 1, 2020, the Department of Treasury Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network issued a joint advisory underscoring that payments of ransoms to malicious cyber actors may implicate federal sanctions laws. OFAC recommends that any ransomware attack be reported to law enforcement. Any ransomware payment poses a risk because the recipient of the payment is anonymous. Typically, ransoms are demanded through largely untraceable virtual currencies, like Bitcoin. A victim who pays a ransom using a virtual currency typically does not know who is on the receiving end of that payment. As such, the anonymity of the transaction poses significant risk that a payment may reach a sanctioned person or entity in violation of federal law. If a ransom is paid, and if that payment violates sanctions laws, OFAC will consider self-disclosure of the same “to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”
How Frier Levitt Can Help
The recent announcement by the FBI reiterates a sentiment that has already been considered by many covered entities and their business associates: healthcare providers are clear targets of various forms of cyberattacks. These organizations must act accordingly to protect their systems and data, prevent these attacks, and ensure their adherence with HIPAA. Contact Frier Levitt for assistance with both preventing and responding to a variety of HIPAA breaches and violations, including the development of comprehensive HIPAA compliance manuals as well as the preparation of appropriate risk analyses given the increased cybersecurity threat identified by the FBI.