Ransomware Particularly Inflicts Health Care and Life Sciences Organizations
Ransomware is a malicious cyber threat vector that employs encryption malware to prevent users from accessing their systems and data unless a ransom is paid in exchange for decryption keys. What once was simple extortion has morphed into a triple threat. Criminal hackers now not only threaten to publish data unless a ransom is paid in cryptocurrency in exchange for an unlocking key and assurances that any data taken are deleted, but also increasingly exfiltrate sensitive data and share it with others, often host governments adverse to U.S. interests. These hackers also use the data of a victim’s customers or contacts to perpetrate additional exploits.
The recent ransomware attack against Colonial Pipeline shut down gasoline supplies for much of the East Coast and highlighted the vulnerability of our critical infrastructure, of which the health care and life sciences sector is an important part. One easily can envisage the risk to hospitals, for example, being cut off from the electronic records needed to evaluate their patients, who then might not be able to get life-saving care. Likewise, pharmaceutical and medical device companies are at great risk if their coded clinical trial participant data, some of which contain trade secrets, are implicated in a ransomware attack. In sum, thieves crave health care data for a variety of reasons, including the weaknesses of their targets’ cybersecurity, the potential utility of identifiable personal information, the value of clinical and device intellectual property, and the fact that health information can be used as the basis for phony billings to federal and state payment authorities. And many, if not most, of these cybercriminals are based in countries, China and Russia particularly, that protect them from the reach of U.S. law enforcement.
As a result, many institutions have met ransomware attacker demands and paid requested ransoms, seeing it as the most efficient manner of handling the situation. They have been supported by their insurers who have reckoned that the costs of system repair and data restoration often exceed the cost of ransom payment. However, because the demands have escalated, hackers have been proving more ambitious and less reliable, and, most significantly, the U.S. government has come to recognize that ransomware attacks on elements of the critical infrastructure, including entities related to health care, are jeopardizing national security, the payment and compliance landscape has changed.
Recently, the Federal Bureau of Investigation (“FBI”), the U.S. Department of Health and Human Services (“HHS”), and the Cybersecurity & Infrastructure Security Agency (“CISA”) released a report calling attention to the rampant ransomware activity targeting the health care sector. Other parts of the Executive Branch, including the U.S. Department of Justice itself, have stated that ransomware is now a top priority for law enforcement and national security. Additionally, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) has cast a warning cloud over the payment of ransom to hackers who might be agents of countries hostile to the United States.
Given this evolution of enforcement policy, even where paying a ransom is deemed necessary, as it was in the case of Colonial Pipeline, it is manifestly more necessary than ever for an entity to have robust compliance and resilience measures in place that address security, regulatory oversight, and federal and state enforcement.
Thus, this Client Alert summarizes (a) the changing regulatory and enforcement landscape and risks for health care organizations, (b) proactive measures health care organizations should take to help prevent ransomware attacks, and (c) reactive measures that a health care organization should take in the wake of a ransomware attack.