Cybercrime Holds Health Care Organizations Hostage
Computer hackers insert malware on a large hospital network, which encrypts the hospital’s systems, forcing the hospital to revert to paper records and potentially compromising patient care. The only way the hospital can regain control of its systems is to pay a ransom, in bitcoin.
It may sound like the plot of a Hollywood blockbuster, but this was the recent reality for Hollywood Presbyterian Hospital in Los Angeles for 10 days in February 2016. While the real-life data hostage situation took many by surprise, unfortunately, these situations are common — though most organizations are able to avoid the public relations nightmare that befell Hollywood Presbyterian.
These attacks involve hackers placing malware on the hospital’s network that encrypts a variety of system and data files, making the data unreadable and the systems unusable. The malware was likely delivered by “phishing”: hackers send employees emails containing a link or attachment that carries the malware. Once an employee clicks the link or opens the attachment, the malware runs on that workstation and, from there, can encrypt files on the local disk and on any network shares the employee’s account can write to.
Ransomware locks down systems
The malware in this type of cyberattack is called “ransomware”: malicious software that encrypts key system and data files and then demands a ransom in exchange for the decryption key that unlocks them. In this case, after 10 days of locked-down systems, the hospital’s leadership decided to pay the ransom in order to regain access to and control of its systems. The hospital paid about $17,000 in bitcoin, a cryptocurrency that lets attackers collect payment without a bank account and that is difficult, though not impossible, to trace (transactions are public, but the parties are pseudonymous). In addition to the ransom, the hospital will spend significant resources evaluating the event and remediating systems and processes to ensure it doesn’t happen again.
Asking the right questions after an incident
After a security breach, health care organizations must figure out how the event occurred, and why the organization was unable to react in a timely manner to isolate and quarantine the malware and restore systems to functionality. Answering the following questions will be a significant part of the post-incident analysis:
- Was backup data available, unaffected by the attack, and restorable within an acceptable time?
- If this attack was delivered through email, did the employees have user awareness training on the topic of phishing and how to identify malicious emails?
- If this attack came from an employee visiting a website or clicking a link, did the organization have web content filtering in place?
- What controls should have been in place to either prevent the attack or mitigate the effects?
- Was a risk analysis done on the controls that existed prior to the attack?
These questions are the starting point of an in-depth, post-incident review designed to help the organization learn from the event and minimize the likelihood of recurrence.
Risk assessment and mitigation
The unfortunate events at Hollywood Presbyterian give other organizations an opportunity to learn from its hard lessons. Asking the post-incident questions before an incident occurs turns them into a proactive risk assessment and mitigation exercise:
- If we lost or someone took our data tonight, could we get it back tomorrow?
- When was the last time the disaster recovery and business continuity plan were reviewed, tested, and updated?
- How have our systems changed since the last time our disaster recovery plan was updated?
- Do members of our team know how to spot a dangerous email?
- How often are we refreshing our training messages related to cybersecurity?
- Have we performed simulated email phishing attacks, and if yes, how did we fare?
- Are we using our computer systems appropriately?
- Which internet sites are actually needed to conduct business and which should be blocked?
- Have we completed a risk analysis and considered what types of threats exist?
- Have we corrected the issues that were identified as threats?
Legal considerations after breaches
Security incidents such as a ransomware attack can also raise unique legal questions and may trigger actions based on a number of statutes, regulations, and regulatory agencies. Finding the answers to these questions will require the advice of legal counsel. Organizations that have been the victim of ransomware may have to consider notification obligations, potential liability, reporting to regulatory bodies, and cyber insurance coverage. It will be necessary to determine whether the hospital’s information was accessed or compromised, and exactly which information was compromised. This data will determine how federal and state laws will apply, based on the statutory definition of a breach.
Additionally, there will be a review of the health care organization’s cybersecurity insurance to determine whether the security incident is covered, and which associated expenses are covered. Finally, the long-term legal repercussions may include required patient notifications, investigation by the Department of Health and Human Services Office for Civil Rights (which investigates violations of HIPAA), and possibly private class action lawsuits for breach of privacy.
How we can help
Cybercrime is nothing new in the health care industry; it has been reported to be a six-billion-dollar-a-year problem. By all indications, the health care industry is increasingly a target for hackers, as a health care record sells on the black market for 10 to 20 times the price of a credit card number. Because of the amount of information in health care records, they have a longer shelf life on the black market than stand-alone financial information.
The Hollywood Presbyterian example stands out because a ransom was demanded and paid. If you find it difficult to answer the questions above, or have concerns about your organization’s answers, it’s time to work with professionals who can provide you with the tools you need to mitigate the risks that are so prevalent today.
The key to managing cybersecurity risks is advanced planning. The CLA health care information security team can help your organization identify potential weaknesses and provide recommendations to strengthen your defenses. If your organization is a victim of a security incident, CLA provides incident responders immediately.
To manage legal risk, the law firm of Nilan Johnson Lewis has experience with incident response planning, and with risk assessments and incident response performed under attorney-client privilege. Together, CLA and Nilan Johnson Lewis can provide the technical and legal assistance needed to address cybersecurity risks.