Ransomware Attacks Are On The Rise: Are you Prepared?
By Procopio Partner Robert Marasco, Senior Counsel Elaine Harwell, and Diana Sfrijan
Cybercriminals are mounting data-extortion campaigns against the U.S. healthcare system, the FBI and two other federal agencies warned on October 28, 2020. The campaigns are ransomware attacks designed to lock up hospital information systems, which can also involve data theft and cause significant disruption of patient services as COVID-19 case numbers continue to surge.
At least five American hospitals have been impacted by the cyberattacks this week, and security experts warn that hundreds more may be affected. Experts say that the magnitude of this latest wave of cyber threats is unparalleled, and the cybercriminal group responsible appears to be a Russian-speaking criminal gang.
This latest wave of cyber threats against the U.S. healthcare system is part of a growing trend. A ransomware attack in September slowed all 250 facilities of the Universal Health Services hospital chain. Universal's doctors and nurses were forced to revert to paper-and-pencil recordkeeping while lab work slowed and patient monitoring equipment faltered. So far in 2020, at least 59 U.S. healthcare providers and systems have been hit by ransomware, interfering with patient care at more than 500 facilities.
If you find yourself a victim of a ransomware plot, whether in healthcare or not, here are some guidelines to help weather the attack:
- Engage your in-house and outside counsel.
- Decide, with your counsel, whether to inform the FBI.
- Engage your crisis management team.
- Begin execution of your data incident response plan.
- Notify your insurance broker and/or cyber-insurance carrier.
- Investigate the incident.
- Contain the incident: stop any additional loss and prevent further exposure.
- Assess the fallout.
- Learn from the incident and improve your response plan and system security.
Even before you become a victim of ransomware, there are measures you can take to reduce the likelihood of a successful intrusion and to limit the damage if one occurs. Besides working with outside counsel to plan and prepare for the steps above, you should consider doing the following:
- Educate your workforce, e.g., using strong passwords, thinking before clicking on links or attachments, locking devices, and avoiding public Wi-Fi.
- Restrict access to data to those who need it for their role, so that a single compromised account cannot reach everything.
- Encrypt data. Note that encryption limits the harm from data theft but does not by itself stop ransomware from encrypting or deleting your files.
- Conduct regular security risk assessments.
- Back up to a secure offsite location that cannot be reached from your production network with ordinary user credentials, and test that backups can actually be restored.
- Evaluate the cybersecurity posture of your vendors.
Please feel free to speak with your contact or anyone at Procopio if you would like assistance with implementing the recommended measures, improving your existing plans, or if you have been subject to a ransomware attack.
Robert G. Marasco is the leader of Procopio's Health Care practice group and a member of its Privacy and Cybersecurity practice group. He aids clients in a wide spectrum of business situations. In the civil context, he acts as an outside general counsel to a variety of businesses advising on various legal and business matters, and also leads the strategic litigation needs of these businesses. In the health care context, Robert advises clients, including independent physician associations, foundation-based physician groups, and other medical practices on health care compliance and fraud and abuse, the Anti-Kickback Statute, the Stark Law, and defends clients against OIG health care audits and False Claims Act matters and governmental investigations. He also advises on compliance with health care privacy laws such as HIPAA and the California CMIA, investigates data privacy compliance, and responds to data breaches.
Elaine F. Harwell is a Co-Leader of Procopio’s Privacy and Cybersecurity practice group. Elaine is an experienced business litigation attorney and a trained privacy professional. Her practice focuses on representing clients in privacy and data security matters, including litigating claims involving privacy issues, helping clients manage emerging risks and conduct privacy risk assessments, and advising on regulatory and compliance issues. Elaine thrives on counseling clients through a complex and ever-changing data privacy landscape and strives to find effective business solutions for clients in every situation. She has earned the ANSI-accredited Certified Information Privacy Professional/United States (CIPP/US) and the Certified Information Privacy Manager (CIPM) credentials through the International Association of Privacy Professionals (IAPP).