Ransomware in the healthcare sector presents a fundamental threat to health and wellbeing, potentially denying patients access to life-saving technology and jeopardizing individuals’ medical privacy.
We saw an alarming increase in ransomware attacks on healthcare systems in 2021—with more than 65 reported ransomware attacks on healthcare organizations in the third quarter alone and two-thirds of organizations reporting that they had been targeted by ransomware strikes—a trend that is likely to continue in 2022.
Some ransomware groups specifically target the healthcare sector, believing that a successful attack is more likely to elicit a payment given the chaos it can cause. Increasingly, these attacks involve not just the encryption of systems and files, rendering them inaccessible until a ransom is paid, but also the theft of data and the threat to publish it in order to increase the leverage against victims. Such attacks have impacted the delivery of health services, at times resulting in dire health outcomes.
Law enforcement authorities at all levels of government have recognized the grave threat ransomware poses to the healthcare system. In late 2020, the federal Cybersecurity and Infrastructure Security Agency issued an alert in conjunction with the Department of Health and Human Services and the Federal Bureau of Investigation highlighting the urgent threat of ransomware to healthcare providers.
Federal authorities have also taken steps to coordinate their activities with state and local law enforcement entities. For instance, the White House’s Deputy National Security Advisor briefed a bipartisan group of state Attorneys General on cybersecurity priorities in June 2021, and federal Homeland Security officials recently stressed the importance of state and local partnerships in combatting ransomware attacks in Congressional testimony.
While heightened awareness of ransomware threats and increased law enforcement resources to combat those threats are invaluable tools in the battle against cybercriminals, significant challenges remain for private companies. Healthcare providers must address difficult questions about if and when to pay a ransom, how to address patient concerns over data security, and how to combat operational and reputational damage from ransomware attacks.
Further, while understanding that healthcare entities are victims in these scenarios, law enforcement authorities have made plain that healthcare companies must be diligent about meeting federal, state, and local notification requirements when data breaches occur. These requirements can include submitting written “breach reports” to authorities and making timely notifications directly to the individuals whose data has been compromised.
More generally, federal and state governments continue to consider legislation and develop regulations around preventing and reporting ransomware attacks, signaling that such attacks will increasingly bring with them heightened regulatory scrutiny. That scrutiny will address the steps companies took to prevent the attack, how promptly they reported it, and what steps they took to mitigate its effects.
Given these challenges, healthcare organizations can and should be proactive in combatting the harm caused by ransomware by engaging professionals with expertise in addressing ransomware attacks. Cybersecurity firms can work to develop plans to prevent ransomware attacks, and outside counsel can assist in developing a response plan should such an attack occur. This response plan should outline the factors that a company would consider in deciding whether to pay a ransom, identify who would need to be consulted, and advise on threat mitigation and containment strategies.
Healthcare organizations should then test their response plans through tabletop exercises and work with their IT specialists to address key vulnerabilities. Equally important is putting in place a well-developed business continuity plan so that healthcare organizations can continue operating and delivering life-saving care, even when faced with a ransomware threat. Given the evolving nature of ransomware attacks, all healthcare organizations need to be armed with the tools and expertise to prevent and swiftly respond to these attacks to protect their patients’ private medical data and to ensure continuity of care.
Melissa Crespo is a member of the firm’s Privacy + Data Security practice where she helps clients navigate a variety of privacy challenges and data security matters, with particular experience with the Health Insurance Portability and Accountability Act (HIPAA).
Kate Driscoll is a member of Morrison & Foerster’s Investigations + White Collar Defense Practice Group. She previously served as an Assistant U.S. Attorney in the U.S. Attorney’s Office for the Eastern District of Pennsylvania.
Alex Iftimie is a partner and co-chair of Morrison & Foerster’s Global Risk and Crisis Management group. Drawing on his experience at the National Security Division of the U.S. Department of Justice, Alex advises clients on all aspects of cyber breach preparedness and response.
Nathan Reilly is a member of the firm’s Investigations + White Collar Defense Practice Group. He previously served as senior litigation counsel in the U.S. Attorney’s Office for the Eastern District of New York.