By The Institute at MagMutual™
Ransomware attacks have posed a serious threat to healthcare organizations for more than a decade and continue to be a pervasive issue. These attacks have become one of the most prominent types of malware and have impaired providers’ ability to deliver crucial services. It is thus necessary that healthcare organizations understand the risks associated with ransomware attacks and how they should respond immediately when presented with such a threat.
First and foremost, MagMutual recommends ensuring that your healthcare practice has a comprehensive incident response policy and procedures for dealing with a ransomware attack. MagMutual also recommends confirming that your IT vendor has implemented detection measures to identify ransomware attacks, and making certain that staff members understand these detection measures. Lastly, it’s imperative to build a post-incident response procedure and appropriately train staff members on how to respond to a ransomware attack.
If your organization is unfortunate enough to suffer a ransomware attack, there are a few steps you should immediately take:
Step 1: Record details of the ransom note and disconnect the affected device from the network.
Take a picture of the ransom note or write down exactly what it says, as it may contain important information for your IT vendor. Then, if possible, disconnect the device from the network (for example, by unplugging the network cable or turning off Wi-Fi) rather than shutting the device down. Disconnecting might prevent the ransomware from finding backups and spreading throughout the rest of the network, whereas turning off the affected device could cause valuable forensic data held in memory to be lost. Data backups should also be secured and taken offline until IT can assess the situation.
Step 2: Notify your staff and implement downtime procedures.
The practice administrator should immediately notify the entire team and prevent others from logging into the system. Alert all employees and physicians to the situation so they can take precautionary measures to limit any spread to other devices. During this time, use “offline/system downtime” forms and transition to paper documentation/charting consistent with your organization’s business continuity plan.
Step 3: Call your IT vendor to alert them of the attack.
It’s important to have your IT vendor’s phone number saved and easily accessible. IT vendors can conduct a full forensic analysis of your system to determine how the hacker accessed the system and what data, if any, was removed. Your IT vendor can also ensure the ransomware hasn’t spread and will help you manage the current situation and make improvements for the future.
Step 4: Notify your local FBI field office.
Though the FBI strongly recommends reporting ransomware attacks, many still go unreported. Notifying law enforcement about the incident may help you and other healthcare organizations avoid attacks in the future. Plus, if law enforcement can locate your specific attacker, there is a chance your files can be decrypted and released without cost. You can find your local FBI field office on the FBI’s website (https://www.fbi.gov/contact-us/field-offices).
Step 5: Contact MagMutual or your other insurance carrier concerning your cyber liability coverage.
If you don’t have a cyber liability policy and are without coverage for the ransomware event, we recommend you work with your IT vendor.
Please note: if unsecured protected health information (PHI) was breached during the attack, you may have reporting obligations under HIPAA. A forensic IT investigation and consultation with MagMutual or your other insurance carrier can help you make that determination.
Step 6: Keep everyone in your organization informed while the issue is being resolved.
Provide consistent, regular updates to all employees. Since responding to a ransomware attack is a fluid situation, you’ll need to update clinicians, staff and patients at different points in the process. You should decide who to contact for updates, when and how often.
Step 7: Consult with appropriate parties and determine whether to pay the ransom.
Many organizations make the decision whether to pay a ransom in consultation with the FBI, their IT vendor and their insurance carrier. It’s very important to verify who will be receiving the ransom payment. The U.S. government (the Treasury Department’s Office of Foreign Assets Control, OFAC) maintains a list of sanctioned persons and entities, and paying a ransom to a person or entity on the list may be illegal. For example, if the ransom message demands payment in the cryptocurrency Monero, it is likely the hacker is on the sanctioned list because of an affiliation with a terrorist organization or other threat to the United States.
In addition, HHS and the FBI advise against paying the ransom in most cases. Payment does not guarantee that your files will be decrypted and returned, and your healthcare organization runs the risk of further extortion because the hacker knows you will pay.
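As an added example (not part of MagMutual’s article), the following Python script records the ransom note from Step 1 in a form you can hand to your IT vendor, the FBI and your insurer, and checks any payment address it finds against a sanctions list as Step 7 advises. The sanctions entries and the sample note are constructed placeholders; a real check would use OFAC’s current SDN data.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed stand-in for a sanctions list keyed by digital-currency address.
# OFAC's SDN list publishes such addresses; these entries are placeholders only.
FLAGGED_ADDR = "bc1q" + "sampleflaggedaddr" + "2" * 20
SANCTIONED_ADDRESSES = {FLAGGED_ADDR: "PLACEHOLDER-SDN-ENTRY"}

# Identifiers commonly found in ransom notes: contact channels and payment addresses.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "onion_url": re.compile(r"\b[a-z2-7]{16,56}\.onion\b"),
    # Bitcoin: bech32 (bc1...) or legacy base58 (1.../3...) address forms.
    "btc_address": re.compile(
        r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    # Monero: 95-character standard address starting with 4.
    "xmr_address": re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
}

def extract_indicators(note_text):
    """Return every contact and payment identifier found in the note, by type."""
    return {name: sorted(set(p.findall(note_text))) for name, p in PATTERNS.items()}

def flag_sanctioned(indicators, sanctioned=SANCTIONED_ADDRESSES):
    """Map each payment address that appears on the sanctions list to its entry."""
    return {addr: sanctioned[addr]
            for kind in ("btc_address", "xmr_address")
            for addr in indicators.get(kind, []) if addr in sanctioned}

def build_incident_record(note_text, device_name, captured_at=None):
    """Build the record to hand to the IT vendor, the FBI and the insurer; store it off the affected device."""
    captured_at = captured_at or datetime.now(timezone.utc)
    indicators = extract_indicators(note_text)
    return {
        "captured_at": captured_at.isoformat(),
        "device": device_name,
        "note_sha256": hashlib.sha256(note_text.encode("utf-8")).hexdigest(),
        "note_text": note_text,
        "indicators": indicators,
        "sanctions_hits": flag_sanctioned(indicators),
    }

# Constructed sample note; every address and contact in it is made up.
SAMPLE_NOTE = f"""YOUR FILES HAVE BEEN ENCRYPTED.
To recover them, contact recovery_desk@example.com or open
paymentportalexample2222.onion in Tor. Send 2 BTC to
{FLAGGED_ADDR} within 72 hours."""
```

Calling `build_incident_record(SAMPLE_NOTE, "FRONTDESK-02")` returns a dictionary whose `sanctions_hits` entry is non-empty, which is the signal to stop and consult counsel before any payment is considered.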
In addition, MagMutual recommends the following:
- Regularly back up your practice’s data. Ideally, backups should be kept on an external hard drive that is disconnected from the network when not in use.
- Document all communications related to the ransomware attack and maintain copies of this documentation in one location.
- Conduct annual employee training regarding cybersecurity risks and liability and how to mitigate these risks.
Inappropriate responses to a ransomware attack could open the door to multiple types of violations and potential liability. The risks associated with such an attack range from HIPAA violations and medical malpractice to the False Claims Act. Such attacks occur with moderate frequency and can have serious implications and costly damages for healthcare practices, so it is best to be prepared.
MagMutual’s Learning Center offers many additional resources concerning the business, practice and regulation of medicine.
Disclaimer: The information provided in this article does not constitute legal, medical or any other professional advice. No attorney-client relationship is created and you should not act or refrain from acting on the basis of any content included in this article without seeking legal or other professional advice.