The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has been highlighting the threat posed by “ransomware”—when an organization is locked out of its own systems and files by cyber criminals who then demand the organization pay a ransom to regain access. OCR launched its Cyber-Awareness initiative on Feb. 2 by emailing entities in the health care community an alert about the dangers that ransomware presents to their operations. Within two weeks of the OCR alert, the world learned how real this problem is when a hospital made national headlines as the victim of a ransomware attack.

According to OCR and the FBI, ransomware has become a popular tool in the cybercrime world to extort money from companies by locking them out of their own computer resources. Losing access to important files for even a short period of time can have crippling consequences for any entity victimized by a ransomware attack and may endanger patients and plan participants. Because of the dire potential impact, many ransomware victims face the difficult dilemma of whether to pay the cyber criminals to get operations back online and provide necessary services to their patients and members. Consequently, covered entities and business associates should work with knowledgeable experts to identify how a successful attack might affect their operations and implement measures to mitigate the ransomware risk.

What is “Ransomware”?

Quite simply, ransomware is a type of malware used by cyber criminals to take over and cripple an entity’s computer network and resources by encrypting and preventing authorized users from accessing information on an affected network. It is typically delivered via email, and involves a combination of social engineering and technical subterfuge. The email message appears to be intended for the recipient, and typically includes an attachment. When the recipient opens the email message and the attachment, the ransomware is executed on the computer system and infects all digital devices that are actively linked to the infected device. Cyber criminals then send a message to the victim’s infected device and demand a ransom payment in exchange for a decryption key to unlock the data. Ransoms demanded by hackers typically range from a few-thousand to tens of thousands of dollars.

How Can Ransomware Affect Covered Entities and Business Associates?

Recently, a hospital that became the victim of a ransomware attack lost access to its clinical and billing systems and suffered other disruptions in its services, such as having to divert emergency patients to other hospitals. Although the hospital contained the threat and declared that no evidence suggests that patient or employee information was accessed, the provider did pay a ransom in the interest of restoring its operations as quickly as possible.

A ransomware attack may have consequences for a covered entity or business associate beyond the disruption of its services. OCR expects covered entities and business associates under HIPAA to be resilient against ransomware attacks by maintaining sufficient backups and contingency planning under the HIPAA Security Rule. An affected covered entity or business associate could therefore be the subject of an OCR investigation, and potentially an enforcement action, following a ransomware attack.

Steps to Take: Mitigating the Ransomware Risk

No cybersecurity measures are able to completely eliminate the risks that ransomware pose, but covered entities and business associates can take a number of steps to protect the electronic protected health information (ePHI) and other critical data under their control, mitigate the likelihood of a successful attack, and lessen the chance that they will become victims of cyber extortion and the focus of an OCR investigation:

• Ransomware and other malware attacks should be part of your risk analysis. Ransomware is a growing concern and many organizations have been successfully attacked. Therefore, covered entities and business associates should consider including ransomware and malware attacks in the risk analysis required by the Security Rule and implement appropriate safeguards to bring the risk of these attacks to a reasonable level.
• Provide employee training on information security awareness. Employee training on information security awareness, and specifically social engineering, should be part of every organization’s information security program. This training may include the identification of social engineering attacks and their potential impact on an organization’s information system. This training should empower employees to recognize phishing attacks, and to immediately report such attacks to information security personnel within the organization.
• Procure cyber insurance with cyber extortion coverage. Cyber insurance has become an important tool for companies in all sectors to mitigate the economic risks of a data breach or other cyber event.  Insurers also are recognizing that ransomware poses significant business operations concerns for companies and are increasingly offering “cyber extortion” coverage in their cyber insurance products. Cyber extortion coverage will compensate a business for the costs of a ransomware payment made under duress to cyber criminals, in order to get the business’ operations running again as soon as possible.
  
  Since not all cyber insurance products contain this important coverage, please speak with legal counsel or insurance brokers familiar with cyber insurance to find the product that is right for your business and that permits you to work with the legal counsel and forensic experts of your choosing.
• Ensure that ePHI is routinely backed up. A ransomware attack could disrupt access to patient medical and member insurance records for days. Covered entities and business associates can mitigate the effect of a ransomware attack by routinely backing up all ePHI within their control. Backup files should be segregated from a covered entity or business associate’s main files to prevent a successful ransomware attack from compromising these files as well, and the organization should consider conducting regular tests to ensure the integrity and functionality of backup systems.
• Consider performing breach response table-top exercises, with ransomware as a potential scenario. When it comes to cybersecurity, covered entities and business associates should hope for the best but plan for the worst. As part of that planning, entity personnel should walk through a simulated ransomware event to identify how their organizations may be affected, how to develop and implement an effective disaster response and recovery plan, and how to mitigate the effects of a successful attack.
  
  Davis Wright Tremaine’s Privacy and Security practice has experience with assisting clients in performing table-top exercises.
• Test your monitoring and response processes. It is critical that covered entities and business associates identify and block malware and other attacks as soon as possible. There are a number of end point monitoring products that can immediately detect ransomware attacks. Organizations should work with their information security personnel to identify end point monitoring products appropriate for the organization.
• Test your disaster recovery processes. Knowing how your organization will respond after a successful attack is an important component in ensuring that your organization will be able to recover quickly from any cyber event that threatens your operations. Developing and regularly testing your organization’s disaster recovery plan may lessen the amount of time that your business operations are disrupted and moderate the impact to your patients and clients.