Don’t be taken hostage

Ransomware is a new threat facing computer systems worldwide. Boards of health care organizations need to understand its risks and make sure they are taking steps to mitigate or eliminate vulnerabilities that lead to ransomware attacks.

A master of disguise, ransomware has taken many forms: Cryptowall, SamSam, Jigsaw, Petya, Locky. On May 12, the WannaCry ransomware attack affected 16 hospitals in England’s National Health Service, according to various reports. In addition to computers, the cryptoworm also carried the potential to affect web-connected medical equipment and other devices comprising the “internet of things.”

Ransomware defined

So, what is ransomware? At a basic level, it is malicious code that, once activated, spreads throughout a network, encrypting data stored within the systems it has infected. As a result of this encryption, systems and data are inaccessible. And once a virus infects one system, it has the potential to spread quickly to all connected systems and devices.

Trustee talking points

  • Hospitals and health systems have become increasingly popular targets for ransomware.
  • Prevention — eliminating vulnerabilities — is the best method of defense against cyberthreats.
  • Because prevention isn't foolproof, health care organizations also need to have plans in place to respond to a ransomware attack when it happens.
  • Trustees have a key role to play in making sure a hospital meets its legal and financial obligations before and after an attack.

The user is told it must pay a ransom, typically in Bitcoin (the unmarked bill of the 21st century) before the hacker will restore access. The ransomware threatens to delete all the files, publish the data or otherwise misuse the data if the ransom is not paid within a specified time frame. If the ransom is paid, the hackers send the user a decryption code to restore the files.

Recently, the NotPetya ransomware attacked computers across the globe through networks of corporations with offices in or near Ukraine. Unique to NotPetya was the fact that its mechanism for receipt of the ransom turned out to be nonfunctional, which prevented victims from paying the ransom, rendering data lost and hard drives irreparably damaged.

Once the data are decrypted, the organization must still conduct a thorough investigation to determine whether the data was copied or otherwise disseminated outside of the system. Even those who pay the ransom, however, are not assured the data will be restored, as many times the perpetrators simply walk away, leaving the data unusable. Because ransomware does not require the hackers to actually “kidnap” the data and remove it from the systems, there is little evidence that can be used to identify the perpetrators, whether the ransom is paid or not.

Unfortunately, virtually every area of a network is vulnerable to attack, and hackers are increasingly creative in identifying and exploiting areas of weakness. Software vendors are actively battling these threats and can, in certain circumstances, provide a “patch.” End users must be vigilant in applying patches and working with their third-party vendors to ensure they are equally vigilant.

Hospital focus

Thanks to their treasure troves of sensitive personal information, health care providers have become increasingly attractive targets for ransomware attacks. A common vulnerability for hospitals is older, heavily interfaced systems with multiple users and points of entry, which are slow to implement updates and patches, typically for interoperability reasons.

While the dollar amount of the ransom request may not be significant, the resultant damage of rendering entire systems inoperable can carry a huge price tag. The cost of investigation, mitigation and response efforts can quickly escalate. Qualified information technology specialists are needed to assess the situation, test decryption keys that might circumvent the ransomware code and conduct other forensic analyses.

The hospital’s counsel should also be consulted promptly (in many cases at the behest of the cyber-risk insurance broker) to determine any legal liability and obligations, such as notification requirements under state and federal privacy laws. Intangible costs include harm to the institution's reputation, given the widespread media and news coverage of cyberattacks, as well as data loss. Having in place appropriate and thoughtful preventive and reactive measures helps organizations mitigate, if not eliminate, the risk of significant tangible and intangible damage as a result of a ransomware attack.

Preventive measures

The preferred method of defending against ransomware involves understanding that the risk is real and implementing measures that can mitigate or eliminate the vulnerabilities that lead to cyberattacks. These tools and tricks of the trade include:

Calling for backup: All data should be backed up on a regular basis, and backups should be maintained offline. For organizations subject to the Health Insurance Portability and Accountability Act, these measures are consistent with obligations under the Security Rule to maintain data backups, and implement contingency and disaster recovery plans.

Knowing your associates: Most organizations rely upon third-party vendors for aspects of information security networks. Where appropriate based on scope of access, vendors should be periodically audited or asked to provide evidence of risk assessments and to confirm adequate data backup and contingency plans. The hospital’s counsel should be engaged to ensure appropriate protections are sought in all vendor contracts.

Testing your own systems: Regular and frequent employee education can mitigate user risk and keep staff apprised of recent hacking attempts. Further, “test” emails to all employees at all levels, in all departments, provide for controlled applications of training and education received in a nonpublic forum, allowing the organization to tweak and adjust training as appropriate. In addition, tabletop exercises and mock breach exercises conducted by the hospital’s counsel can help identify vulnerabilities in the organization’s policies and procedures. This is particularly relevant where single individuals are responsible for multiple affiliated entities, as is often the case in complex hospital systems.

Arming yourself: In many cases, the human element is the weakest link, allowing hackers to gain entry via fraudulent emails, commonly referred to as “phishing” schemes. These emails typically spoof, or appear to be sent from, a recognized user, and they ask the recipient to open an attachment or click a link that has been infected with a virus. Employee education likely will not go far enough to prevent such inadvertent vulnerabilities, so keeping security patches and firewalls current can serve to prevent some corrupt emails from reaching employees in the first place.

Maintaining an insurance policy: Insurance coverage for security incidents and data breaches is increasingly found in a separate policy, whereas “errors and omissions” policies historically may have picked up such claims. Boards must assess not only what is covered and where, but also, more significantly, what is not covered. For example, are breaches covered if they're caused by the hospital’s vendors? What about breaches when the hospital may be providing services to a third party, and the third party, as the owner of the data, incurs the cost of the breach, including notifying affected individuals? Understanding the gaps in a policy is as important as purchasing it in the first place. Further, be familiar with the carrier’s process for tendering a claim to avoid unnecessary delays when the clock is ticking on an important deadline.

Reactive measures

Data security is not achieved overnight and is always evolving, as attackers are constantly improving their approach. Thus, organizations must have comprehensive and efficient reactive strategies in place to respond to an attack and mitigate the risks where preventive measures fall short. These strategies include:

Leading with your A-team: Have in place a robust, compliant incident response plan. The plan typically calls for a team of individuals with unique skills to approach the incident from multiple angles. The key to an effective incident response plan is ensuring that each team member knows his or her role and is able to execute it quickly and properly. The steps the hospital takes during the first few minutes, hours or days can have a significant impact on the outcomes of communications with government agencies and affected individuals.

Watching your back: Identify (or charge counsel with identifying) relevant third-party relationships implicated by the incident. Forensic analysis may ultimately determine that the source of the vulnerability exploited by the ransomware was the responsibility of a vendor. Contractual agreements with vendors may have a significant effect on mitigation and remediation efforts. For example, contracts with limitations on claims (as is common in technology vendor templates) may require tolling agreements be put in place while the parties triage the incident before determining the actual scope of liability allocable to one another.

Board considerations

As fiduciaries, members of the governing body of a hospital system are responsible for ensuring the organization is meeting its legal obligations and adequately protecting its financial assets. Although board members may not be information specialists or even part of the incident response team, there are steps the governing body can take, and perspectives that can be adopted by the board, to better serve the organization in meeting its legal obligations under federal and state data privacy laws. These steps mitigate the organization’s exposure to significant financial loss as result of such incidents. Such preventive and proactive action items may include:

Making sure hospital departments never “pass the buck” on data security to one another. Data security requires the collaborative efforts of the organization as a whole, starting at the top.

Investing in and prioritizing infrastructure and data systems management tools in the same manner as capital and physical infrastructure investments.

Purchasing cyber insurance with appropriate coverage to address the organization’s particular risks. Such insurance can serve to mitigate exposure in the event of an incident.

Periodically engaging third parties to conduct risk assessments, akin to periodic independent audits of the books and records. Third-party consultants with familiarity with what others in the industry are doing can reveal strengths and weaknesses of current practices.

A ransomware attack is a matter of “when,” not “if,” but assuming it will happen and being prepared can be the best preventive medicine. Preparation and prevention are not insurmountable tasks. Most important is an informed, engaged and empowered governing body to set the tone for rational decision-making and planning for those executives and administrators tasked with carrying out the plan when the untraceable villain comes looking for a ransom.

Jeffrey C. Davis (jdavis@vedderprice.com) and Ethan E. Rii (erii@vedderprice.com) are shareholders at Vedder Price in Chicago. Caitlin C. Podbielski (cpodbielski@vedderprice.com) is an attorney at Vedder Price.


Trustee takeaways

A good ransomware incident-response plan must include:

An A-team of technical experts and operations managers to attend to the incident immediately by:

  • Implementing backups to keep operations running smoothly.
  • Performing analyses to identify the underlying cause(s) or source of the attack.

Appropriate protocol to engage the hospital’s counsel and advisers for:

  • Coordinating the team with the overarching goal of mitigating the impact of the incident.
  • Addressing and instructing appropriate personnel on notifying the insurance carrier.
  • Protecting the assertion of attorney-client privilege of communications pertaining to the incident and the hospital’s response.