Ransomware is so rampant that more than 4,000 attacks have been launched every day since 2016<sup>1</sup>including some 65,000 attacks in 2020 alone (2) such that 68 percent of organizations in the U.S. were attacked and ultimately paid the ransom last year. (3)
The security threat has once again been elevated to the White House, which issued an open letter in September cautioning that U.S businesses need to deploy tactics to “disrupt and deter” ransomware attacks similar to what the federal government is undertaking (4) in response to successful security incidents bringing down the IT networks of Colonial Pipeline and the meat packing giant JBS USA Holdings during the summer.
Last week, the Biden Administration held a closed-door Counter-Ransomware Initiative meeting (5) during which 32 countries, notably excluding Russia, began steps to identify ways to thwart ransomware attacks (6). “From malign operations against local health providers that endanger patient care, to those directed at businesses that limit their ability to provide fuel, groceries, or other goods to the public, ransomware poses a significant risk to critical infrastructure, essential services, public safety, consumer protection and privacy, and economic prosperity,” the ministers and representatives of the Counter-Ransomware Initiative noted in a joint statement. (7)
While that particular initiative spans many industries, health care consistently ranks among the most-targeted sectors when it comes to ransomware attacks, following only the public sector and professional services in a current report. (8)
Critical future considerations for ransomware
Many CEOs, in health care and other sectors, have or will earn their ransomware education in a difficult manner: Sitting in a conference room alongside attorneys and law enforcement, likely the FBI, negotiating with the criminals demanding payment to return access to locked data and literally learning how to lead the organization through the crisis in real-time.
While the critical decisions at that point have historically been whether or not to pay and when to issue breach notifications, neither matter is simple — even for organizations with off-site backup datacenters that enable business continuity while on-premise data is encrypted — and four considerations could complicate matters even further:
- Hybrid workforces have been less secure and introduced new vulnerabilities
- COVID-19 made contracting with third-parties harder but even more necessary
- Lawmakers are looking to make disclosure rules more aggressive
- Post-attack lawsuits appear poised to become commonplace
Hybrid workforces have been less secure and introduced new vulnerabilities
As the pandemic catalyzed remote and hybrid work, the new conditions also increased the number of endpoints and because organizations virtualized parts of the workforce essentially overnight many achieved that feat without time to prepare security controls accordingly.
Many organizations’ security protocols, in fact, have become more lenient in hybrid environments than they are in physical facilities. More than half (61 percent) struggled to establish secure remote work capabilities (9), a reality made worse because 35 percent believe that employees circumvented or even disabled security measures (10). As a result, 53 percent of organizations that prioritized remote access over security now have risks from doing so that include the unsanctioned use of applications and unchecked policy violations. (11)
Security professionals said the top concerns of new hybrid workforces include the security of home internet connections, leaked sensitive company information and cyberattacks, including ransomware. (12) As many as 99 percent of 1,500 security professionals across various industries indicated that they do not believe all of their end points are protected (13), which poses considerable risk.
Other common security concerns include poor data protection methods, lack of privacy in the home, phishing attacks, poor password management and compliance violations. (14)
And since the health care industry and the public sector are already under resourced security-wise and tend to be among the slowest to resolve security incidents, (15) it is not surprising that only 5 percent of security professionals claimed to have “no security concerns” about a hybrid workforce. (16)
COVID-19 made contracting with third-parties harder but even more necessary
In response to risk factors catalyzed by the pandemic, notably remote work, systems to support virtual work and care delivery, as well as staffing challenges, health care organizations are planning to contract with more third parties in the next 12 months with the average number of such arrangements rising from 1,950 presently to an average of 2,541 per organization. (17)
“Third-party products and services are a necessary and critical part of the IT blueprint, but each brings another set of risk factors to the table. Some risks are inherent to the third party such as secure operating systems and other software in medical devices. Other risks involve storing protected health information (PHI) on cloud-based systems that weren’t meant to support it. In either case, the risk created by the third party needs to be managed,” according to the Ponemon Institute report The impact of ransomware on health care during COVID-19 and beyond, sponsored by Censinet. “The burden is on the health care organization to perform assessments throughout their relationship with the third party.”
Yet Ponemon found that only 40 percent of participants “always complete a risk assessment” with third parties prior to contracting and only 15 percent conduct annual reassessments of third-party products and services. (18) Ponemon also cautioned that certifications and frameworks such as HITRUST or SOC do not necessarily replace the need for regular reassessments.
Further, when assessments uncovered gaps in a third-party’s practices or policies, only 44 percent took that risk seriously enough to switch to another third-party, while 51 percent required the contractor to remediate the gap and 50 percent assisted in such remediation of third-party privacy and security protocols. (19)
The growth of engaging third-parties in accordance with the pandemic-driven need to manage information security and protect against attacks such as ransomware requires more vigilance among executives when managing those partnerships.
Lawmakers are looking to make disclosure rules more aggressive
The argument in favor of not alerting authorities, patients or members after an attack rather than immediately disclosing it or issuing a breach notification has been that executives need time to investigate, particularly when the FBI is involved, to monitor servers and systems that are impacted, identify and ideally apprehend malicious actors, evaluate what assets they leveraged to perpetrate the attack and then determine the most appropriate messaging to the public. But as more states institute breach notification rules (20) and organizations make that information public, (21) the old adage that ransomware does not necessarily lead to a breach is vanishing.
Earlier this month, in fact, Senators Elizabeth Warren (D-MA) and Rep. Deborah Ross (D-NC) introduced the bicameral Ransom Disclosure Act (22). The proposed legislation would require organizations that pay a ransom to notify the Department of Homeland Security within 48 hours of doing so and provide key pieces of information relative to the incident, including: the date the ransom was demanded and when it was paid, the amount demanded and paid, the currency including cryptocurrency used to make the payment, whether the covered entity receives federal funds and any other relevant information about the identity of the actor demanding ransom.
The proposed legislation has both been criticized for turning targets into victims by forcing organizations to disclose the attack and not protecting related details from Freedom of Information Act requests (23) and it has been lauded as a step toward easing the stigma associated with being a victim of just such an attack. (24)
That bill’s fate remains to be seen but other regulatory changes are being enacted to alter breach disclosure. The Federal Trade Commission in September, for example, clarified a 2009 Health Breach Notification policy statement and warned that makers of apps and devices which collect personal health information are obligated to notify consumers in the event their data is breached or intentionally shared without prior consent. (25)
Also in September, the U.S. Treasury Department’s Office of Foreign Assets Control updated its guidance with information about potential sanctions for making and facilitating ransomware payments, including an explanation that it added the SUEX cryptocurrency exchange to its Specially Designated Nationals and Blocked Persons List for facilitating ransom payments to criminals. (26) OFAC also reiterated the U.S. government’s stance on strongly discouraging ransom payments and explained that disclosing the attack and cooperating with law enforcement would be considered mitigating factors.
Post-attack lawsuits appear poised to become commonplace
After Scripps Health high-profile data breach, the health system is facing multiple class-action lawsuits alleging that it failed to adequately protect patient data and potentially exposed those individuals to identity theft or medical fraud. (27)
Scripps Health is just one example. Springhill Medical Center is another. A new lawsuit alleges what could be the first death attributable to a ransomware attack because the provider did not pay the ransom, which the suit says led to a preventable death. (28) The case has subsequently resulted in a negligent homicide investigation. (29)
In another example, a class-action lawsuit was filed against Northwestern Medical for not guarding sensitive data from a breach (30) that involved Elekta, the radiation equipment vendor at the center of a separate lawsuit against it for an April data breach. (31)
Those are just a few of the expanding number of instances in which patients are suing hospitals, and health systems are suing technology vendors, that portend a future in which ransomware and other cyberattacks become part of medical malpractice lawsuits. (32)
While HIPAA’s Breach Notification rules require covered entities to notify consumers and the U.S. Department of Health and Human Services when unauthorized access to protected health information occurs, (33) even though HIPAA is viewed as the strictest of federal data protection laws, (34) the rule constitutes minimum requirements and HHS recommends covered entities implement more stringent information security protocols.(35)
What’s more, the post-attack great unknown is whether sensitive data was simply encrypted until the ransom was paid and the keys returned to unlock it and the criminals moved onto the next victim or they exfiltrated the data in what is becoming an increasingly common tactic (36) and the crux of the problem could re-emerge again in the future to create new and previously unforeseen complications.
Conclusion
That the threat vector continues to expand as attackers become increasingly sophisticated (37) is well understood and not likely to change anytime in the near future. The business model, after all, functions reasonably well for cyber criminals; that’s why malicious actors deliver the tools to unlock data 98 percent of the time (38) and victims regain access to 97 percent of their data (39).
Despite early promises by cybercriminals not to attack health care entities during the pandemic (40), only 47 percent have actively blacklisted the sector (41) and HHS in mid-September issued a warning about BlackMatter, (42) one such group that claims not to target health care.
In addition to baseline information security protocols that should already be established, CEOs, C-suite executives and privacy and security leaders need to be steadfast in more effectively and routinely securing virtual workers, managing third parties that have access to health data, monitoring and preparing for regulatory changes that can impact disclosure protocols and understanding the potential for law suits to emerge after attacks.