October 31, 2021

Ransomware In the Healthcare Industry

By Paul R. DeMuro, PhD, JD, MBA, CPA, Royal Palm Companies, Miami, FL and Henry Norwood, Esq., Kaufman, Dolowich & Voluck, LLP, Orlando, FL

Introduction


The healthcare industry is among the fastest-growing sectors worldwide and, as the industry has grown, the number and the magnitude of healthcare data breaches have also grown.1 Recent healthcare data breaches have resulted in millions of consumers’ healthcare data being stolen by hackers.2 Healthcare organizations are aggregating more private health information than ever before, making them particularly attractive targets for cyberhackers. One weapon employed consistently by cyberhackers against healthcare organizations is the ransomware virus.

Ransomware is a type of computer malware designed to extort ransom payments from its targets.3 Ransomware acts by infecting a computer, disabling the entire computer or specific functions of the computer, and presenting a message on the computer screen demanding a ransom payment in exchange for regaining the computer’s functionality.4 Ransomware has taken on many different forms and has continued to evolve since its creation many years ago.5 All healthcare organizations need to be prepared to prevent, protect against, and manage a ransomware attack to ensure the privacy of their patients and others who have entrusted the organization with their data.

The Basics of Ransomware

The History of Ransomware

The early ransomware variants would infect a computer, encrypt certain files in the computer so that the user could not open them without a decryption key, and then demand a ransom payment in exchange for the decryption key in order to access those files.6 The modern-day variants of ransomware are capable of locking an infected computer’s screen, rendering the computer useless to the user.7 The virus then displays a message demanding payment in exchange for regained access to the computer.8 This modern form of ransomware is believed to have originated near Russia.9

Instead of demanding a ransom payment and disclosing the criminal nature of the screen lock, some early forms of ransomware would display a message on the infected computer purporting to be from an authentic source, such as Microsoft, and claiming that to activate the computer, the user must send a text message to a phone number that would charge the user a premium charge for the text.10 The user would be sending what he or she thought was a simple activation text to Microsoft, but in reality the computer had been infected with ransomware and the premium charge from the text message was being collected by the ransomware hacker.11

Another early form of the virus did not attempt to conceal the criminal nature of the ransom: instead of posing as a representative of Microsoft, the hacker would simply display a pornographic image on the user’s screen and lock the screen with the image on display.12 The hacker would then send a message demanding payment through a similar premium charge phone call or text message as used in the Microsoft variant in exchange for removal of the image and regained computer function.13 This version of ransomware was successful because it shamed the computer’s user into paying the ransom. This version lasted for quite some time.14

Starting around 2011, a new ransomware variant was introduced.15 This virus was similar to its predecessor in that it still locked the user’s computer screen or locked the user out of specific computer files.16 The major difference was in the content of the ransom message displayed on the computer user’s screen.17 The new variant displayed messages claiming to be from a government agency, such as the Federal Bureau of Investigation (FBI), or a local law enforcement agency.18 The fake message would inform the user that the computer had been locked because the user had committed a crime and the only way to regain access would be to pay a fine for the crime.19 Interestingly, some forms of the virus used accessible location services to determine where the infected computer is located geographically.20 Determining where the computer is located allows the hacker to custom-design the ransom message to appear more legitimate, e.g., by ensuring that the message is written in the predominant language used in the area where the computer is located and by displaying law enforcement images portraying the agencies existing in that location.21 This new ransomware also abandoned the premium charge text and phone method of collecting its ransoms.22

Modern ransomware hackers now take advantage of online pre-payment methods and virtual currencies, which act similarly to online prepaid functions.23 The computer user loads funds into an online account (to which the hacker has access), using his or her own credit card.24 The hacker then retrieves the funds and decides whether to unlock the victim’s computer or dishonor the agreement.25

How Does Ransomware Infect Computers?

To succeed in their goal of extorting a ransom from their victims, hackers must first infect computers with the ransomware virus.26 Hackers use several different techniques to infect computers with the ransomware virus.27 One of the more common methods is referred to as a drive-by download.28 A drive-by download occurs when the hacker has already succeeded in hacking into a website.29 The hacker then inserts hidden malware onto the website.30 An unsuspecting person visiting the website will automatically be redirected to a second website operated by the hacker, which installs the ransomware onto the person’s computer.31 For a website to be hacked in the first place, it must have some vulnerability that the hacker can exploit.32

To avoid the hurdle of exploiting an already existing weakness in a website, some hackers legitimately buy advertising space on websites.33 The advertisement may purport to be promoting anything, but once the user clicks on the advertisement, the user is directed to the hacker’s website containing the ransomware virus.34

A different tactic used by hackers is referred to as spear phishing.35 Spear phishing is a hacking technique where the hacker sends a false e-mail to a computer user, often an employee of a company.36 The e-mail may claim to be from the employee’s coworker or supervisor and may instruct the employee to follow a series of tasks, which would actually result in the employee infecting the system with a virus, such as ransomware.37

Other means of infecting computers with a ransomware virus include piggybacking the virus onto a different form of malware already infecting a computer, or by sending out e-mails containing spam along with the virus.38 Ransomware will often be paired with another form of malware designed specifically to steal data and other information located on the infected computer.39 Thus, while the ransomware virus locks the computer and demands ransom from the victim, the additional malware is stealing data from the infected computer.40 Although the version of ransomware that requires a computer user to click on a certain advertisement or e-mail is still commonly used, newer versions of the virus are being developed that rely on vulnerabilities in an organization’s web server.41

The ransomware virus known as “WannaCry” was unleashed in May 2017.42 The virus infected more than 200,000 computers across 150 countries.43 The virus was capable of displaying at least 27 different languages based on the infected computer’s location.44 In the United Kingdom, the WannaCry virus forced the National Health Service’s systems to shut down.45 The virus sought ransom payments in the form of the virtual currency Bitcoin in exchange for regained access to encrypted files.46 Some reports have suggested the WannaCry virus likely infected systems through a vulnerability in Windows operating systems.47 The WannaCry incident brought the ransomware crisis to the forefront of consumer attention and has resulted in ransomware becoming a well-known threat even outside of health and IT security circles.

In 2016 and 2017, attacks across Europe involved the “Petya” ransomware variant, and in 2017 attacks worldwide involved the “NotPetya” variant. Also in 2017, the “BadRabbit” variant infected systems throughout Russia and Ukraine, and throughout 2016 the “Locky” and “SamSam” variants launched worldwide.48 Most of these attacks were launched indiscriminately against individuals and corporations across a wide range of industries, including the healthcare industry.

If an organization’s web server is unprotected or unpatched, hackers are able to exploit this weakness and infiltrate the organization’s online network.49 Once inside the network, the virus is able to move from the initial hacked computer to other computers on the same network, collect log-in data and credentials from staff, steal private stored data, and infect multiple systems with the ransomware virus.50

Ransomware as a Lucrative Crime

The earning prospects for cybercriminals using a ransomware virus vary by country and by virus.51 In one study, a variant of the virus was discovered to have infected approximately 5,700 computers in one day.52 Of this number, 168 users appear to have tried to free their computers by entering a PIN, which the hacker gives to the user after the user pays the demanded ransom.53 The study demonstrated that the number of users who likely paid the ransom was approximately 2.9 percent of those infected, and the average amount demanded was $200. By this calculation, the hackers extorted $33,600 in ransom payments in a single month using this variant of the ransomware virus.54 Extrapolating this finding to an entire year, the researchers concluded that an estimated $394,400 could be transferred in ransom in a year with this virus if only 2.9 percent of the yearly targets pay the ransom.55

In 2016, on average, more than 4,000 cyber attacks using the ransomware virus occurred every day.56 The statistics regarding ransomware attacks and ransom payments may represent only a fraction of the total sums extorted from organizations, because many organizations neither report being attacked by ransomware hackers nor report paying a ransom.57

The Threat of Ransomware in the Healthcare Setting

Healthcare organizations are appealing targets to hackers.58 In recent years, healthcare organizations have been targeted by cybercriminals more than most other industries;59 in fact, the healthcare industry has been ranked fifth highest in attacks by ransomware among all industries.60 In one study regarding information technology security in healthcare organizations, researchers found that the healthcare sector suffered from several IT security vulnerabilities arising from lack of awareness, patching issues, and employee error.61 Some research suggests that, on average, healthcare organizations experience a cyber attack almost every single month.62 The same research also suggests that nearly half of the healthcare organizations involved in the study had experienced a cyber attack within the past 12 months in which private patient information was at risk.63

The ransomware virus has been very effective at infecting healthcare organizations.64 Between 2005 and 2014, $57.6 million in ransom payments were made by healthcare organizations to ransomware hackers.65 During these years, ransom payments to hackers ranged from $200 to $10,000.66 In 2015, approximately $24 million in ransom payments were made by healthcare organizations to ransomware hackers.67 In 2017, one study of data breaches in the healthcare sector concluded that one out of four consumers of healthcare services had become victims of healthcare data theft.68 Half of these breaches resulted in identity theft.69 Of the consumers surveyed, the majority had their healthcare data hacked from hospitals, urgent care clinics, or pharmacies.70 Half of these consumers who were the victims of data breaches discovered the data breach on their own, rather than being notified by the healthcare facility holding their healthcare information.71 Furthermore, the costs of a data breach are highest when the breach targets the healthcare industry, compared to other industries, and the costs of data breaches have increased in the past few years.72

On February 12, 2015, Hollywood Presbyterian Medical Center in Hollywood, California, fell prey to a ransomware attack.73 A doctor at the medical center claimed that the medical center’s system “was being held for ransom.”74 Reports indicated that the medical center had lost control of its electronic health record system for more than a week and that the hackers responsible demanded more than $3 million in order to bring the medical center’s system back online.75 The CEO for the medical center later revealed that it had paid approximately $17,000 to the hackers and the hackers had honored their word and restored the medical center’s access to its system.76

A March 28, 2015, incident revealed that integrated systems storing health data were also at risk when a Maryland-based integrated healthcare system was targeted by a ransomware virus.77 The system held the healthcare information of 10 hospitals, and it took several weeks to restore the information systems, during which time the hospitals attempted to function and care for patients as well as possible.78 A single attack on a Maryland-based hospital led to an $18,500 ransom payment.79

In 2018, ransomware attacks launched against healthcare organizations continued. In February, a multi-location orthopedic specialty organization in California underwent a ransomware attack that put the private health information of 85,000 patients at risk.80 In May, a medical practice in Missouri fell victim to a ransomware attack, resulting in the breach of more than 45,000 patient records.81 In June, a fetal diagnostic lab was infected with a ransomware virus breaching approximately 40,800 patient records.82 In July, a hospital center in Missouri was targeted with ransomware and could not access its patient health records because of the virus.83

In July, a health management organization in New Hampshire was the victim of a ransomware attack. The organization paid the ransom and recovered its data, but the private health information of the organization’s patients may still have been available to the ransomware hackers.84 In August, an Iowa-based eye care center was infected by a ransomware virus, exposing the private health information of more than 40,000 patients.85

Healthcare organizations are an appealing target for data hackers.86 Patients’ electronic health records are worth far more than a victim’s credit or debit card number.87 In fact, electronic health records may be worth 10 times more to data hackers than a credit or debit card number.88 In recent years, the volume of U.S.-based ransomware attacks focusing on the healthcare industry has increased.89 Healthcare organizations may be appealing to hackers because every minute can literally be a matter of life and death: for every minute the organization lacks full access to its electronic health information, each patient is at risk, which increases the pressure on the organization to recover access to its systems by paying the ransomware hackers.90

Healthcare organizations are using and creating more electronic healthcare data than ever before.91 Electronic healthcare data allows healthcare providers different advantages in providing patients with quality care; however, with more data being stored in an online format, hackers have more targets and far more incentive to target the healthcare industry.92 Healthcare organizations are storing “valuable financial, insurance, and demographic data” that can be used, or sold to be used, to commit identity theft.93

As an additional threat, hospital employees and medical staff are now using their personal or organization-provided mobile devices to access private patient health records stored on the organization’s servers.94 Alerts are sent to the mobile devices of healthcare staff to keep them informed of patients’ vital statistics.95 Medical imaging machines are connected to healthcare servers using the internet.96 New technologies, such as smart glasses, are being developed that allow constant health monitoring of patients by healthcare professionals.97 This constant stream of private health information is recorded and digitally sent to the healthcare organization’s servers, where it becomes accessible to the monitoring healthcare professional.98 Older technologies, such as copy and fax machines, are also connected to the organization’s servers.99 Unfortunately, these technologies are very vulnerable to cyber attacks.100 It seems that as the technology becomes more innovative, the efforts to secure and protect the information being transmitted by the technologies have not kept up.

The Existing Legal Framework for Ransomware Attacks

The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) has become synonymous with private patient healthcare information.101 HIPAA is intertwined with the threat posed by ransomware because the virus may steal electronic private patient information from healthcare providers.102 A ransomware attack may rise to the level of a breach under HIPAA if the hacker actually obtains the protected patient information, which would be an unpermitted disclosure that “compromises the security or privacy of the protected [personal] health information.”103

The HIPAA Privacy Rule

The HIPAA Privacy Rule creates national standards designed to protect private health information.104 The Privacy Rule applies to a certain type of information, known as protected health information.105 Protected health information, also referred to as individually identifiable health information, is information relating to “the individual’s past, present, or future physical or mental health or condition; the provision of healthcare to the individual; or the past, present, or future payment for the provision of healthcare to the individual,” that either identifies a specific person or that can reasonably identify that person.106

Individually identifiable health information cannot be used by entities covered by HIPAA for any reason other than the treatment-related reasons allowed in the Privacy Rule, or if the individual whose information is at issue authorizes, in writing, the information to be used for specific purposes.107 The information cannot be disclosed by covered entities unless it is disclosed to the individuals themselves, upon request, or to certain government agencies if there is an ongoing investigation.108 Covered entities also may use or disclose this information for treatment, payment, and other healthcare operational activities.109

The HIPAA Security Rule

The HIPAA Security Rule requires that entities covered by HIPAA implement measures that can lower an entity’s risk of a cyber attack.110 The Security Rule applies to a specific type of protected health information, referred to as “electronic protected health information.”111 Electronic protected health information is protected health information transmitted by the organization using some electronic means.112

The Security Rule requires organizations to conduct regular risk analyses to detect potential vulnerabilities to the electronic protected health information being stored by the organization.113 The organization then must work to minimize these vulnerabilities.114 Organizations must have protocols in place to detect and prevent malicious software from infecting their computer systems.115 Users of healthcare organizations’ computer systems must be trained on how to protect their systems against malicious software and report any suspicions that malicious software has infected one of the organization’s systems.116

The Security Rule also requires healthcare organizations to use access controls, allowing only necessary users to have access to electronic protected health information.117 The Security Rule requires organizations to conduct risk analyses of all threats to any electronic protected health information generated by the organization or its affiliates to determine if any electronic protected health information is in jeopardy of theft, exposure, or loss.118 Covered entities must also demonstrate that their entire workforce is in compliance with the Security Rule.119

The HIPAA Breach Notification Rule

As an additional incentive to avoid putting electronic protected health information at risk, and to put those negatively affected on alert, HIPAA provides a number of rules requiring healthcare organizations to notify different parties in the case of a breach.120 These provisions are in HIPAA’s Breach Notification Rule.121 The Breach Notification Rule applies to all protected health information, not only electronic protected health information.122

Under title 45, § 164.402 of the Code of Federal Regulations, a breach is defined as: “[T]he acquisition, access, use, or disclosure of protected health information in a manner not permitted, … which compromises the security or privacy of the protected health information.”123 Any impermissible use of protected health information is presumptively a breach requiring notification, unless the covered entity is able to demonstrate that there is a low likelihood that the protected health information was actually compromised.124 If a covered entity commits a breach that involves unsecured protected health information, the entity is required to make disclosures regarding the breach to the U.S. Department of Health and Human Services, any individuals who may be affected by the breach, and, depending on the circumstances, to the public through the media.125

Data Breach Litigation

The healthcare industry has been the subject of more class action lawsuits regarding data breaches than any other industry in recent years.126 To date, there is no commonly recognized theory of liability to hold healthcare organizations accountable for stolen or jeopardized personal healthcare information.

An often-used theory of liability has been the common law of negligence. The two varieties of negligence theory often used in this context are: (1) the healthcare organization owes a nondelegable duty to protect the health information it holds and any attack that jeopardizes this information constitutes a breach of that nondelegable duty; and (2) the healthcare organization provided negligent security increasing the risk of a cyber attack.127

The first theory of liability is grounded in the same context as a premises liability case, in which a property owner owes a duty of care to those on its property. This theory is often hamstrung by negligence law’s requirement of a foreseeable and actual harm.128 Cases brought under this theory often do not succeed because it is difficult or impossible to determine what damage has been sustained by a healthcare consumer whose private health information has been jeopardized.

The second negligence theory is more akin to a negligent security theory, under which the healthcare organization is viewed as having a duty to provide adequate security in protecting private health information; thus, a hack that jeopardizes this information can be the basis of a negligence suit. This theory found traction in the 2015 “Ashley Madison” case.129 Ashley Madison is the name of a company hosting a website for adults committing marital infidelity.130 Hackers were able to breach the company’s servers and threatened to leak users’ information unless the site was shut down.131 Ashley Madison refused and the hackers released the private information of approximately 32 million users.132 Users whose information had been released sued Ashley Madison under several theories, including a negligence theory, pled as negligent data security.133 The case survived several legal hurdles and resulted in a settlement between the affected consumers and Ashley Madison for $11.2 million.134 Although this theory of negligence has been tested, it is still unclear if it will be accepted by most courts in the cyber breach context.

It is also worth noting that, though there is no federal legislative scheme for cyber liability in hacking cases, California has passed such a law, specifically in the private health information context, based on breach of privacy, called the Confidentiality of Medical Information Act.135 Similarly, common law causes of action based on invasion of privacy may also present valid remedies to consumers whose health information has been put at risk by hackers.

Preventing and Managing a Ransomware Attack

Preventing a Ransomware Attack

Of course, never ending up in a situation where one has to negotiate with a ransomware hacker is the most effective means of protecting a healthcare organization’s information and resources.136 The U.S. government has encouraged systems administrators and computer users to take certain preventive steps to lower the risk of a successful ransomware attack.137

The Importance of Backing Up Data

Backing up all electronic data to a secured backup location can prevent a terrible situation from becoming a nightmare.138 A healthcare organization with a secured, isolated backup at a remote location can restore its computer systems in approximately four hours.139 These backups should be tested and assessed annually to ensure that they can protect against a ransomware threat.140 Once a computer is infected with ransomware, the virus can move between computers using the same network, which is why it is imperative to store backup data outside of the original network to ensure that it would not be exposed to the virus.141 External backups can be stored in a cloud-based system or in physical form.142
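The three properties this section asks of a backup (isolated from the live network, integrity-checked, and restore-tested) can be exercised mechanically. The following is an added example written for this page, not code from the article or any product it mentions; it builds a SHA-256 manifest while copying files to a separate location, then simulates a ransomware pass that overwrites the live files and shows that the isolated copy still verifies and restores cleanly. All directory names, file contents and the "encryption" stand-in are constructed for the demonstration.

```python
"""Offline-verifiable backup check (added example, not from the article).

Copies a live tree to an isolated backup location, records a SHA-256
manifest, and verifies both the live tree and the backup against it.
A stand-in for a ransomware pass overwrites the live files so the
difference between the two trees becomes visible. All paths and data
below are constructed for the demonstration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dst: Path) -> dict:
    """Copy every file under src to dst and return {relative_path: sha256}."""
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src)
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[str(rel)] = sha256_file(target)
    # The manifest travels with the backup so a restore can be checked later.
    (dst / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(root: Path, manifest: dict) -> list:
    """Return relative paths that are missing or whose hash differs from the manifest."""
    bad = []
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file() or sha256_file(path) != expected:
            bad.append(rel)
    return sorted(bad)


def restore_test(backup: Path, manifest: dict) -> bool:
    """Restore into a scratch directory and confirm every file matches the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        for rel in manifest:
            target = scratch_path / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup / rel, target)
        return verify_tree(scratch_path, manifest) == []


def simulate_encryption(live: Path) -> None:
    """Stand-in for a ransomware pass: overwrite each live file with junk bytes."""
    for path in live.rglob("*"):
        if path.is_file():
            path.write_bytes(b"\x00ENCRYPTED\x00" + os.urandom(16))


def demo() -> dict:
    """Run the whole cycle on a constructed tree and report what each check found."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "ehr_live"
        backup = Path(tmp) / "isolated_backup"   # stands in for an off-network target
        (live / "records").mkdir(parents=True)
        (live / "records" / "patient_0001.txt").write_text("constructed record\n")
        (live / "schedule.csv").write_text("date,clinic\n2021-10-31,ortho\n")

        manifest = create_backup(live, backup)
        before = verify_tree(live, manifest)
        simulate_encryption(live)
        after = verify_tree(live, manifest)
        return {
            "files_backed_up": len(manifest),
            "live_mismatches_before": before,
            "live_mismatches_after": after,
            "backup_still_intact": verify_tree(backup, manifest) == [],
            "restore_test_passed": restore_test(backup, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what turns "we have a backup" into "we have a backup we can trust": a copy that sits on the same network could be overwritten by the same process that hit the live files, and without recorded hashes that damage is only discovered during the restore. Running `restore_test` on a schedule is the automated form of the annual test the section recommends.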

Controlling Access to Operating Systems

Perhaps not all healthcare organization staff members require access to the organization’s shared network to perform their tasks; therefore, access to the network can be limited based on priority.143 Administrative access to shared networks should be granted only if necessary; limiting administrative access reduces the window of opportunity a ransomware hacker has to infiltrate the network.144 Access controls can also be used to limit the files a user is able to access, thus controlling the potential danger zones a user can reach.145

Monitoring Inbound and Outbound E-Mails

Although newer versions of the ransomware virus no longer require an employee to open a dangerous e-mail, the older virus is still being used and other viruses are also dispatched in this manner.146 Known as phishing e-mails, these e-mails only pose a threat if they are opened by an employee.147 Although training and awareness programs can be effective at reducing the risk of an employee opening these false e-mails, some hackers are very skilled at making such e-mails appear authentic and important.148 Along with a prevention training program, healthcare organizations should make efforts to ensure that these e-mails never reach their employees in the first place.149 Spam filters can be enabled to detect these malicious e-mails, and authentication technologies are available to detect e-mails being sent from unknown locations.150 System administrators should also monitor inbound and outbound e-mails for suspicious activity.151
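The "authentication technologies" this section refers to are, in practice, SPF, DKIM and the DMARC policy a domain publishes to say what to do when neither aligns. The following is an added example written for this page, not code from the article; it takes the SPF and DKIM results an inbound gateway has already computed, applies the From: domain's DMARC policy, and separately flags the supervisor-impersonation pattern described under spear phishing (a display name that matches internal staff on a message from an external domain). The domain names, DMARC records, staff directory and sample messages are all constructed, and real DNS lookups are replaced by a dictionary.

```python
"""Inbound mail screening: DMARC disposition plus display-name impersonation
(added example, not from the article).

The gateway is assumed to have already evaluated SPF and DKIM; this code only
applies policy to those results. Domains, records and messages are constructed.
"""
from dataclasses import dataclass

INTERNAL_DOMAIN = "example-health.test"               # constructed
STAFF_DIRECTORY = {"dr. alice chen", "bob rivera"}     # constructed, lower-cased

# Constructed DMARC records, standing in for DNS TXT lookups at _dmarc.<domain>.
DMARC_RECORDS = {
    "example-health.test": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "vendor-mail.test": "v=DMARC1; p=none",
}


@dataclass
class Message:
    from_display: str      # display name in the From: header
    from_domain: str       # domain part of the From: header address
    envelope_domain: str   # domain of the SMTP MAIL FROM, which SPF checks
    spf: str               # "pass" / "fail" / "none", as computed by the gateway
    dkim_domain: str       # d= domain of the DKIM signature ("" if unsigned)
    dkim: str              # "pass" / "fail" / "none", as computed by the gateway


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; aspf=r' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Relaxed alignment compares organizational domains; last two labels suffice here."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(a: str, b: str, mode: str) -> bool:
    if mode == "s":                       # strict: exact domain match
        return a.lower() == b.lower()
    return org_domain(a) == org_domain(b)  # relaxed (the default)


def dmarc_disposition(msg: Message) -> str:
    """Return 'pass', or the From: domain's requested policy ('none', 'quarantine', 'reject')."""
    record = DMARC_RECORDS.get(msg.from_domain.lower())
    if record is None:
        return "none"                     # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = msg.spf == "pass" and aligned(
        msg.envelope_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim == "pass" and aligned(
        msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


def impersonation_flags(msg: Message) -> list:
    """Flag a staff member's name on mail that does not come from the internal domain."""
    flags = []
    if (msg.from_display.lower() in STAFF_DIRECTORY
            and org_domain(msg.from_domain) != org_domain(INTERNAL_DOMAIN)):
        flags.append("display name matches staff but sender domain is external")
    return flags


def screen(msg: Message) -> dict:
    disposition = dmarc_disposition(msg)
    flags = impersonation_flags(msg)
    action = "deliver" if disposition in ("pass", "none") else disposition
    if action == "deliver" and flags:
        action = "quarantine"             # DMARC alone would not catch a lookalike domain
    return {"dmarc": disposition, "flags": flags, "action": action}


# Constructed sample messages.
LEGIT = Message("Dr. Alice Chen", "example-health.test", "example-health.test",
                "pass", "example-health.test", "pass")
SPOOFED_DOMAIN = Message("Dr. Alice Chen", "example-health.test", "bulk-sender.test",
                         "fail", "", "none")
# Lookalike domain: capital I in place of l, so it publishes no DMARC record of ours.
LOOKALIKE = Message("Dr. Alice Chen", "example-heaIth.test", "example-heaIth.test",
                    "pass", "", "none")
VENDOR = Message("Billing", "vendor-mail.test", "vendor-mail.test", "fail", "", "none")

if __name__ == "__main__":
    for m in (LEGIT, SPOOFED_DOMAIN, LOOKALIKE, VENDOR):
        print(f"{m.from_display!r} <@{m.from_domain}> -> {screen(m)}")
```

Two of the sample messages make the section's point: the exact-domain spoof is rejected purely by the published `p=reject` policy, while the lookalike domain passes SPF for its own domain and is only caught by the display-name check. Neither control replaces the training the section also calls for; they reduce how many such messages reach an inbox in the first place.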

The Risk of Human Error

Although not all versions of the ransomware virus depend on human action, many versions infect computers by deceiving computer users into clicking links or opening e-mails.152 One of the simplest preventive steps a healthcare organization can take to defend itself from ransomware attacks is to inform its personnel of the risk posed by ransomware; common methods by which the virus is used to infect computers; and actions to avoid while using a healthcare server, such as clicking on advertisements, browsing unnecessary websites, or opening e-mails that seem in any way suspicious.153 A training and awareness program specific to the threat of ransomware, along with periodic reminders, can go a long way toward preventing an attack.154

Cyber-Defensive Measures

As mentioned earlier, some variants of ransomware are able to breach an organization’s shared network due to vulnerabilities or unpatched areas in the system’s network.155 The risk of this type of ransomware variant being successful can be mitigated by employing a patch management system to detect and prevent holes in the system’s network.156 Other, more common methods of defending computer systems include setting up firewalls that block unknown IP addresses and ensuring that anti-virus and anti-malware settings are set to scan for threats.157

How HIPAA Helps

If complied with, HIPAA’s numerous provisions can aid a healthcare organization in protecting itself from ransomware and all other cyber attacks.158 HIPAA’s Security Rule requires organizations covered by the law to implement a risk assessment plan and actively minimize the cybersecurity risks identified in the plan.159 The Security Rule also requires covered organizations to train personnel who have access to electronic protected health information and to designate a security official in charge of managing access to electronic protected health information.160 Furthermore, the Security Rule requires covered organizations to impose access controls regarding which employees may access this information.161

HIPAA’s Breach Notification Rule imposes disclosure requirements on organizations that experience certain types of breaches pertaining to their stored protected health information.162 The Rule requires healthcare organizations to disclose breaches of certain magnitudes to the individuals affected, the press, or the government.163 These requirements, plus the possibility of penalties as a result of the breach, encourage healthcare organizations to abide by HIPAA’s Privacy and Security Rule provisions, which can minimize the risk of a ransomware attack in the first place.164 These disclosure requirements also help to inform individuals affected by a data breach, to enable them to take steps to protect themselves.165

Managing a Ransomware Attack

If a computer or operating system is infected with the ransomware virus, the U.S. government suggests that the organization take certain steps to deal with the attack.166 If the virus is detected early enough that it has only infected one or a small number of computers, those computers should be disconnected from the organization’s network to prevent the virus from spreading further.167 If there are computers that have been infected, but not entirely disabled, these computers should also be disconnected from the network and shut down.168 If the organization has a backup system, this should be monitored to ensure it has not been infected by the virus, and if the backup is connected to the same network as the original system, the backup should be disconnected from the network.169 The U.S. government also recommends that organizations contact the FBI or the Secret Service if they fall victim to a ransomware attack.170 The organization should then secure as much of its uninfected system as possible and change any passwords associated with the network, if possible.171
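The steps above assume the infection is noticed while it is still confined to one or a few machines, which in practice means watching file-server audit logs for the signature of encryption in progress: one host renaming many files to a new extension in a short window. The following is an added example written for this page, not code from the article or from any government guidance it cites; it parses constructed audit lines, scores each host by renames with an extension change per 60-second window, notes whether the same host has touched the backup target, and emits the containment steps this section lists. The log format, host names, mount point and threshold are assumptions.

```python
"""Early ransomware detection from file-server audit logs, with the containment
steps the article lists (added example, not from the article).

Log format, host names, the backup mount point and the threshold are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\w+) "
    r"path=(?P<path>\S+)(?: -> (?P<newpath>\S+))?$"
)
BACKUP_PREFIX = "/backup/"     # assumed mount point of the backup target
RENAME_THRESHOLD = 5           # extension-changing renames per window before alerting
WINDOW = timedelta(seconds=60)

# Constructed audit lines: WS-0412 renames five records in four seconds and then
# writes into the backup share; WS-0077 is ordinary user activity.
SAMPLE_LOG = """\
2021-10-31T09:14:00Z host=WS-0412 user=jdoe op=write path=/records/p0001.docx
2021-10-31T09:14:02Z host=WS-0412 user=jdoe op=rename path=/records/p0001.docx -> /records/p0001.docx.locked
2021-10-31T09:14:03Z host=WS-0412 user=jdoe op=rename path=/records/p0002.docx -> /records/p0002.docx.locked
2021-10-31T09:14:03Z host=WS-0412 user=jdoe op=rename path=/records/p0003.pdf -> /records/p0003.pdf.locked
2021-10-31T09:14:04Z host=WS-0412 user=jdoe op=rename path=/records/p0004.pdf -> /records/p0004.pdf.locked
2021-10-31T09:14:05Z host=WS-0412 user=jdoe op=rename path=/records/p0005.xlsx -> /records/p0005.xlsx.locked
2021-10-31T09:14:06Z host=WS-0412 user=jdoe op=write path=/backup/nightly/index.db
2021-10-31T09:20:00Z host=WS-0077 user=mlee op=rename path=/records/draft.docx -> /records/final.docx
2021-10-31T09:21:00Z host=WS-0077 user=mlee op=write path=/records/final.docx
"""


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def ext_changed(old: str, new: str) -> bool:
    return old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]


def analyze(log_text: str) -> dict:
    """Return {host: {'renames_in_window': n, 'touched_backup': bool}} for suspicious hosts."""
    rename_times = defaultdict(list)
    touched_backup = defaultdict(bool)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        paths = (ev["path"], ev["newpath"] or "")
        if any(p.startswith(BACKUP_PREFIX) for p in paths):
            touched_backup[ev["host"]] = True
        if ev["op"] == "rename" and ev["newpath"] and ext_changed(ev["path"], ev["newpath"]):
            rename_times[ev["host"]].append(ev["ts"])

    suspicious = {}
    for host, times in rename_times.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= RENAME_THRESHOLD:
            suspicious[host] = {"renames_in_window": peak,
                                "touched_backup": touched_backup[host]}
    return suspicious


def containment_actions(suspicious: dict) -> list:
    """Map findings to the response steps the article describes."""
    actions = []
    for host, info in suspicious.items():
        actions.append(f"disconnect {host} from the network")
        if info["touched_backup"]:
            actions.append("disconnect the backup target from the network and verify it before any restore")
    if suspicious:
        actions.append("report the incident to the FBI or Secret Service")
        actions.append("change passwords associated with the network where possible")
    return actions


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    print(findings)
    for step in containment_actions(findings):
        print("-", step)
```

The threshold and window are deliberately simple; a production rule would also key on known ransom-note filenames and on write volume, and would suppress hosts that legitimately batch-rename (archival jobs, scanners). The point the example makes is the one the section makes: the earlier a single offending host is identified, the smaller the set of machines and backups that have to be pulled off the network.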

The U.S. government does not recommend paying ransoms to ransomware hackers.172 In fact, on October 1, 2020, in the face of rising ransomware attacks throughout the COVID-19 pandemic, the U.S. Department of the Treasury published its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.173 The Advisory notes that institutions often involved in facilitating payments to ransomware hackers, including cyber insurers, digital forensics firms, and financial institutions, are part of the ransomware problem in that they encourage hackers to continue deploying the virus, and that these institutions may actually be in violation of the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctions regulations. Specifically, OFAC designates malicious actors under its cyber sanctions program and prohibits U.S. organizations from providing material support to these malicious actors. Several active cybercriminal organizations, as well as the developers of certain successful ransomware variants, have been labeled as malicious actors by OFAC, and thus financial payments to these actors are prohibited.

In the context of a ransomware attack, the victim, its insurer, a digital forensics firm hired to provide support, a financial institution, or any other entity involved in the attack response would be prohibited from making any form of payment to the hacker in exchange for the release and/or non-disclosure of the compromised data if the hacker has been designated under OFAC’s cyber sanctions program. Although the Advisory does not mention them explicitly, law firms that assist in making such payments would likely be subject to the same rules. The clear issue that arises here is that determining the identity of a ransomware hacker is often beyond the ability of non-government organizations, particularly when those organizations are primarily concerned with protecting their compromised data and mitigating the harm of an ongoing attack. In deciding whether to make a ransom payment, cyber response teams now need to weigh the possibility of penalties if they cannot ascertain the identity of their attacker.

The Advisory also provides guidance on the penalties that may be imposed on those who pay ransomware hackers. Importantly, it makes clear that OFAC sanctions are enforced on a strict liability basis: an entity may be held liable for a payment to a designated actor even if it did not know that the payment violated sanctions. The Advisory also references the penalty schedule in 31 C.F.R. part 501, appx. A, under which the monetary penalty depends on the amount paid to the ransomware hacker.174

OFAC has discretion regarding whether, and to what extent, it will penalize entities making payments to ransomware hackers. The factors OFAC weighs in determining the severity of a penalty are set out in the Code of Federal Regulations and include: (1) whether the violation was willful or reckless; (2) whether the at-fault party was aware of the conduct at issue; (3) the harm to the goals of OFAC’s cyber sanctions program; (4) the characteristics of the at-fault party, including its size and commercial sophistication; (5) whether the party had a sanctions compliance program in place; (6) the remedial actions taken by the party; and (7) the party’s cooperation with OFAC throughout the investigation.

The U.S. government recommends that organizations infected with ransomware make contact with law enforcement.175 Law enforcement agencies such as the Secret Service or the FBI may be able to tap into helpful resources to which the organization — acting alone — would not have access.176 One such resource would be the international law enforcement community, which can aid in tracking down international hackers or foreign variants of the virus.177 Although notifying law enforcement may seem futile or embarrassing in ransomware cases, law enforcement officials have been successful in several ransomware cases.178

Despite these best practices, every organization faces a real possibility of being successfully attacked by a ransomware hacker.179 Healthcare organizations, along with each and every one of their users, must be vigilant at all times to prevent these attacks; a ransomware hacker only has to be successful once.180 This state of constant defense does not bode well for healthcare organizations: sooner or later, many will find themselves negotiating with ransomware hackers.181

Negotiating with Ransomware Hackers

If ransomware hackers are able to infect a healthcare organization’s system with a virus, the organization is faced with two options: (1) pay the ransom or (2) do not pay the ransom.182 Absent a clean, isolated backup, paying the ransom is the only realistic hope of regaining access to the encrypted data.183 However, paying in the hope that the virus will be lifted rests on a number of assumptions.184 First, if recovery depends on a decryption key to unlock the infected computer, the organization is assuming that if it pays, the hacker will actually provide the key.185 Second, the organization assumes that if it is given a decryption key, the key will actually work and restore the encrypted files (a decryptor only reverses the encryption; it does not remove the malware or close the entry point the attacker used, both of which still require cleanup).186 Third, the organization assumes that if the key is provided and works, it will restore all of its systems and not just some of them.187 Fourth, the organization assumes that the ransomware hackers will not simply hack it again after seeing their efforts rewarded.188 Refusing to pay the ransom, on the other hand, leaves practically zero chance of the attacker lifting the virus, a situation which, for healthcare organizations, can result in lost time, resources, and patient information, all of which are especially critical in the healthcare context.189 This may nonetheless be an acceptable loss if the proper protocols have been adhered to.190
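The following check is added here as an example; it is not code from the article or from the government guidance the article cites. It is the practical counterpart to two points above: the recommendation that a backup be confirmed clean before it is relied on, and the second and third assumptions behind a ransom payment (that the key works, and that it restores every system rather than only some). It assumes the organization recorded a SHA-256 manifest of its backup set while that set was known-good; the manifest format, the ransom-note filename hints, and the 7.5 bits-per-byte entropy threshold are assumptions made for this example. Run against a backup share, or against a file tree after a decryptor has been run, `audit_backup` reports files that changed, disappeared or appeared since the manifest, files whose contents look like ciphertext, and files named like ransom notes; `demo` builds a constructed sample set and shows both a clean and a tampered result.

```python
"""Backup and restore integrity check. Added example: not code from the article
or from the government guidance it cites.

Assumptions for this example: a SHA-256 manifest of the backup set was taken
while the set was known-good; ransom notes carry names containing one of the
substrings in NOTE_NAME_HINTS; 7.5 bits/byte of Shannon entropy in a file's
first 64 KiB is treated as ciphertext-like (legitimately compressed or
encrypted files will trip this too, so it is a flag for review, not proof).
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.5                                                  # assumed
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "recover", "how_to")  # assumed
NOTE_SUFFIXES = (".txt", ".html", ".hta")                                # assumed
SAMPLE_BYTES = 65536           # first 64 KiB is enough to estimate entropy

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(SAMPLE_BYTES), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random bytes, roughly 4 for English text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def build_manifest(root: Path) -> dict:
    """Hash every file under root. Run while the backup is known-good and keep
    the result somewhere the backup host cannot overwrite."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit_backup(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with the manifest. safe_to_restore is True
    only if nothing changed and nothing looks encrypted or like a ransom note.
    The same call verifies a tree after a decryptor has been run: anything
    still listed under modified or missing was not restored."""
    findings = {"modified": [], "missing": [], "new": [],
                "high_entropy": [], "ransom_note_like": []}
    present = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        present[rel] = p
        if p.suffix.lower() in NOTE_SUFFIXES and any(
                hint in p.name.lower() for hint in NOTE_NAME_HINTS):
            findings["ransom_note_like"].append(rel)
        with p.open("rb") as f:
            sample = f.read(SAMPLE_BYTES)
        if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    for rel, digest in manifest.items():
        if rel not in present:
            findings["missing"].append(rel)    # typically renamed, e.g. x.docx -> x.docx.locked
        elif sha256_of(present[rel]) != digest:
            findings["modified"].append(rel)   # content replaced in place
    findings["new"] = sorted(rel for rel in present if rel not in manifest)
    findings["safe_to_restore"] = not any(
        findings[k] for k in ("modified", "missing", "new", "high_entropy", "ransom_note_like"))
    return findings

def demo() -> dict:
    """Constructed sample: a tiny backup set and its manifest, then the footprint
    a ransomware run leaves on a share that kept syncing with an infected host."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "patients").mkdir()
        (root / "patients" / "chart_0001.txt").write_text("Patient chart, normal prose. " * 20)
        (root / "patients" / "chart_0002.txt").write_text("Medication list, plain text. " * 20)
        manifest = build_manifest(root)
        clean = audit_backup(root, manifest)
        victim = root / "patients" / "chart_0001.txt"
        victim.write_bytes(os.urandom(4096))                       # ciphertext-like content
        victim.rename(victim.with_name(victim.name + ".locked"))   # original name disappears
        (root / "patients" / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.")
        tampered = audit_backup(root, manifest)
    return {"clean": clean, "tampered": tampered}

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, {k: v for k, v in result.items() if v})
```

The entropy test is a heuristic: legitimately compressed or encrypted files (archives, PDFs with embedded streams, key stores) also score near 8 bits per byte, so a high-entropy hit on a file that is otherwise unchanged from the manifest is noise, while a hit on a new or renamed file deserves a look. Keep the manifest somewhere the backup host cannot overwrite; an attacker with write access to the share can rewrite it along with the data, which is the same reason the article insists the backup be isolated from the compromised network.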

 

The interests of the opposing parties must also be considered, and each possible outcome weighed, when deciding whether or not to pay a ransom demand. As noted earlier, the successfully hacked healthcare organization may either pay the ransom or refuse to pay it.191 The successful hacker may either release the hostage computer system, along with all of its data, or refuse to release the system, leaving it infected and unusable.192 The only win-win situation here occurs when the healthcare organization pays the ransom and the ransomware hacker releases the computer system.193 The healthcare organization regains its ability to function and provide healthcare services, and the ransomware hacker realizes its financial goal.194

A second outcome arises when the healthcare organization decides to pay the ransom demand but the ransomware hacker refuses to release the computer system despite the payment. This happens rather often, unfortunately, because ransomware hackers are not the most honest of criminals, which makes payment a less-than-appealing option.195 It is a lose-win outcome for the healthcare organization and the hacker, respectively. The next outcome, in which the healthcare organization declines to pay and the hacker nevertheless releases the hostage system, is a win-lose outcome favoring the healthcare organization. It will almost never occur: having already compromised the organization’s computer system, the hackers hold the superior bargaining position and are unlikely to act against their own interests. The final outcome, in which the organization declines to pay and the hacker does not release the hostage system, is a lose-lose scenario in which the organization does not recover its system and the hacker does not realize its financial goal.

This outcome-based framework for analyzing ransomware negotiations has several drawbacks. The four outcomes cannot be given equal weight: the one in which the healthcare organization does not pay and the hacker nevertheless releases the system will almost certainly not occur, whereas the one in which the organization pays and the hacker does not release part or all of the system is a real possibility and has occurred in the past. Moreover, the outcome in which the organization pays and the hacker releases the system is not actually a win for the organization; it is a serious loss. The organization will have spent the amount paid to the hacker, suffered downtime during the negotiation and, worst of all, will have permanently lost control of any protected patient information the attacker stole, since a decryption key does nothing to retrieve data that has already been exfiltrated.196

However, if the healthcare organization has adhered to the best practices for preventing a ransomware attack, it will have backed up all of its electronic information onto a separate server that is kept isolated from the production network and is therefore safe from the attack.197 Such a backup mitigates the potential damage if the organization chooses not to pay the ransom and does not recover the system controlled by the hacker,198 and it allows the organization to resume operations much faster than it could by negotiating with the hacker.199 This makes the lose-lose outcome more appealing, especially considering that at any point after a ransomware hacker takes control of a computer system, the hacker could steal protected patient data.200 Thus, under any of the four outcomes, protected patient data could be stolen, resulting in a significant loss for the healthcare organization and its patients.201

Arguments in Favor of Paying Ransoms to Ransomware Hackers

The arguments in favor of paying ransoms to ransomware hackers include the possibility of recovering the hostage data and the notion that ransom negotiators should not limit their options by removing the possibility of paying a ransom. However, the digital nature of the hacker ransom demand transaction can allow hackers to back out on their side of the agreement with relative ease.202 When both sides of a ransom negotiation are entirely digital, the possibility of recovering the hostage data decreases substantially.203

Arguments Opposed to Paying Ransoms to Ransomware Hackers

The arguments against paying ransoms to ransomware hackers include the idea that ransom payments will only further the ransomware hacking enterprise; that paying a ransom may expose the organization as vulnerable and willing to pay out, which encourages future ransomware attacks; and that ransomware hackers may simply accept the ransom payment and sell the ransomed data on the black market.204 These arguments are compelling in part because they have been proven accurate based on ransomware attacks on healthcare organizations in the past.205 However, imposing an outright ban on healthcare organizations paying ransom payments to ransomware hackers would unnecessarily deprive negotiators of a valuable option in the negotiation.206 Furthermore, there may be nothing to be gained by depriving healthcare organizations of the right to pay ransom to ransomware hackers, because, even if they are fully aware that healthcare organizations are banned from paying,207 the hackers still have an incentive to hack the organizations to steal their valuable, protected patient data. They may demand ransom payments anyway, hoping that the organizations will pay regardless of the ban, perhaps to make the problem go away quietly.208

Alternative Future Solutions to the Ransomware Problem

Although an outright ban on ransom payments to ransomware hackers may be too restrictive of negotiators’ options, other legal measures can be employed to help combat the problem.209

Imposing a Tax on Ransomware Payments to Be Used for Anti-Hacking Efforts

An alternative method of reducing the incentive of cyber-ransom negotiators to pay, and of ransomware hackers to infect computers, is to impose a tax on cyber-ransom payments, with the proceeds used to combat the ransomware problem. In the ransomware context, a federal tax could be imposed on all ransom payments made to ransomware hackers, and the proceeds could fund federal efforts to prevent cyber attacks. Such a tax reduces the incentive of healthcare organizations to pay ransoms because paying would cost them an additional sum on top of the ransom. It also reduces the incentive of ransomware hackers to demand ransoms from these organizations, because doing so would indirectly fund government efforts aimed at preventing cyber attacks in the first place. The major shortcoming of this approach is that healthcare organizations may become even less likely to report ransomware incidents, so as to avoid the tax.

Prohibiting Insurance Coverage for Ransomware Attacks

In response to the rising threat of cyberhacking, many different forms of cyber insurance are now available to organizations.210 Although general liability insurers have refused to provide coverage for damage arising from cyber attacks, cyber insurance specifically seeks to cover insured entities for the cost of digital loss and repair following a cyber attack on the insured’s computer network.211 Healthcare organizations have an incentive to purchase cyber insurance, as coverage can help an organization financially in recovering from a debilitating attack.212 Many organizations nonetheless choose not to purchase cyber insurance because, among other reasons, they do not want to disclose that their systems have been compromised following an attack; doing so may expose the organization as vulnerable to future attacks.213

Although some might argue that ransom-based insurance policies promote security because the occurrence of successful cyber attacks is nearly inevitable, others argue that this type of coverage only lulls covered organizations into a false sense of security and results in the organization failing to implement other appropriate safeguards to prevent ransom situations from arising.214 Cyber insurance can help a healthcare organization regain a functioning network in the face of an attack, but the organization still has an incentive to take other steps to protect its system because cyber insurance typically does not help the organization with respect to HIPAA claims and other liability due to lost patient data.215

Requiring Healthcare Organizations to Pass Annual Cyber Inspections and Employ Cyber Guards

HIPAA already places several requirements on healthcare organizations pertaining to electronic protected health information, including a requirement that the organization conduct regular risk analyses of its electronic security measures.216 This requirement could be expanded to require healthcare organizations to pass an annual cyber inspection by an authorized institution.217 Such a requirement would push each healthcare organization to ensure that its electronic protected health information is protected well enough to pass the inspection.218

Furthermore, an alternative solution could be to require healthcare organizations to employ electronic data protection experts to conduct regular performance reviews of the healthcare organization’s security measures.219

Conclusion

As data technology advances, the healthcare sector will constantly be adapting to an ever-changing, industry-specific array of threats. Ransomware itself is being modified to overcome the remedies designed to prevent infection in the first place. Some believe that a new variant of ransomware — a variant implementing artificial intelligence technology — is just beyond the horizon. The importance of the services provided by and the information held by healthcare organizations necessitates ongoing attention to this persistent threat.

This article is adapted from the ABA Health Law Section’s new book, Healthcare Cybersecurity, edited by W. Andrew H. Gantt II. This book pinpoints the current and impending threats to the healthcare industry’s data security, and how to handle and reduce such threats. For more information, go to www.shopABA.org.

Endnotes

  1. DeMuro, P.R., Keeping Internet Pirates at Bay: Ransomware Negotiation in the Healthcare Industry, 41 Nova L. Rev. 349, 359-60 (2017); Lord, N., Top 10 Biggest Healthcare Data Breaches of All Time, Digital Guardian (June 25, 2018), https://digitalguardian.com/blog/top-10-biggest-healthcare-data-breaches-all-time.
  2. Id. In 2016, 3.62 million healthcare consumers were affected by a data attack against Banner Health Center, a healthcare organization in Arizona. That same year, 3.47 million healthcare consumers were affected by a data breach attack against Newkirk Products, an issuer of various healthcare identification cards. In 2015, 3.9 million healthcare consumers were affected by a data breach hack launched against Medical Informatics Engineering, a company that engineers healthcare patient records software. In 2013, Advocate Healthcare, one of the largest healthcare providers in the country, disclosed that 4.03 million healthcare consumers were affected by a healthcare data attack. Of note, Advocate Healthcare was subsequently sued by consumers in relation to the breach and settled the case in 2016 for $5.55 million.
  3. How to Protect Your Networks from Ransomware, U.S. Gov. 2 (last updated 2016), https://www.justice.gov/criminal-ccips/file/872771/download; Gazet, A., Comparative Analysis of Various Ransomware Virii, 6 J. Computer Virology & Hacking Tech. 77, 77 (2010).
  4. O’Gorman, G. & McDonald, G., Ransomware: A Growing Menace, Symantec Security Response 2 (2016), https://www.01net.it/whitepaper_library/Symantec_Ransomware_Growing_Menace.pdf; Dunbrack, L., Providing Outside-In and Inside-Out Protection Against Ransomware and Other Intensifying Cyberthreats, IDC Health Insights 2 (2016).
  5. See O’Gorman & McDonald, supra n. 4, at 2.
  6. Id. at 3; see also How to Protect Your Networks from Ransomware, supra n. 3, at 2.
  7. O’Gorman & McDonald, supra n. 4, at 2; How to Protect Your Networks from Ransomware, supra n. 3, at 6.
  8. O’Gorman & McDonald, supra n. 4, at 2; How to Protect Your Networks from Ransomware, supra n. 3, at 2.
  9. O’Gorman & McDonald, supra n. 4, at 3.
  10. Id. at 4.
  11. Id.
  12. Id.
  13. Id.
  14. Id. at 4.
  15. Id.
  16. Id.; Gazet, supra n. 3, at 77;  Zimmerman, L.N., Ransomware—Your Data for Dollars, J. Kansas Bar Ass’n 16, 16 (2015).
  17. See O’Gorman & McDonald, supra n. 4, at 4.
  18. Id. at 2.
  19. Id. at 4; see also Gazet, supra n. 3, at 77; Zimmerman, supra n. 16, at 16.
  20. O’Gorman & McDonald, supra n. 4, at 5.
  21. Id.
  22. Id. at 4–5.
  23. Id. at 5.
  24. Id.
  25. Id. at 6; see also 10-Minute Guide to Healthcare Ransomware Protection, XTIUM 2, 3, https://www.evolveip.net/resources-library/10-minute-guide-healthcare-ransomeware-protection.
  26. O’Gorman & McDonald, supra n. 4, at 2;  Hagland, M., Special Report on Data Security: With the Ransomware Crisis, the Landscape of Data Security Is Shifting, Healthcare Innovation (Oct. 5, 2016), https://www.hcinnovationgroup.com/cybersecurity/article/13026937/special-report-on-data-security-with-the-ransomware-crisis-the-landscape-of-data-security-is-shifting.
  27. O’Gorman & McDonald, supra n. 4, at 2.
  28. Id. at 4; see also Dunbrack, L., Providing Outside-In and Inside-Out Protection Against Ransomware and Other Intensifying Cyberthreats, IDC Health Insights 1 (July 2016), https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/protection-ransomware-intensifying-cyberthreats.pdf.
  29. O’Gorman & McDonald, supra n. 4, at 4.
  30. Id.
  31. Id.
  32. Id.
  33. Id.
  34. Id.
  35. Dunbrack, supra n. 28, at 1–2; Hagland, supra n. 26; 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  36. 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25; see also Dunbrack, supra n. 28, at 2.
  37. 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25; see also Dunbrack, supra n. 28, at 2.
  38. Dunbrack, supra n. 28, at 10; see also O’Gorman & McDonald, supra n. 4, at 4.
  39. How to Protect Your Networks from Ransomware, supra n. 3, at 8.
  40. Id.
  41. See Dunbrack, supra n. 28, at 2; O’Gorman & McDonald, supra n. 4, at 4.
  42. Arndt, R.Z., A Year After WannaCry, Healthcare Organizations Face Mounting Cyberthreats, Modern Healthcare (June 22, 2018), https://www.modernhealthcare.com/article/20180622/TRANSFORMATION02/180629972/a-year-after-wannacry-healthcare-organizations-face-mounting-cyberthreats; United States Computer Emergency Readiness Team, Indicators Associated with WannaCry Ransomware (May 12, 2017), https://www.us-cert.gov/ncas/alerts/TA17-132A.
  43. Arndt, supra n. 42.
  44. Id.
  45. Id.
  46. Id.
  47. Indicators Associated with WannaCry Ransomware, supra n. 42.
  48. Solon, O. & Hern, A., ‘Petya’ Ransomware Attack: What Is it and Can it Be Stopped?, The Guardian (June 28, 2017), https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how; Symantec, Petya Ransomware Outbreak: Here’s What You Need to Know (Oct. 24, 2017), https://www.symantec.com/blogs/threat-intelligence/petya-ransomware-wiper; United States Computer Emergency Readiness Team, Petya Ransomware (July 1, 2017), https://www.us-cert.gov/ncas/alerts/TA17-181A; Hautala, L., After WannaCry and NotPetya, Ransomware Dwindled in 2017, CNet (Jan. 26, 2018), https://www.cnet.com/news/wannacry-notpetya-ransomware-hackers-2017-less-popular-malwarebytes; Greenberg, A., The Untold Story of NotPetya, The Most Devastating Cyberattack in History, Wired (Aug. 22, 2018), https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world; Greenberg, A., New Ransomware Linked to NotPetya Sweeps Russia and Ukraine, Wired (Oct. 24, 2017), https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine; Hern, A., WannaCry, Petya, NotPetya: How Ransomware Hit the Big Time in 2017, The Guardian (Dec. 30, 2017), https://www.theguardian.com/technology/2017/dec/30/wannacry-petya-notpetya-ransomware; United States Computer Emergency Readiness Team, Ransomware and Recent Variants (Mar. 31, 2016), https://www.us-cert.gov/ncas/alerts/TA16-091A.
  49. Dunbrack, supra n. 28, at 2.
  50. Id.
  51. O’Gorman & McDonald, supra n. 4, at 6.
  52. Id.
  53. Id.
  54. Id.
  55. Id.
  56. How to Protect Your Networks from Ransomware, supra n. 3, at 2.
  57. 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25. There are a number of reasons why an organization may choose not to report an attack. How to Protect Your Networks from Ransomware, supra n. 3, at 5. If word gets out that the organization was successfully attacked or, even worse, that the organization paid a hacker’s ransom demands, other cybercriminals may be encouraged to attack the organization upon seeing its willingness to pay or upon discovering its cyber vulnerability. Id. The organization that pays a ransomware hacker may also be met with a negative reputation if word of the payment gets out, because the organization has indirectly financed criminal activity. Id.
  58. How to Protect Your Networks from Ransomware, supra n. 3, at 5.
  59. Id.
  60. Landi, H., Report: Healthcare Industry Workers Lack Basic Cybersecurity Awareness, Healthcare Informatics (Nov. 1, 2016), https://www.hcinnovationgroup.com/cybersecurity/news/13027679/report-healthcare-industry-workers-lack-basic-cybersecurity-awareness.
  61. Id.
  62. Ponemon Inst., The State of Cybersecurity in Healthcare Organizations in 2016 (2016), http://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/State_of_Healthcare_Cybersecurity_Study.pdf.
  63. Id.
  64. 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  65. Id.
  66. Id.
  67. Id.
  68. Accenture, One in Four U.S. Consumers Have Had Their Healthcare Data Breached, Accenture Survey Reveals (Feb. 20, 2017), https://newsroom.accenture.com/news/one-in-four-us-consumers-have-had-their-healthcare-data-breached-accenture-survey-reveals.htm.
  69. Id.
  70. Id.
  71. Id.
  72. Donovan, F., Healthcare Data Breach Costs Remain Highest Among Industries, Health IT Security (July 12, 2018), https://healthitsecurity.com/news/healthcare-data-breach-costs-remain-highest-among-industries. A study conducted in 2018 found that, on average, data breaches in the healthcare industry resulted in losses of approximately $408 per record lost. Id.
  73. Hagland, supra n. 26.
  74. Id.
  75. Id.
  76. Id.
  77. Id.
  78. Id.
  79. Dunbrack, supra n. 28, at 2.
  80. Davis, J., Ransomware Attack Against California Provider Breaches Data of 85,000 Patients, Healthcare IT News (Apr. 26, 2018), https://www.healthcareitnews.com/news/ransomware-attack-against-california-provider-breaches-data-85000-patients.
  81. Davis, J.,  Ransomware, Malware Attack Breaches 45,000 Patient Records, Healthcare IT News (July 26, 2018), https://www.healthcareitnews.com/news/ransomware-malware-attack-breaches-45000-patient-records.
  82. Davis, J., Ransomware on Fetal Diagnostic Lab Breaches 40,800 Patient Records, Healthcare IT News (Sept. 13, 2018), https://www.healthcareitnews.com/news/ransomware-attack-fetal-diagnostic-lab-breaches-40800-patient-records.
  83. Davis, J.,  Update: Ransomware Attack on Cass Regional Shuts Down EHR, Healthcare IT News (July 11, 2018), https://www.healthcareitnews.com/news/update-ransomware-attack-cass-regional-shuts-down-ehr.
  84. Donovan, F., HMC Says Ransomware Attack Turned into Healthcare Data Breach, Health IT Security (Aug. 30, 2018), https://healthitsecurity.com/news/hmc-says-ransomware-attack-turned-into-healthcare-data-breach.
  85. Donovan, F., Ransomware Attack at Iowa Eye Clinic Puts PHI of 40K at Risk, Health IT Security (Nov. 1, 2018), https://healthitsecurity.com/news/ransomware-attack-at-iowa-eye-clinic-puts-phi-of-40k-at-risk.
  86. See 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25; Beek, C., Healthcare Organizations Must Consider the Financial Impact of Ransomware Attacks, McAfee (last updated 2016), https://www.mcafee.com/blogs/other-blogs/executive-perspectives/healthcare-organizations-must-consider-financial-impact-ransomware-attacks/;  Maruca, W., Hacked Health Records Prized for their Black Market Value, Fox Rothschild LLP: HIPAA and Health Information Technology,  (Mar. 16, 2015), http://hipaahealthlaw.foxrothschild.com/2015/03/articles/articles/hacked-health-records-prized-for-their-black-market-value.
  87. 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25;  Rossi, B. Why the Healthcare Industry Badly Needs a Cyber Security Health Check, Information Age (Aug. 25, 2015), http://www.information-age.com/why-healthcare-industry-badly-needs-cyber-security-health-check-123460052; Maruca, supra n. 86.
  88. 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25; Rossi, supra n. 87; Maruca, supra n. 86.
  89. 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  90. Dunbrack, supra n. 28, at 1–3.
  91. Id. at 2–3.
  92. Id.
  93. Id. at 2.
  94. Id. at 3.
  95. Id.
  96. Id.
  97. Id.
  98. See id.
  99. Id.
  100. Id. at 4. Hackers are already using these new technologies to breach healthcare organizations' networks.  Connected technologies including “insulin pumps, heart monitors, and picture archiving and communication systems” have already been hacked in order to gain access to the connected healthcare organization’s network. Id.
  101. See U.S. Department of Health & Human Services, Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA 1, 3 (2016).
  102. See How to Protect Your Networks from Ransomware, supra n. 3, at 2; Zimmerman, supra n. 16, at 16.
  103. 45 C.F.R. § 164.402 (2015); see also How to Protect Your Networks from Ransomware, supra n. 3, at 2; Zimmerman, supra n. 16, at 16.
  104. U.S. Department of Health & Human Services, OCR Privacy Brief: Summary of the HIPAA Privacy Rule 1 (2003).
  105. Id.
  106. Id. at 3–4; see also 45 C.F.R. § 160.103 (2005).
  107. U.S. Department of Health & Human Services, supra n. 104, at 4.
  108. 45 C.F.R. § 164.502(a)(2) (2005); U.S. Department of Health & Human Services, supra n. 104, at 4.
  109. 45 C.F.R. § 164.506(c)(1)(i)–(ii) (2005); U.S. Department of Health & Human Services, supra n. 104, at 4–5.
  110. Summary of the HIPAA Security Rule, HHS.GOV, http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations (July 26, 2013).
  111. Id.
  112. Id.
  113. Id.
  114. 45 C.F.R. § 164.306(a)(2) (2015); Summary of the HIPAA Security Rule, supra n. 110.
  115. See 45 C.F.R. §§ 164.306(a)(2), (e); Summary of the HIPAA Security Rule, supra n. 110.
  116. See Summary of the HIPAA Security Rule, supra n. 110.
  117. Id.
  118. 45 C.F.R. § 164.306(a); Summary of the HIPAA Security Rule, supra n. 110.
  119. Summary of the HIPAA Security Rule, supra n. 110.
  120. See 45 C.F.R. §§ 164.400–.414 (2015).
  121. Id.; Breach Notification Rule, HHS.GOV, http://www.hhs.gov/hipaa/for-professionals/breach-notification (July 26, 2013).
  122. See 45 C.F.R. § 164.400.
  123. 45 C.F.R. § 164.402.
  124. Breach Notification Rule, supra n. 121; see also 45 C.F.R. § 164.402(2). The four factors are: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated. 45 C.F.R. §§ 164.402(2)(i)–(iv).
  125. Breach Notification Rule, supra n. 121; see also 45 C.F.R. § 164.406(a) (2015).
  126. Healthcare Industry Tops List for Class Action Data Breach Lawsuits, HIPAA J. (Sept. 13, 2017), https://www.hipaajournal.com/healthcare-industry-tops-list-class-action-data-breach-lawsuits-8963.
  127. Mulligan J.  & VonderHaar, M., Health Hackers: Questioning the Sufficiency of Remedies When Medical Information Is Compromised, 29 Health L. 29, 30-31 (2016).
  128. See In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013 WL 4759588, at *5 (N.D. Ill. Sept. 3, 2013); Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011); Forbes v. Wells Fargo Bank, 420 F. Supp. 2d 1018, 1020-21 (D. Minn. 2006); Bell v. Acxiom Corp., No. 4:06CV00485-WRW, 2006 WL 2850042, at *2 (E.D. Ark. Oct. 3, 2006).
  129. Hackett, R., What to Know About the Ashley Madison Hack, FORTUNE.COM (Aug. 26, 2015), https://fortune.com/2015/08/26/ashley-madison-hack/.
  130. Krebs, B., Online Cheating Site Ashley Madison Hacked, Krebs on Security (July 15, 2015), http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked.
  131. Id.
  132. Hackett, supra n. 129.
  133. Mulligan & VonderHaar, supra n. 127, at 32.
  134. Kravets, D., Lawyers Score Big in Settlement for Ashley Madison Cheating Site Data Breach, Ars Technica (July 17, 2017), https://arstechnica.com/tech-policy/2017/07/sssshhh-claim-your-19-from-ashley-madison-class-action-settlement.
  135. Cal. Civ. Code §§ 56-56.16.
  136. See How to Protect Your Networks from Ransomware, supra n. 3, at 3, 5.
  137. Id. at 3–4.
  138. See 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  139. Id.
  140. How to Protect Your Networks from Ransomware, supra n. 3, at 4.
  141. Dunbrack, supra n. 28, at 2; How to Protect Your Networks from Ransomware, supra n. 3, at 3.
  142. How to Protect Your Networks from Ransomware, supra n. 3, at 4. However, there are variants of the ransomware virus that are capable of infecting backups located on cloud-based storage systems if those systems regularly back up the original system automatically. Id. at 6. This method of automatic backup from a cloud-based system is referred to as persistent synchronization. Id. at 4. Healthcare organizations with a persistent synchronization backup network may want to consider utilizing a separate backup network as well. See id.
  143. Id.
  144. Id. at 3–4.
  145. Id. at 4.
  146. Id. at 3.
  147. Id.; 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  148. See How to Protect Your Networks from Ransomware, supra n. 3, at 3. Hackers have used a virus variant that sends an authentic-appearing e-mail to an employee, listing that employee’s employer as the sender. 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25. The unsuspecting employee is more likely to open an urgent, yet spam, e-mail from his or her boss than to open an e-mail from an anonymous or unfamiliar sender. Id.
  149. How to Protect Your Networks from Ransomware, supra n. 3, at 3.
  150. Id. Among these different verification programs are Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). Id.
  151. Id.
  152. Dunbrack, supra n. 28, at 2; How to Protect Your Networks from Ransomware, supra n. 3, at 3.
  153. How to Protect Your Networks from Ransomware, supra n. 3, at 3.
  154. Id.
  155. Dunbrack, supra n. 28, at 2.
  156. How to Protect Your Networks from Ransomware, supra n. 3, at 3.
  157. Id.
  158. See U.S. Department of Health & Human Services, supra n. 104, at 4.
  159. 45 C.F.R. § 164.306(a)(2) (2015); Summary of the HIPAA Security Rule, supra n. 110.
  160. See 45 C.F.R. §§ 164.306(e), 164.308(a)(2) (2015); Summary of the HIPAA Security Rule, supra n. 110.
  161. 45 C.F.R. § 164.306(a); Summary of the HIPAA Security Rule, supra n. 110.
  162. 45 C.F.R. § 164.402 (2015); Breach Notification Rule, supra n. 121.
  163. 45 C.F.R. § 164.402; Breach Notification Rule, supra n. 121.
  164. See Breach Notification Rule, supra n. 121.
  165. See 45 C.F.R. § 164.402; Breach Notification Rule, supra n. 110.
  166. How to Protect Your Networks from Ransomware, supra n. 3, at 4–5.
  167. Id.; see also Dunbrack, supra n. 28, at 10.
  168. How to Protect Your Networks from Ransomware, supra n. 3, at 4; see also Dunbrack, supra n. 28, at 10.
  169. How to Protect Your Networks from Ransomware, supra n. 3, at 5; see also Dunbrack, supra n. 28, at 11; 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  170. How to Protect Your Networks from Ransomware, supra n. 3, at 5.
  171. Id.
  172. Id.; 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  173. U.S. Dept. of the Treasury, Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Oct. 1, 2020), available at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.
  174. 31 C.F.R. part 501, appx. A.
  175. How to Protect Your Networks from Ransomware, supra n. 3, at 5.
  176. Id.
  177. Id.
  178. Zimmerman, supra n. 16, at 16. For example, in mid-2014 the U.S. Department of Justice was able to take down an entire malware system being used to launch ransomware attacks. This system was known as Gameover ZeuS. Id.
  179. 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  180. Zimmerman, supra n. 16, at 16; 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  181. See 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  182. Id.; DeMuro, supra n. 1, at 387–88.
  183. DeMuro, supra n. 1, at 387–88.
  184. Id.
  185. Id.
  186. Id.
  187. Id.
  188. Id.
  189. Zimmerman, supra n. 16, at 16.
  190. Dunbrack, supra n. 28, at 9–11; 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  191. See 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25; DeMuro, supra n. 1, at 387–88.
  192. DeMuro, supra n. 1, at 387–88.
  193. Id.
  194. Id.
  195. 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25. This was the case where a ransomware hacker successfully infected a Kansas-based hospital with the ransomware virus. The hospital chose to pay the ransom, likely hoping that the first outcome would occur (the hospital regains functioning of its computer systems and the hacker is satisfied with the reward). However, instead of honoring the agreement, upon receiving the ransom sum, the hacker released only part of the hospital’s operating system. The hacker then demanded further ransom payments to release the rest of the system—a significant portion of the system—from the ransomware virus. Thus, while hoping to achieve the first outcome of the possible resolutions to a ransom negotiation, this negotiation ended up with the second outcome, in which the hospital pays the ransom and the ransomware hacker refuses to release the computer system from the virus. This is a lose-win situation for the hospital and the hacker, respectively. See id.
  196. Beek, supra n. 86.
  197. Dunbrack, supra n. 28, at 11; Zimmerman, supra n. 16, at 16; 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25; DeMuro, supra n. 1, at 387–88.
  198. See Dunbrack, supra n. 28, at 11; Zimmerman, supra n. 16, at 16; 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25; DeMuro, supra n. 1, at 387–88.
  199. See Dunbrack, supra n. 28, at 11; Zimmerman, supra n. 16, at 16; 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25. In fact, if the organization engages with and pays a ransomware hacker, the organization may never regain control over its stolen computer system. 10-Minute Guide to Healthcare Ransomware Protection, supra n. 25.
  200. See Zimmerman, supra n. 16, at 16; Hagland, supra n. 26; DeMuro, supra n. 1, at 387–88.
  201. DeMuro, supra n. 1, at 390–91; see also Zimmerman, supra n. 16, at 16; Hagland, supra n. 26.
  202. DeMuro, supra n. 1, at 390–91.
  203. Id.
  204. Id.
  205. Id.
  206. Gifford, D.G., A Context-Based Theory of Strategy Selection in Legal Negotiation, 46 Ohio St. L.J. 41, 46 (1985); Reynolds, J.W., Breaking BATNAS: Negotiation Lessons from Walter White, 45 N.M. L. Rev. 611, 612 (2015); Comput. Crime & Intellectual Prop. Section, U.S. Dep’t of Justice, How to Protect Your Networks From Ransomware 2 (2016), http://www.justice.gov/criminal-ccips/file/872771/download [hereinafter CCIPS White Paper].
  207. DeMuro, supra n. 1, at 390–91; Zimmerman, supra n. 16, at 16; Hagland, supra n. 26.
  208. DeMuro, supra n. 1, at 390–91; Zimmerman, supra n. 16, at 16; Hagland, supra n. 26.
  209. Reynolds, supra n. 206, at 612; CCIPS White Paper, supra n. 206, at 5.
  210. See Bolot, J. & Lelarge, M., Cyber Insurance as an Incentive for Internet Security, in Managing Information Risk and the Economics of Security 269, 273 (M. Eric Johnson ed., 2009); Majuca, R.P., et al., The Evolution of Cyberinsurance 2 (2006); Richards, K., Is Cyberinsurance Worth the Risk?, TechTarget, http://searchsecurity.techtarget.com/feature/Is-cyberinsurance-worth-the-risk (August 2014).
  211. Trang, M.N., Compulsory Corporate Cyber-Liability Insurance: Outsourcing Data Privacy Regulation to Prevent and Mitigate Data Breaches, 18 Minn. J.L. Sci. & Tech. 389, 407 (2017).
  212. See Bolot & Lelarge, supra n. 210, at 270–71; Majuca et al., supra n. 210, at 2–3; Richards, supra n. 210.
  213. See Richards, supra n. 210.
  214. See Bolot & Lelarge, supra n. 210, at 277; Majuca et al., supra n. 210, at 2–3; Richards, supra n. 210.
  215. Bolot & Lelarge, supra n. 210, at 270–71; Majuca et al., supra n. 210, at 2–3; Breach Notification Rule, supra n. 121; Richards, supra n. 210; Summary of HIPAA Security Rule, supra n. 110.
  216. 45 C.F.R. § 164.306(a)(1) (2015); see also Breach Notification Rule, supra n. 121; Summary of HIPAA Security Rule, supra n. 110.
  217. See 45 C.F.R. § 164.306(b)(1); Breach Notification Rule, supra n. 121; Summary of HIPAA Security Rule, supra n. 110.
  218. See 45 C.F.R. § 164.306(c); Breach Notification Rule, supra n. 121; Summary of HIPAA Security Rule, supra n. 110.
  219. See 45 C.F.R. § 164.308(a)(2) (2015); Summary of HIPAA Security Rule, supra n. 110. HIPAA already requires covered organizations to designate an individual in charge of ensuring that the organization complies with HIPAA-required safeguards pertaining to protected patient information. 45 C.F.R. § 164.308(a)(2); Summary of HIPAA Security Rule, supra n. 110.

Paul R. DeMuro, PhD, JD, MBA, CPA, FHFMA, FACMPE

-------

Paul R. DeMuro, PhD, JD, MBA, CPA, FHFMA, FACMPE has practiced health law for over 40 years. He has authored or co-authored over 200 publications, and has delivered over 400 presentations around the world, including on cybersecurity and data privacy. He holds a PhD in Biomedical Informatics, an MBA in Finance, a law degree, and an active CPA license (Maryland). He is currently Chief Legal Officer, Health and Wellness for the Royal Palm Companies in Miami, Florida. He is a retired partner of the global law firm of Latham & Watkins LLP. He is a former National Library of Medicine Post-Doctoral Fellow in Biomedical Informatics, and is a Fellow of the American College of Medical Practice Executives of the Medical Group Management Association (MGMA), the American Bar Foundation, the American Health Law Association (AHLA), and the Healthcare Financial Management Association (HFMA).

Dr. DeMuro is on the board of the national MGMA and a member of the Finance and Investment Committee of the American Medical Informatics Association. He is a former Chair of the American Bar Association Health Law Section and the Joint Committee on Employee Benefits. Dr. DeMuro also is a former board member of the national HFMA and its executive committee, and a Vice-Chair of the Accountable Care Organizations Task Force of the AHLA. He is a member of the American Institute of Certified Public Accountants, the American College of Healthcare Executives, and the International Bar Association. He has received numerous honors and awards and is known for his ability to generate novel solutions and creative ideas to solve complex problems, all while achieving consensus of the stakeholders. He may be reached at [email protected].

Henry Norwood

-------

Henry Norwood is an attorney with the law office of Kaufman, Dolowich & Voluck, practicing law primarily in the areas of healthcare compliance and corporate litigation. Mr. Norwood is a graduate of the University of Maine (B.A.) and of the Nova Southeastern University Shepard Broad College of Law (J.D.) and is licensed to practice law in the States of Florida, Maine, and Massachusetts. He and his wife live in Orlando, Florida. He may be reached at [email protected].

The material in all ABA publications is copyrighted and may be reprinted by permission only.