The Basics of Ransomware
The History of Ransomware
Early ransomware variants infected a computer, encrypted certain files so that the user could not open them without a decryption key, and then demanded a ransom payment in exchange for that key.6 Other variants instead lock the infected computer’s screen, rendering the machine useless to the user.7 The malware then displays a message demanding payment in exchange for regained access to the computer.8 This screen-locking form of ransomware is believed to have originated in or near Russia.9
Instead of demanding a ransom outright and revealing the criminal nature of the screen lock, some early forms of ransomware displayed a message purporting to come from an authentic source, such as Microsoft, claiming that to activate the computer the user had to send a text message to a phone number that billed the user a premium-rate charge for the text.10 The user believed he or she was sending a simple activation text to Microsoft, but in reality the computer had been infected with ransomware and the premium charge was being collected by the ransomware hacker.11
Another early form did not attempt to conceal the criminal nature of the ransom: instead of posing as a representative of Microsoft, the hacker would display a pornographic image on the user’s screen and lock the screen with the image on display.12 A message would then demand payment, through the same premium-rate phone call or text message used in the Microsoft variant, in exchange for removal of the image and regained computer function.13 This version was successful because it shamed the user into paying, and it remained in use for quite some time.14
Starting around 2011, a new ransomware variant appeared.15 It resembled its predecessors in that it still locked the user’s screen or locked the user out of specific files.16 The major difference was the content of the ransom message displayed on the user’s screen.17 The new variant displayed messages claiming to be from a government agency, such as the Federal Bureau of Investigation (FBI) or a local law enforcement agency.18 The fake message informed the user that the computer had been locked because the user had committed a crime and that the only way to regain access was to pay a fine.19 Interestingly, some forms of the virus used geolocation data available from the infected computer to determine where it was located.20 Knowing the location allowed the hacker to tailor the ransom message so that it appeared more legitimate, for example by writing it in the predominant language of the region and displaying the insignia of law enforcement agencies that actually exist there.21 This variant also abandoned the premium-rate text and phone call as its method of collecting ransoms.22
Modern ransomware hackers instead take advantage of online prepaid payment vouchers and virtual currencies, which function much like prepaid accounts.23 The victim purchases a voucher or loads funds into an online account using his or her own credit card and transmits the code or payment to the hacker.24 The hacker then collects the funds and decides whether to unlock the victim’s computer or dishonor the agreement.25
How Does Ransomware Infect Computers?
To succeed in extorting a ransom, hackers must first infect computers with the ransomware.26 They use several different techniques to do so.27 One of the more common is the drive-by download.28 A drive-by download begins when the hacker has already compromised a legitimate website29 and inserted hidden code into its pages.30 An unsuspecting visitor is silently redirected to a second site operated by the hacker, which exploits a vulnerability in the visitor’s browser or browser plug-ins to install the ransomware without any further action by the user.31 For this to work, the original website must have had some vulnerability the hacker could exploit to plant the code in the first place.32
To avoid the hurdle of exploiting an existing weakness in a website, some hackers simply buy advertising space on legitimate websites, a technique known as malvertising.33 The advertisement may purport to promote anything, but once the user clicks it, the user is directed to the hacker’s website, which delivers the ransomware.34
A different tactic used by hackers is referred to as spear phishing.35 Spear phishing is a hacking technique where the hacker sends a false e-mail to a computer user, often an employee of a company.36 The e-mail may claim to be from the employee’s coworker or supervisor and may instruct the employee to follow a series of tasks, which would actually result in the employee infecting the system with a virus, such as ransomware.37
Other means of infecting computers with a ransomware virus include piggybacking the virus onto a different form of malware already infecting a computer, or by sending out e-mails containing spam along with the virus.38 Ransomware will often be paired with another form of malware designed specifically to steal data and other information located on the infected computer.39 Thus, while the ransomware virus locks the computer and demands ransom from the victim, the additional malware is stealing data from the infected computer.40 Although the version of ransomware that requires a computer user to click on a certain advertisement or e-mail is still commonly used, newer versions of the virus are being developed that rely on vulnerabilities in an organization’s web server.41
The ransomware virus known as “WannaCry” was unleashed in May 2017.42 It infected more than 200,000 computers across 150 countries.43 It could display its ransom note in at least 27 languages, selected according to the infected computer’s locale.44 In the United Kingdom, WannaCry forced National Health Service systems offline.45 It demanded ransom payments in the virtual currency Bitcoin in exchange for regained access to encrypted files.46 WannaCry spread through a vulnerability in the Windows SMBv1 file-sharing service for which Microsoft had released a patch (MS17-010) two months earlier; because it propagated as a worm from one vulnerable machine to the next, no user needed to click anything, and unpatched systems exposed on a network were infected automatically.47 The WannaCry incident brought the ransomware crisis to the forefront of consumer attention and made ransomware a well-known threat even outside health and IT security circles.
In 2016 and 2017, attacks across Europe involved the “Petya” ransomware variant. In 2017, attacks worldwide involved the “NotPetya” variant, and the “BadRabbit” variant infected systems throughout Russia and Ukraine. Throughout 2016, the “Locky” and “SamSam” variants were active worldwide.48 Most of these attacks were launched indiscriminately against individuals and corporations across a wide range of industries, including healthcare.
If an organization’s web server is unprotected or unpatched, hackers are able to exploit this weakness and infiltrate the organization’s online network.49 Once inside the network, the virus is able to move from the initial hacked computer to other computers using the same network, collect log-in data and credentials from employee staff, steal private stored data, and infect multiple systems with the ransomware virus.50
Ransomware as a Lucrative Crime
The earning prospects for cybercriminals using ransomware vary by country and by variant.51 In one study, a variant was found to have infected approximately 5,700 computers in a single day.52 Of these, 168 users appear to have tried to free their computers by entering a PIN, the code the hacker provides after the demanded ransom is paid.53 The study thus estimated that approximately 2.9 percent of those infected paid, and the average amount demanded was $200; by this calculation, that single day’s infections yielded about $33,600 (168 × $200) in ransom payments.54 Extrapolating, the researchers estimated that $394,400 a year could be extorted with this variant if only 2.9 percent of its targets paid.55
In 2016, an average of more than 4,000 ransomware attacks occurred every day.56 Statistics on ransomware attacks and ransom payments may represent only a fraction of the total sums extorted, because many organizations report neither being attacked nor paying a ransom.57
The Threat of Ransomware in the Healthcare Setting
Healthcare organizations are appealing targets to hackers.58 In recent years, healthcare organizations have been targeted by cybercriminals more than most other industries;59 in fact, the healthcare industry has been ranked fifth highest in attacks by ransomware among all industries.60 In one study regarding information technology security in healthcare organizations, researchers found that the healthcare sector suffered from several vulnerabilities in healthcare IT security from lack of awareness, patching issues, and employee error.61 Some research suggests that, on average, healthcare organizations experience a cyber attack almost every single month.62 The same research also suggests that nearly half of the healthcare organizations involved in the study had experienced a cyber attack within the past 12 months in which private patient information was at risk.63
The ransomware virus has been very effective at infecting healthcare organizations.64 Between 2005 and 2014, $57.6 million in ransom payments were made by healthcare organizations to ransomware hackers.65 During these years, ransom payments to hackers ranged from $200 to $10,000.66 In 2015, approximately $24 million in ransom payments were made by healthcare organizations to ransomware hackers.67 In 2017, one study of data breaches in the healthcare sector concluded that one out of four consumers of healthcare services had become victims of healthcare data theft.68 Half of these breaches resulted in identity theft.69 Of the consumers surveyed, the majority had their healthcare data hacked from hospitals, urgent care clinics, or pharmacies.70 Half of these consumers who were the victims of data breaches discovered the data breach on their own, rather than being notified by the healthcare facility holding their healthcare information.71 Furthermore, the costs of a data breach are highest when the breach targets the healthcare industry, compared to other industries, and the costs of data breaches have increased in the past few years.72
In February 2016, Hollywood Presbyterian Medical Center in Hollywood, California, fell prey to a ransomware attack.73 A doctor at the medical center said that its system “was being held for ransom.”74 Reports indicated that the medical center had lost control of its electronic health record system for more than a week and that the hackers responsible had demanded more than $3 million to bring the system back online.75 The medical center’s CEO later revealed that it had paid approximately $17,000 to the hackers, who honored their word and restored the medical center’s access to its system.76
A March 28, 2016, incident revealed that integrated systems storing health data were also at risk when a Maryland-based integrated healthcare system was hit by ransomware.77 The system held the healthcare information of 10 hospitals, and it took several weeks to restore the information systems, during which time the hospitals attempted to function and care for patients as best they could.78 A single attack on a Maryland-based hospital involved a ransom demand of approximately $18,500.79
In 2018, ransomware attacks launched against healthcare organizations continued. In February, a multi-location orthopedic specialty organization in California underwent a ransomware attack that put the private health information of 85,000 patients at risk.80 In May, a medical practice in Missouri fell victim to a ransomware attack, resulting in the breach of more than 45,000 patient records.81 In June, a fetal diagnostic lab was infected with a ransomware virus breaching approximately 40,800 patient records.82 In July, a hospital center in Missouri was targeted with ransomware and could not access its patient health records because of the virus.83
In July, a health management organization in New Hampshire was the victim of a ransomware attack. The organization paid the ransom and recovered its data, but the private health information of the organization’s patients may still have been available to the ransomware hackers.84 In August, an Iowa-based eye care center was infected by a ransomware virus, exposing the private health information of more than 40,000 patients.85
Healthcare organizations are an appealing target for data hackers.86 Patients’ electronic health records are worth far more than a victim’s credit or debit card number.87 In fact, electronic health records may be worth 10 times more to data hackers than a credit or debit card number.88 In recent years, the volume of U.S.-based ransomware attacks focusing on the healthcare industry has increased.89 Healthcare organizations may be appealing to hackers because every minute could literally be a matter of life and death, and every minute the organization does not have full access to its electronic healthcare information, each patient is at risk, increasing the pressure on healthcare organizations to recover access to their systems by paying the ransomware hackers.90
Healthcare organizations are using and creating more electronic healthcare data than ever before.91 Electronic healthcare data allows healthcare providers different advantages in providing patients with quality care; however, with more data being stored in an online format, hackers have more targets and far more incentive to target the healthcare industry.92 Healthcare organizations are storing “valuable financial, insurance, and demographic data” that can be used, or sold to be used, to commit identity theft.93
As an additional threat, hospital employees and medical staff are now using their personal or organization-provided mobile devices to access private patient health records stored on the organization’s servers.94 Alerts are sent to the mobile devices of healthcare staff to keep them informed of patients’ vital statistics.95 Medical imaging machines are connected to healthcare servers using the internet.96 New technologies, such as smart glasses, are being developed that allow constant health monitoring of patients by healthcare professionals.97 This constant stream of private health information is recorded and digitally sent to the healthcare organization’s servers, where it becomes accessible to the monitoring healthcare professional.98 Older technology, such as copy and fax machines, are also connected to the organization’s servers.99 Unfortunately, these technologies are very vulnerable to cyber attacks.100 It seems that as the technology becomes more innovative, the efforts to secure and protect the information being transmitted by the technologies have not kept up.
The Existing Legal Framework for Ransomware Attacks
The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) has become synonymous with the protection of private patient healthcare information.101 HIPAA is intertwined with the threat posed by ransomware because an attack may expose or steal electronic patient information held by healthcare providers.102 A ransomware attack is a breach under HIPAA when protected health information is acquired, accessed, used, or disclosed in a manner not permitted and the incident “compromises the security or privacy of the protected health information.”103 The U.S. Department of Health and Human Services has taken the position that encryption of electronic protected health information by ransomware is itself such an acquisition, so the attack is presumed to be a breach unless the covered entity can demonstrate a low probability that the information was compromised, whether or not the hacker actually exfiltrated the data.
The HIPAA Privacy Rule
The HIPAA Privacy Rule creates national standards designed to protect private health information.104 The Privacy Rule applies to a specific category of information, known as protected health information.105 Protected health information is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form, that relates to “the individual’s past, present, or future physical or mental health or condition; the provision of healthcare to the individual; or the past, present, or future payment for the provision of healthcare to the individual,” and that either identifies the individual or could reasonably be used to identify him or her.106
Entities covered by HIPAA may use or disclose individually identifiable health information only as the Privacy Rule permits or requires, or as the individual authorizes in writing for a specified purpose.107 Uses and disclosures the Rule permits without authorization include disclosure to the individual upon request, disclosures to certain government agencies (for example, for public health activities or a law enforcement investigation),108 and use or disclosure for treatment, payment, and healthcare operations.109
The HIPAA Security Rule
The HIPAA Security Rule requires covered entities to implement administrative, physical, and technical safeguards that lower the risk of a successful cyber attack.110 The Security Rule applies to a subset of protected health information, referred to as “electronic protected health information.”111 Electronic protected health information is protected health information that a covered entity creates, receives, maintains, or transmits in electronic form.112
The Security Rule requires organizations to conduct regular risk analyses to detect potential vulnerabilities to the electronic protected health information being stored by the organization.113 The organization then must work to minimize these vulnerabilities.114 Organizations must have protocols in place to detect and prevent malicious software from infecting their computer systems.115 Users of healthcare organizations’ computer systems must be trained on how to protect their systems against malicious software and report any suspicions that malicious software has infected one of the organization’s systems.116
The Security Rule also requires healthcare organizations to use access controls, allowing only necessary users to have access to electronic protected health information.117 The Security Rule requires organizations to conduct risk analyses of all threats to any electronic protected health information generated by the organization or its affiliates to determine if any electronic protected health information is in jeopardy of theft, exposure, or loss.118 Covered entities must also demonstrate that their entire workforce is in compliance with the Security Rule.119
The HIPAA Breach Notification Rule
As an additional incentive to avoid putting electronic protected health information at risk, and to put those negatively affected on alert, HIPAA provides a number of rules requiring healthcare organizations to notify different parties in the case of a breach.120 These provisions are in HIPAA’s Breach Notification Rule.121 The Breach Notification Rule applies to all protected health information, not only electronic protected health information.122
Under title 45, § 164.402 of the Code of Federal Regulations, a breach is defined as: “[T]he acquisition, access, use, or disclosure of protected health information in a manner not permitted, … which compromises the security or privacy of the protected health information.”123 Any impermissible acquisition, access, use, or disclosure of protected health information is presumed to be a breach requiring notification unless the covered entity can demonstrate, through a documented risk assessment, that there is a low probability that the protected health information has been compromised.124 When a breach involves unsecured protected health information, the entity must notify the U.S. Department of Health and Human Services, each individual whose information was affected, and, depending on the number of individuals affected, the public through the media.125
Data Breach Litigation
The healthcare industry has been the subject of more class action lawsuits regarding data breaches than any other industry in recent years.126 To date, there is no commonly recognized theory of liability to hold healthcare organizations accountable for stolen or jeopardized personal healthcare information.
An often-used theory of liability has been the common law of negligence. The two varieties of negligence theory often used in this context are: (1) the healthcare organization owes a nondelegable duty to protect the health information it holds and any attack that jeopardizes this information constitutes a breach of that nondelegable duty; and (2) the healthcare organization provided negligent security increasing the risk of a cyber attack.127
The first theory of liability is grounded in the same context as a premises liability case, in which a property owner owes a duty of care to those on its property. This theory is often hamstrung by the requirement in negligence cases requiring a foreseeable and actual harm.128 Cases brought under this theory often do not succeed because it is difficult or impossible to determine what damage has been sustained by a healthcare consumer whose private health information has been jeopardized.
The second negligence theory is more akin to a negligent security theory, under which the healthcare organization is viewed as having a duty to provide adequate security in protecting private health information; thus, a hack that jeopardizes this information can be the basis of a negligence suit. This theory found traction in the 2015 “Ashley Madison” case.129 Ashley Madison is the name of a company hosting a website for adults committing marital infidelity.130 Hackers were able to breach the company’s servers and threatened to leak users’ information unless the site was shut down.131 Ashley Madison refused and the hackers released the private information of approximately 32 million users.132 Users whose information had been released sued Ashley Madison under several theories, including a negligence theory, pled as negligent data security.133 The case survived several legal hurdles and resulted in a settlement between the affected consumers and Ashley Madison for $11.2 million.134 Although this theory of negligence has been tested, it is still unclear if it will be accepted by most courts in the cyber breach context.
It is also worth noting that, though there is no federal legislative scheme for cyber liability in hacking cases, California has passed such a law, specifically in the private health information context, based on breach of privacy, called the Confidentiality of Medical Information Act.135 Similarly, common law causes of action based on invasion of privacy may also present valid remedies to consumers whose health information has been put at risk by hackers.
Preventing and Managing a Ransomware Attack
Preventing a Ransomware Attack
Of course, never ending up in a situation where one has to negotiate with a ransomware hacker is the most effective means of protecting a healthcare organization’s information and resources.136 The U.S. government has encouraged systems administrators and computer users to take certain preventive steps to lower the risk of a successful ransomware attack.137
The Importance of Backing Up Data
Backing up all electronic data to a secured backup location can prevent a bad situation from becoming a disaster.138 A healthcare organization with a secured, isolated backup at a remote location can restore its computer systems in approximately four hours.139 These backups should be tested at least annually, by actually restoring from them, to ensure that they would protect against a ransomware threat.140 Once a computer is infected with ransomware, the virus can reach other computers on the same network, along with any network shares or backup volumes that are writable from the infected machine; it is therefore imperative to keep backup copies outside the original network, offline or otherwise not writable with the credentials the infected systems use, so that they cannot be encrypted along with the live data.141 External backups can be stored in a cloud-based system or in physical form.142
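The requirement to test backups and keep them out of reach is easy to state and easy to get wrong in practice, so here is an added example (not from the article or any of its cited sources) in Python. It writes a hash manifest beside a backup copy, verifies the copy against that manifest before any restore is attempted, and runs a simulation in which a "live" directory and a backup that stayed reachable from the same network are both overwritten; the isolated copy verifies and restores, the reachable one is refused. The directory names, the placeholder chart files, and the ransomware simulation (random bytes, a renamed extension, and a dropped note, not real encryption) are all constructed for the example.

```python
"""Backup manifest and restore test for ransomware recovery.

Added example, not from the article: a backup is trusted for restore only
after its contents match the hash manifest recorded when it was taken.
Everything here runs in a temporary folder; the 'patient charts' are
placeholder text and the 'ransomware' is a simulation, not malware.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def make_backup(src, dst):
    """Copy src into dst/data and record a hash manifest next to the copy."""
    shutil.copytree(src, os.path.join(dst, "data"))
    manifest = snapshot(src)
    with open(os.path.join(dst, MANIFEST), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(dst):
    """Return the problems found when the copy is checked against its manifest."""
    with open(os.path.join(dst, MANIFEST)) as f:
        expected = json.load(f)
    actual = snapshot(os.path.join(dst, "data"))
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected: {rel}")   # e.g. .locked files or a ransom note
    return problems


def restore(dst, target):
    """Restore dst into target only if the backup verifies; returns files restored."""
    problems = verify_backup(dst)
    if problems:
        raise RuntimeError("backup failed verification: " + "; ".join(problems))
    shutil.rmtree(target, ignore_errors=True)
    shutil.copytree(os.path.join(dst, "data"), target)
    return len(snapshot(target))


def simulate_ransomware(root):
    """Simulation only: overwrite each file with random bytes, rename it, drop a note."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "wb") as f:
                f.write(os.urandom(64))
            os.rename(full, full + ".locked")
    with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "w") as f:
        f.write("constructed ransom note for the simulation\n")


def demo():
    """Isolated backup survives and restores; a backup reachable from the network does not."""
    work = tempfile.mkdtemp()
    live = os.path.join(work, "live")
    os.makedirs(os.path.join(live, "charts"))
    for i in range(3):  # constructed placeholder records, not real patient data
        with open(os.path.join(live, "charts", f"chart-{i}.txt"), "w") as f:
            f.write(f"placeholder chart {i}, constructed test data\n")
    offline = os.path.join(work, "offline-backup")       # isolated copy
    connected = os.path.join(work, "connected-backup")   # share writable from the live network
    original = make_backup(live, offline)
    make_backup(live, connected)

    simulate_ransomware(live)
    simulate_ransomware(os.path.join(connected, "data"))  # the reachable share is hit too

    result = {"offline_problems": verify_backup(offline),
              "connected_problems": verify_backup(connected)}
    restored = os.path.join(work, "restored")
    result["restored_files"] = restore(offline, restored)
    result["restore_matches_original"] = snapshot(restored) == original
    try:
        restore(connected, os.path.join(work, "restored-from-connected"))
        result["connected_restore_refused"] = False
    except RuntimeError:
        result["connected_restore_refused"] = True
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the file directly to see the two outcomes side by side. In a real deployment the manifest must itself live somewhere the infected systems cannot write, or be signed, since an attacker who can rewrite the backup can also rewrite a manifest stored beside it.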
Controlling Access to Operating Systems
Not all staff members require access to every part of the organization’s shared network to perform their tasks; access should therefore be limited to what each role needs.143 Administrative privileges on shared systems should be granted only when necessary, because ransomware running under an account with broad access can encrypt everything that account can reach; limiting such access narrows the window of opportunity a ransomware hacker has to spread through the network.144 Access controls can also restrict which files a user, and any malware running as that user, is able to read or modify, thus limiting the potential damage from a single compromised account.145
Monitoring Inbound and Outbound E-Mails
Although newer versions of the ransomware virus no longer require an employee to open a dangerous e-mail, the older virus is still in use and other malware is also delivered this way.146 Known as phishing e-mails, these messages pose a threat only if the recipient opens the attachment or follows the link they carry.147 Training and awareness programs can reduce the chance that an employee does so, but some hackers are very skilled at making such e-mails appear authentic and urgent.148 Alongside training, healthcare organizations should ensure that these e-mails never reach their employees in the first place.149 Spam filters can be enabled to quarantine malicious e-mails, and sender authentication standards (SPF, DKIM, and DMARC) can detect messages that claim to come from the organization’s own domain but were not sent by its mail servers.150 System administrators should also monitor inbound and outbound e-mail for suspicious activity.151
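Sender authentication and the “claims to be from a coworker or supervisor” pattern described earlier can be checked mechanically at the mail gateway. The following is an added Python example, not from the article, that applies three such checks to raw message headers: a From address in the organization’s own domain whose Authentication-Results header does not record a DMARC pass; a display name matching a staff member while the address does not; and a From domain within a small edit distance of the organization’s domain, or a Reply-To that points somewhere else. The organization domain, the staff directory, and the four sample messages are constructed for the example.

```python
"""Header triage for inbound mail that impersonates the organization or its staff.

Added example (not from the article): sender-authentication and impersonation
checks over raw RFC 5322 headers. The organization domain, staff directory and
sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-hospital.org"                 # hypothetical organization domain
STAFF = {"Dana Lee": "dlee@example-hospital.org"}   # hypothetical staff directory


def auth_results(msg):
    """Parse Authentication-Results (RFC 8601) into {method: result}, e.g. {'dmarc': 'pass'}."""
    results = {}
    header = msg.get("Authentication-Results", "")
    for clause in header.split(";")[1:]:        # the first clause is the authserv-id
        clause = clause.strip()
        if "=" in clause:
            method, rest = clause.split("=", 1)
            results[method.strip().lower()] = rest.split()[0].lower()
    return results


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as 'hospita1' for 'hospital'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return the reasons a message looks like impersonation (empty list if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    auth = auth_results(msg)
    reasons = []
    if domain == ORG_DOMAIN and auth.get("dmarc") != "pass":
        reasons.append("claims the organization's domain but DMARC did not pass")
    if name in STAFF and addr.lower() != STAFF[name].lower():
        reasons.append(f"display name matches staff member but address is {addr}")
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain")
    return reasons


SAMPLES = {  # constructed sample messages; bodies are a single placeholder line
    "legitimate": (
        "From: Dana Lee <dlee@example-hospital.org>\n"
        "Authentication-Results: mx.example-hospital.org; spf=pass smtp.mailfrom=example-hospital.org;"
        " dkim=pass header.d=example-hospital.org; dmarc=pass header.from=example-hospital.org\n"
        "Subject: Monday schedule\n\nSee attached.\n"
    ),
    "spoofed_supervisor": (
        'From: "Dana Lee" <dlee@example-hospital.org>\n'
        "Authentication-Results: mx.example-hospital.org; spf=fail smtp.mailfrom=example-hospital.org;"
        " dkim=none; dmarc=fail header.from=example-hospital.org\n"
        "Subject: Urgent: open the attached invoice\n\nPlease process today.\n"
    ),
    "display_name_only": (
        'From: "Dana Lee" <dana.lee.office@webmail.example>\n'
        "Authentication-Results: mx.example-hospital.org; spf=pass smtp.mailfrom=webmail.example;"
        " dkim=pass header.d=webmail.example; dmarc=pass header.from=webmail.example\n"
        "Subject: Quick favor\n\nAre you at your desk?\n"
    ),
    "lookalike_domain": (
        "From: IT Help Desk <support@example-hospita1.org>\n"
        "Reply-To: <support@mailbox.example>\n"
        "Authentication-Results: mx.example-hospital.org; spf=pass smtp.mailfrom=example-hospita1.org;"
        " dkim=pass header.d=example-hospita1.org; dmarc=pass header.from=example-hospita1.org\n"
        "Subject: Password expiry\n\nClick the link to keep your account.\n"
    ),
}


def triage_all():
    return {label: triage(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, reasons in triage_all().items():
        print(f"{label}: {'clean' if not reasons else '; '.join(reasons)}")
```

The DMARC check only applies to mail claiming the organization’s own domain; the display-name and lookalike checks are what catch the external webmail account or registered lookalike domain that passes authentication for the attacker’s own domain, which is the common spear-phishing case.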
The Risk of Human Error
Although not all versions of the ransomware virus depend on human action, many versions infect computers by deceiving computer users into clicking links or opening e-mails.152 One of the simplest preventive steps a healthcare organization can take to defend itself from ransomware attacks is to inform its personnel of the risk posed by ransomware; common methods by which the virus is used to infect computers; and actions to avoid while using a healthcare server, such as clicking on advertisements, browsing unnecessary websites, or opening e-mails that seem in any way suspicious.153 A training and awareness program specific to the threat of ransomware, along with periodic reminders, can go a long way toward preventing an attack.154
As mentioned earlier, some ransomware variants breach an organization’s network through unpatched vulnerabilities in its internet-facing systems.155 That risk can be mitigated with a patch management process that inventories systems, applies vendor updates promptly, and verifies that they were actually installed.156 Other, more common defenses include firewalls that block unsolicited inbound connections and expose only the services that must be reachable, and anti-virus and anti-malware software configured to update and scan automatically.157
How HIPAA Helps
If complied with, HIPAA’s numerous provisions can aid a healthcare organization in protecting itself from ransomware and all other cyber attacks.158 HIPAA’s Security Rule requires organizations covered by the law to implement a risk assessment plan and actively minimize the cybersecurity risks identified in the plan.159 The Security Rule also requires covered organizations to train personnel who have access to electronic protected health information and to designate a security official in charge of managing access to electronic protected health information.160 Furthermore, the Security Rule requires covered organizations to impose access controls regarding which employees may access this information.161
HIPAA’s Breach Notification Rule imposes disclosure requirements on organizations that experience a breach of unsecured protected health information.162 The Rule requires covered entities to notify the affected individuals and the U.S. Department of Health and Human Services in every case, and prominent media outlets as well when a breach affects more than 500 residents of a state or jurisdiction.163 These requirements, plus the possibility of penalties as a result of the breach, encourage healthcare organizations to abide by HIPAA’s Privacy and Security Rule provisions, which can minimize the risk of a ransomware attack in the first place.164 The disclosures also inform individuals affected by a data breach so that they can take steps to protect themselves.165
Managing a Ransomware Attack
If a computer or system is infected with ransomware, the U.S. government suggests that the organization take certain steps to deal with the attack.166 If the infection is detected early enough that it has reached only one or a small number of computers, those computers should be disconnected from the organization’s network to prevent further spread.167 Infected computers that have not been entirely disabled should likewise be isolated from the network; if they must be powered down to stop the spread, the organization should understand that doing so discards volatile evidence (running processes and memory, which in some cases contain the encryption key) that a forensic examiner could otherwise preserve, so disconnecting the network cable or disabling the network interface is preferable where it suffices.168 If the organization has a backup system, it should be checked to confirm that it has not been infected or encrypted, and if the backup is connected to the same network as the original system, it should be disconnected.169 The U.S. government also recommends that organizations contact the FBI or the Secret Service if they fall victim to a ransomware attack.170 The organization should then secure as much of its uninfected environment as possible and reset passwords and other credentials associated with the network, since ransomware is frequently paired with malware that collects credentials.171
The U.S. government does not recommend paying ransoms to ransomware hackers.172 In fact, on October 1, 2020, in the face of rising ransomware attacks throughout the Covid-19 pandemic, the U.S. Department of the Treasury published its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.173 The Advisory notes that institutions often involved in facilitating payments to ransomware hackers, including cyber insurers, digital forensics firms, and financial institutions, are part of the ransomware problem in that they encourage hackers to continue deploying the virus, and that these institutions may actually be in violation of the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctions regulations. Specifically, OFAC designates malicious cyber actors under its cyber-related sanctions program and prohibits U.S. persons from engaging in transactions with, or providing material support to, those actors. Several active cybercriminal organizations, as well as the developers of certain successful ransomware variants, have been designated by OFAC, and payments to them are therefore prohibited.
In the context of a ransomware attack, the victim of the attack, its insurer, a digital forensics organization hired to provide support, a financial institution, or any other entity (although not explicitly mentioned in the advisory, law firms that assist in these payments would also likely be subject to the same rules) involved in the attack response would be prohibited from making any form of payment to the hacker in exchange for the release and/or non-disclosure of the compromised data if the hacker has been designated a malicious actor under OFAC’s cyber sanctions program. The clear issue that arises here is that determining the identity of a ransomware hacker is often beyond the ability of non-government organizations, particularly when these organizations are primarily concerned with protecting their compromised data and mitigating the harm of an ongoing ransomware attack. In deciding whether to make a ransom payment, cyber response teams will now need to weigh the possibility of penalties if they cannot ascertain the identity of their attacker.
The Advisory also addresses the penalties that may be imposed on those who pay ransomware hackers. Importantly, it makes clear that OFAC may impose civil penalties for sanctions violations on a strict liability basis, meaning that an entity may be held liable even if it did not know, and had no reason to know, that it was dealing with a sanctioned person. The Advisory references the Economic Sanctions Enforcement Guidelines in 31 C.F.R. part 501, appendix A, under which the base penalty depends on the value of the transaction (here, the amount paid to the hacker), on whether the violation is deemed egregious, and on whether it was voluntarily self-disclosed.174
OFAC has discretion regarding whether, and to what extent, it will penalize entities making payments to ransomware hackers. The general factors OFAC weighs, found in the Enforcement Guidelines, include: (1) whether the violation was willful or reckless; (2) the party’s awareness of the conduct at issue; (3) the harm to the objectives of the sanctions program; (4) the characteristics of the party, including its size, commercial sophistication, and sanctions history; (5) whether the party had a risk-based sanctions compliance program in place; (6) the remedial actions taken by the party; and (7) the party’s cooperation with OFAC during the investigation. The Advisory adds that a self-initiated, timely, and complete report of a ransomware attack to law enforcement, together with full cooperation, will be treated as a significant mitigating factor, which ties the sanctions question directly to the reporting recommendation discussed next.
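The screening step the preceding paragraphs imply, as an added example that is not part of the original article: the names, aliases, and wallet addresses taken from a ransom note are checked against a sanctions list before any payment is arranged. The list data below is constructed and uses a simplified layout that only mirrors the conventions of OFAC's published SDN data (a name, a program code, and a remarks field carrying "a.k.a." aliases and "Digital Currency Address" entries); none of the names, programs as applied here, or addresses are real designations, and a production screen would load the current official list rather than this sample.

```python
"""Screen ransom-note indicators against a sanctions list before any payment.

Added example (not from the original article). The list below is CONSTRUCTED
in a simplified layout that mirrors the conventions of OFAC's published SDN data;
none of the names or addresses are real designations.
"""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

SAMPLE_SDN_CSV = """ent_num,SDN_Name,SDN_Type,Program,Remarks
90001,"EXAMPLE RANSOM GROUP",Entity,CYBER2,"a.k.a. 'EXRG'; a.k.a. 'EXAMPLE LOCKER'; Digital Currency Address - XBT bc1qexampleaddress000000000000000000000001"
90002,"DOE, John",Individual,CYBER2,"a.k.a. 'jd_locker'; Digital Currency Address - ETH 0x00000000000000000000000000000000000000a1"
90003,"UNRELATED SHIPPING CO",Entity,IRAN,"Vessel owner"
"""

_ALIAS_RE = re.compile(r"a\.k\.a\. '([^']+)'")
_ADDR_RE = re.compile(r"Digital Currency Address - ([A-Z0-9]+) ([0-9A-Za-z]+)")


@dataclass
class SdnEntry:
    ent_num: str
    name: str
    program: str
    aliases: List[str] = field(default_factory=list)
    addresses: Dict[str, str] = field(default_factory=dict)  # address key -> currency code


@dataclass
class Hit:
    indicator: str
    matched_on: str  # "name", "alias" or "address"
    entry_name: str
    program: str


def normalize_name(name: str) -> str:
    """Case-, punctuation- and word-order-insensitive key: 'DOE, John' == 'john doe'."""
    return " ".join(sorted(re.findall(r"[A-Z0-9]+", name.upper())))


def address_key(addr: str) -> str:
    """0x-prefixed (Ethereum-style) addresses are case-insensitive hex;
    base58/bech32 Bitcoin addresses are compared exactly."""
    return addr.lower() if addr.lower().startswith("0x") else addr


def load_sdn_entries(csv_text: str) -> List[SdnEntry]:
    """Parse the simplified CSV, pulling aliases and wallet addresses out of Remarks."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        remarks = row.get("Remarks") or ""
        entries.append(SdnEntry(
            ent_num=row["ent_num"],
            name=row["SDN_Name"],
            program=row["Program"],
            aliases=_ALIAS_RE.findall(remarks),
            addresses={address_key(addr): code for code, addr in _ADDR_RE.findall(remarks)},
        ))
    return entries


def screen_indicators(entries: Iterable[SdnEntry], names: Iterable[str] = (),
                      addresses: Iterable[str] = ()) -> List[Hit]:
    """Return every list entry that a supplied name/alias or wallet address matches."""
    names, addresses = list(names), list(addresses)
    hits: List[Hit] = []
    for e in entries:
        keys = {normalize_name(a): "alias" for a in e.aliases}
        keys[normalize_name(e.name)] = "name"
        for n in names:
            kind = keys.get(normalize_name(n))
            if kind:
                hits.append(Hit(n, kind, e.name, e.program))
        for a in addresses:
            if address_key(a) in e.addresses:
                hits.append(Hit(a, "address", e.name, e.program))
    return hits


def payment_decision(hits: List[Hit]) -> str:
    """BLOCK on any hit. NO_MATCH is not clearance: attribution is uncertain and the
    list changes, so re-screen at the time of payment and keep the screening record."""
    return "BLOCK" if hits else "NO_MATCH"


if __name__ == "__main__":
    sdn = load_sdn_entries(SAMPLE_SDN_CSV)
    found = screen_indicators(sdn, names=["Example Locker"],
                              addresses=["0X00000000000000000000000000000000000000A1"])
    for h in found:
        print(f"{h.matched_on:7} {h.indicator!r} -> {h.entry_name} [{h.program}]")
    print(payment_decision(found))
```

The matching is deliberately loose on names (order, case, and punctuation are ignored) because ransom notes and leak sites rarely reproduce a designation verbatim, and exact on wallet addresses because an address is the one indicator the victim can copy without interpretation. A NO_MATCH result only means the screen found nothing; the strict-liability point above still applies.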
The U.S. government recommends that organizations infected with ransomware contact law enforcement.175 Agencies such as the Secret Service or the FBI may be able to draw on resources to which the organization, acting alone, would not have access.176 One such resource is the international law enforcement community, which can aid in tracking down hackers abroad or foreign variants of the malware.177 Although notifying law enforcement may seem futile or embarrassing in ransomware cases, law enforcement officials have been successful in several of them.178
Despite these best practices, every organization faces a real possibility of being successfully attacked by a ransomware hacker.179 Healthcare organizations, along with each and every one of their users, must be vigilant at all times to prevent these attacks; a ransomware hacker only has to succeed once.180 Being constantly on the defense does not bode well for healthcare organizations: sooner or later, many of them will find themselves negotiating with ransomware hackers.181
Negotiating with Ransomware Hackers
If ransomware hackers succeed in infecting a healthcare organization’s systems, the organization is faced with two options: (1) pay the ransom or (2) do not pay the ransom.182 Absent a usable backup, paying the ransom is the only realistic hope of obtaining the decryption key that unlocks the encrypted data.183 Note that the payment buys a key, not a clean system: the malware itself still has to be removed and the intrusion path closed, usually by rebuilding the affected machines. Paying in the hope that the data will be recovered rests on a number of assumptions.184 First, the organization assumes that if it pays, the hacker will actually provide the decryption key.185 Second, it assumes that the key will work and that the decryptor will restore the files intact.186 Third, it assumes that the key will recover all of its systems and not just some of them.187 Fourth, it assumes that the hackers will not simply attack it again after seeing their efforts rewarded.188 Refusing to pay, on the other hand, leaves practically no chance of recovering the encrypted data unless a backup exists or a flaw in the ransomware’s cryptography yields a public decryptor; for a healthcare organization, that can mean lost time, resources, and patient information, all of which are especially critical in the healthcare context.189 This may nonetheless be an acceptable loss if the proper protocols have been adhered to.190
The various interests of the opposing parties in the ransomware scenario must also be considered and each outcome predicted when deciding whether or not to pay ransom demands. As noted earlier, the successfully hacked healthcare organization may either pay the ransom or refuse to pay the ransom.191 The successful hacker may either release the hostage computer system, along with all of its data, or refuse to release the system, leaving it infected and unusable.192 The only win-win situation here occurs when the healthcare organization pays the ransom and the ransomware hacker releases the computer system.193 The healthcare organization will regain its ability to function and provide healthcare services and the ransomware hacker will have realized its financial goal.194
A second resolution arises when the healthcare organization decides to pay the ransom demand, but the ransomware hacker refuses to release the computer system despite the payment. Unfortunately, this happens rather often, because ransomware hackers are not the most honest of criminals, which makes paying a less-than-appealing option.195 This is a lose-win situation for the healthcare organization and the hacker, respectively. The next outcome, in which the healthcare organization decides not to pay the ransom demand and the ransomware hacker nonetheless releases the hostage computer system, is a win-lose outcome favoring the healthcare organization. It will almost never occur, because the ransomware hackers have already succeeded in attacking the organization’s computer system and are therefore in a superior bargaining position, making them unlikely to act against their own interests. The final outcome, in which the healthcare organization chooses not to pay the demanded ransom and the hacker chooses not to release the hostage computer system, is a lose-lose scenario in which the organization will not recover its system and the hacker will not realize its financial goal.
This outcome-based framework for analyzing ransomware negotiations has several drawbacks. The four outcomes cannot be given equal weight: the outcome in which the healthcare organization does not pay and the hacker releases the system will almost certainly not occur, whereas the outcome in which the organization pays and the hacker does not release part or all of the system is a real possibility and has occurred in the past. Moreover, the outcome in which the healthcare organization pays the ransom and the hacker releases the system is not actually a win for the organization; in fact, it is a serious loss. The organization will have lost the resources used to pay the hacker and the downtime suffered during the negotiation and, worst of all, will have lost control of any stolen protected patient information, which the hacker can still retain or sell after the payment.196
However, if the healthcare organization has adhered to best practices before being attacked, it will have backed up its electronic information to a separate system that the ransomware cannot reach.197 That qualifier matters: backups that remain mounted on, or reachable with the same credentials as, the production network are routinely encrypted or deleted in the same attack, so the backup must be offline or immutable, and its restorability must have been tested before the incident rather than discovered during it. A backup of this kind mitigates the damage if the organization chooses not to pay and does not recover the system controlled by the hacker,198 and it allows the organization to resume operation much faster than would be possible if it had to negotiate with the hacker.199 This makes the lose-lose outcome more appealing, especially considering that at any point after taking control of a computer system, a hacker could have stolen protected patient data.200 Thus, under any of the four outcomes, protected patient data could be stolen, resulting in a significant loss for the healthcare organization and its patients.201
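The backup check that makes the no-pay option credible, as an added example that is not part of the original article: a hash manifest is taken at backup time and kept off-host, a restored tree is compared against it, and an entropy tripwire flags files that were already encrypted when the backup ran (the failure mode in which the "safe" copy is a copy of ciphertext). The directory, file names, contents, and the 7.5 bits-per-byte threshold are constructed for the demonstration; they are not from the article or any real organization.

```python
"""Prove an isolated backup is intact and restorable before declining a ransom.

Added example (not from the original article). It builds a CONSTRUCTED backup
tree in a temporary directory; the file names and contents are stand-ins.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed cut-off); ransomware ciphertext approaches 8.0


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _relpath(root: Path, p: Path) -> str:
    return p.relative_to(root).as_posix()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256, computed at backup time. Store the manifest off-host
    (ideally on write-once media) so an intruder cannot rewrite it along with the data."""
    return {_relpath(root, p): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest: anything missing, altered, or foreign."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest.keys() & current.keys() if manifest[k] != current[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def suspect_encrypted(root: Path, threshold: float = ENTROPY_THRESHOLD,
                      sample: int = 1 << 16) -> List[str]:
    """Files whose leading bytes look like ciphertext, i.e. data that was already
    encrypted when the backup ran. Compressed formats (zip, jpeg, pdf streams) also
    score high, so treat hits as leads to inspect, not verdicts."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            with p.open("rb") as f:
                if shannon_entropy(f.read(sample)) >= threshold:
                    hits.append(_relpath(root, p))
    return hits


def demo() -> dict:
    """Constructed scenario: take a manifest, then restore unfaithfully (one file altered,
    one missing, one foreign file dropped in) and show that the check catches all three."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("patients", "lab", "imaging"):
            (root / d).mkdir()
        (root / "patients" / "notes.txt").write_text("constructed clinical note, plain text\n" * 20)
        (root / "lab" / "results.csv").write_text("id,test,value\n1,hba1c,5.4\n")
        (root / "imaging" / "scan.bin").write_bytes(os.urandom(4096))  # stands in for already-encrypted data

        suspects = suspect_encrypted(root)   # run BEFORE trusting the backup
        manifest = build_manifest(root)      # taken at backup time, kept off-host

        (root / "patients" / "notes.txt").write_text("altered after the backup was taken\n")
        (root / "lab" / "results.csv").unlink()
        (root / "RECOVERY_NOTE.txt").write_text("constructed stand-in for a dropped ransom note\n")

        return {"manifest_entries": len(manifest),
                "suspects_at_backup": suspects,
                "report": verify_restore(root, manifest)}


if __name__ == "__main__":
    print(demo())
```

Run the manifest at backup time and the verification at restore-rehearsal time, on a schedule, not for the first time during an incident; a manifest that lives on the same host as the data proves nothing once that host is compromised.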
Arguments in Favor of Paying Ransoms to Ransomware Hackers
The arguments in favor of paying ransoms to ransomware hackers include the possibility of recovering the hostage data and the notion that ransom negotiators should not limit their options by removing the possibility of paying a ransom. However, the digital nature of the hacker ransom demand transaction can allow hackers to back out on their side of the agreement with relative ease.202 When both sides of a ransom negotiation are entirely digital, the possibility of recovering the hostage data decreases substantially.203
Arguments Opposed to Paying Ransoms to Ransomware Hackers
The arguments against paying ransoms to ransomware hackers include the idea that ransom payments will only further the ransomware hacking enterprise; that paying a ransom may expose the organization as vulnerable and willing to pay out, which encourages future ransomware attacks; and that ransomware hackers may simply accept the ransom payment and sell the ransomed data on the black market.204 These arguments are compelling in part because they have been proven accurate based on ransomware attacks on healthcare organizations in the past.205 However, imposing an outright ban on healthcare organizations paying ransom payments to ransomware hackers would unnecessarily deprive negotiators of a valuable option in the negotiation.206 Furthermore, there may be nothing to be gained by depriving healthcare organizations of the right to pay ransom to ransomware hackers, because, even if they are fully aware that healthcare organizations are banned from paying,207 the hackers still have an incentive to hack the organizations to steal their valuable, protected patient data. They may demand ransom payments anyway, hoping that the organizations will pay regardless of the ban, perhaps to make the problem go away quietly.208
Alternative Future Solutions to the Ransomware Problem
Although an outright ban on ransom payments to ransomware hackers may be too restrictive of negotiators’ options, other legal solutions can be employed to help combat the problem.209
Imposing a Tax on Ransomware Payments to Be Used for Anti-Hacking Efforts
An alternative method of reducing the incentives of cyber-ransom negotiators to pay a ransom, and of ransomware hackers to infect computers, is to impose a tax on cyber-ransom payments made, with the proceeds being used to combat the ransomware problem. In the ransomware context, a federal tax could be imposed on all ransom payments made to ransomware hackers and the proceeds could be used to fund federal efforts to prevent cyber attacks. Such a tax reduces the incentive of healthcare organizations to pay ransoms to ransomware hackers because doing so would result in them having to pay an additional sum on top of the ransom payment. The tax also reduces the incentive of ransomware hackers to demand ransom from these organizations, because doing so will indirectly fund government efforts aimed at preventing cyber attacks in the first place. The major shortfall of this alternative approach is that healthcare organizations may be even less likely to report ransomware incidents so as to avoid the imposition of the tax.
Prohibiting Insurance Coverage for Ransomware Attacks
Noting the rising threat of cyber attacks in today’s world, many different forms of cyber insurance are now available to organizations.210 Although general liability insurers have generally refused to provide coverage for damage arising from cyber attacks, cyber insurance specifically seeks to cover insured entities for the cost of digital loss and repair following a cyber attack on the insured’s computer network.211 Healthcare organizations have an incentive to purchase cyber insurance, as coverage can aid an organization financially in recovering from a debilitating attack.212 Many organizations nonetheless choose not to purchase cyber insurance because, among other reasons, the organization does not want to disclose that its system has been compromised following an attack, since doing so may expose the organization as vulnerable to future attacks.213
Although some might argue that ransom-based insurance policies promote security because the occurrence of successful cyber attacks is nearly inevitable, others argue that this type of coverage only lulls covered organizations into a false sense of security and results in the organization failing to implement other appropriate safeguards to prevent ransom situations from arising.214 Cyber insurance can help a healthcare organization regain a functioning network in the face of an attack, but the organization still has an incentive to take other steps to protect its system because cyber insurance typically does not help the organization with respect to HIPAA claims and other liability due to lost patient data.215
Requiring Healthcare Organizations to Pass Annual Cyber Inspections and Employ Cyber Guards
HIPAA already places several requirements on healthcare organizations pertaining to electronic protected health information, including a requirement that the organization conduct regular risk analyses of its electronic security measures.216 This requirement could be expanded to require healthcare organizations to pass an annual cyber inspection conducted by an authorized institution.217 Such a requirement would push each healthcare organization to ensure that its electronic protected health information is protected well enough to pass the inspection.218
Furthermore, an alternative solution could be to require healthcare organizations to employ electronic data protection experts to conduct regular performance reviews of the healthcare organization’s security measures.219
As data technology advances, the healthcare sector will constantly be adapting to an ever-changing, industry-specific array of threats. Ransomware itself is being modified to overcome the remedies designed to prevent infection in the first place. Some believe that a new variant of ransomware, one implementing artificial intelligence technology, is just beyond the horizon. The importance of the services provided by, and the information held by, healthcare organizations necessitates ongoing attention to this persistent threat.
This article is adapted from the ABA Health Law Section’s new book, Healthcare Cybersecurity, edited by W. Andrew H. Gantt II. This book pinpoints the current and impending threats to the healthcare industry’s data security, and how to handle and reduce such threats. For more information, go to www.shopABA.org.