June 27, 2016

The Emergence of Ransomware as a Threat to Healthcare Providers

Hospitals have been a frequent and well-publicized target of ransomware attacks.

By Adam B. Peck and Eric W. Shannon

The dangers of cyber crime are not new. The spread of the ILOVEYOU virus in 2000 made many keenly aware, for the first time, of the threat posed by highly computer literate individuals with malicious intent. Recent high-profile events have shifted the focus from the vulnerability of individuals’ home computers to the larger scale dangers posed to servers, networks, and other digital systems owned and operated by businesses and other entities. Electronic data breaches affecting retailers, insurers, and even the United States government have touched hundreds of millions of individuals and made organizations more conscious of their cyber insecurity. In response to this new wave of cyber threats, organizations must be vigilant about emerging dangers and must react accordingly to protect their systems, prevent damage, and minimize their potential liability. One threat that has existed for years but recently risen in popularity among cyber criminals is the use of ransomware. Ransomware attacks pose a unique threat to healthcare providers such as hospitals, which are increasingly relying on electronic records and systems to carry out day-to-day operations.

What Is Ransomware?
Ransomware is, at its most basic level, a species of computer virus with a relatively simple function. Rather than destroy a system or hijack it for third-party use, it locks data on the targeted computer hard drive or system. The user can regain access to the files only by entering a decryption key, which hackers will helpfully provide in return for a small (or sometimes not-so-small) payment, most often in the form of virtually untraceable e-currency like Bitcoin. Most ransomware attacks begin with the user unwittingly downloading the virus from a malicious link in an email or clicking on an infected advertisement—even ads displayed on reputable websites may be vulnerable. A ransomware virus can target an individual computer, or its reach may extend to other computers on a shared network.

For many years, hackers have been targeting personal computers in private homes with a fair degree of financial success. Many individuals pay relatively small ransoms of a few hundred dollars out of fear of losing important files like family photos. Some ransomware viruses also employ scare tactics, displaying realistic messages purportedly from organizations like the Federal Bureau of Investigation accusing the user of accessing illegal websites or materials, and couching the demanded ransom as a fine. More recently, however, there has been a surge in attacks on organizations, particularly those that provide critical services. Schools, state and local governments, law enforcement agencies, and healthcare providers have all been marked as targets, with attackers demanding much larger sums from organizations that cannot risk losing their data and have shown a willingness to pay the ransom.

Hospitals Make Easy (and Lucrative) Targets
Hospitals have been a frequent and well-publicized target of ransomware attacks. Delivering consistent and effective treatment is a primary mission of all healthcare providers, and any impediment to such delivery presents a threat. If forced to choose, many hospitals would pay a ransom in the tens of thousands of dollars rather than lose access (even temporarily) to records or critical computer services. Interruptions in hospital systems could easily put patients’ safety at risk and expose the hospital to financial liability exponentially greater than the ransom itself. Not only are hospitals an appealing target, but there are also known flaws in certain versions of healthcare record management software, which many information technology (IT) departments have been lax in updating.

Recent attacks have followed a fairly predictable pattern: Hackers block access to a critical system or records and demand payment in Bitcoin, and the hospital pays. For example, in January of this year, a small hospital in Texas called Titus Regional Medical came under attack. A ransomware virus blocked all access to patient records. Interdepartmental communication systems, such as lab and pharmacy requests, were also locked down. Titus paid the ransom. While waiting for access to be restored, the hospital reverted to the pre-computer era and used paper records.

The very next month, Hollywood Presbyterian, a hospital in Los Angeles with more than 400 beds, suffered a similar attack. This ransomware virus specifically targeted communication systems. Email, along with every other internal messaging program, was taken off-line. Just as in Texas, Hollywood Presbyterian resorted to using hard copies hand-delivered around the hospital. The reversion to paper records was merely a stopgap, however; Hollywood Presbyterian too paid the ransom, amounting to about $17,000. Even so, it was over a week before operations were fully restored. There have been media reports of ransomware attacks on at least half a dozen more hospitals in the past few months, and this trend shows no sign of slowing down.

Statutory Concerns: Mostly HIPAA, Maybe CISA?
Whenever private healthcare information is implicated in any sort of data or cybersecurity breach, the natural first thought for healthcare litigators is, Has there been a violation of HIPAA? Whether the Health Insurance Portability and Accountability Act has been implicated when a hospital comes under attack from ransomware is often unclear. Ransomware attacks differ from other breaches of healthcare data systems. Unlike the attack on Anthem health insurance, for example, which resulted in the theft and exposure of a range of personally identifiable information for almost 80 million individuals, attacks like the ones on Titus Regional and Hollywood Presbyterian have generally not resulted in the release of any protected health information, or PHI.

So far, apart from coverage by the news media, healthcare providers generally have not taken steps to inform their patients of ransomware attacks in the way they would a traditional data breach. The Department of Health and Human Services’ Office of Civil Rights (OCR) requires disclosure of medical record breaches affecting 500 or more individuals. Healthcare providers’ “ransomware reticence” likely stems from HIPAA’s definition of “breach” as the “acquisition, access, or disclosure of protected health information.” 45 C.F.R. § 164.402 (emphasis added). Whether ransomware involves “accessing” protected health information, triggering breach notification requirements under HIPAA, is hotly debated. Hospitals would argue (where relevant) that healthcare records, if they are involved at all, are encrypted and thus not “accessed” because the hackers never read or exposed their contents. This argument aligns directly with one of the four enumerated exclusion factors in section 164.402(2)(iii), which permits companies not to report a breach based in part on “whether the protected health information was actually acquired or viewed.” In a ransomware context, hackers are locking the door and withholding the key, not attempting to view or misappropriate anything from within.

Less debatable—and worth noting—are ex ante security requirements mandated by HIPAA, which could mitigate the damage caused by ransomware. Entities covered by HIPAA are required to “implement policies and procedures to protect electronic [PHI] from improper alteration or destruction” and to put in place measures to ensure that electronic PHI “has not been altered or destroyed in an unauthorized manner.” 45 C.F.R. § 164.314(c). Further, covered entities and their business associates are required to adopt a contingency plan for an event that “damages systems that contain electronic [PHI],” including (1) a data backup component under which the entity maintains “retrievable exact copies” of electronic PHI, and (2) a disaster recovery component under which the entity can “restore any loss of data.” 45 C.F.R. § 164.308(a)(7).

If breach notification obligations following ransomware attacks are not clearly articulated within existing federal law governing health records and data breaches, a natural question is whether the law should be updated. Breach notification can impose substantial costs on affected entities. Where the healthcare provider can show that information was not viewed, the benefit to patients of being informed that a ransomware attack has taken place may not outweigh the cost of direct notification. At least one federal lawmaker, Representative Ted Lieu of California, has publicly floated the idea of amending HIPAA to specifically require notification of ransomware attacks. Marianne McGee, “Ransomware: Time for a HIPAA Update?,” InfoRisk Today, Mar. 29, 2016.

Reporting these attacks, at least to OCR, would serve an important function: Aggregating data on the frequency and form of ransomware attacks is a crucial step in developing stronger prevention and response strategies. The government has recognized and applied this strategy in countering cyber crime more generally in passing the Cybersecurity Information Sharing Act (CISA) in late 2015. Surveillance objections aside, CISA specifically authorizes OCR to create a task force to facilitate information sharing on cyber threats in the healthcare industry. Ransomware is just such a threat, and the more information the OCR can collect on attacks, the better the OCR can advise the healthcare industry on how to manage this risk.

How Should Health Care Providers Proceed?
No computer system is unbreachable, and hackers will always find a way in (or create one). Even within highly sophisticated networks, a single click of human error can give hackers a foothold. However, there are a number of steps hospitals and other healthcare providers can take to reduce their chances of falling victim to a damaging ransomware attack, keeping patients safe and operations financially secure:

  • Back up data regularly. Always keep a second set of records. Back up critical documents regularly, and make sure that backups are secure and will not fall prey to an attack on the primary system. With proper backups available, healthcare providers may not feel quite the same urgent need to pay a ransom.
  • Patch software. Outdated software often has known flaws, and developers are constantly making adjustments to fix detected vulnerabilities. Take advantage of these efforts, and patch or update software regularly.
  • Invest in IT. Have a strong IT team in place and ensure that antivirus or anti-malware software is scanning systems regularly. An IT team can manage network permissions and implement controls to inhibit malware from entering the system through common vectors. Detection and containment are critical to avoiding damage from ransomware.
  • Provide regular (and topical) employee training. Make sure to keep employees informed about best practices in cyber risk management. Keep them up to date with known phishing scams, and remind them that they should never click on a link or download a file contained in an email from an unknown sender.
  • Have an emergency plan. All companies, hospitals included, should have a plan of action in the event that data are stolen or computer systems are compromised. Ransomware attacks are no different. Hospitals should be ready to respond to an attack at a moment’s notice so that the damage and interruption caused by a ransomware attack can be minimized.

Keywords: litigation, health law, ransomware, hospitals, HIPAA, CISA

Adam B. Peck is a law student at Columbia University and is currently a summer associate at Debevoise & Plimpton LLP, in New York City, New York. Eric W. Shannon is an associate at Debevoise & Plimpton LLP, also in its New York City, New York, office.

Copyright © 2016, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).