On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United States Department of Health and Human Services (HHS) issued Alert AA20-302A (Alert), which describes recent ransomware attacks by criminal groups targeting healthcare institutions while they are stretched by the current pandemic and distracted by the election cycle.
Of particular note is that healthcare providers across four different states have already fallen victim and that 400 more are reportedly on a list of targets circulating among criminal organizations. When ransomware penetrates a provider's network, it often encrypts data and deletes backups before the ransom demand is issued. While it is debatable whether the ransom should be paid, most government agencies advise against doing so because such payments (1) incentivize the criminal activity and (2) do not guarantee recovery of the data or the end of the ordeal. Cybercriminals are typically not good to their word and, even if they are, paying does not cure the regulatory problem: under HHS guidance, PHI encrypted by ransomware is presumed to be breached unless a risk assessment demonstrates a low probability that it was compromised, and that presumption triggers HIPAA breach notification obligations.
To help mitigate risk exposure: (1) healthcare providers must assume that ransomware is already within their networks; (2) executives must be ready to activate business continuity plans; and (3) IT departments must patch software, inspect audit logs and implement multifactor authentication across their systems. Additionally, providers should consider joining a healthcare Information Sharing and Analysis Center/Organization (ISAC/ISAO), which offers the opportunity to receive critical information and services to help manage the risks of ransomware. Providers should also adopt the "3-2-1 Rule" for backing up data, which calls for three copies of each critical data set, stored on at least two different types of media, with at least one copy kept offline (air-gapped) so that ransomware on the network cannot reach and delete it.
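The following is an added illustration, not part of the Alert or of the original article, of how an IT department might audit its own backup inventory against the 3-2-1 Rule. The inventory records, dataset names and media labels are constructed for the example; the "offline" flag is assumed to mean a copy that is not reachable or writable from the production network.

```python
"""3-2-1 backup rule checker (added example; not from Alert AA20-302A)."""
from collections import defaultdict

# Constructed inventory for illustration. Each record is one backup copy of
# one critical data set: the media it lives on and whether it is offline
# (assumed here to mean air-gapped / unreachable from the production network).
BACKUP_INVENTORY = [
    {"dataset": "ehr-db",  "media": "disk",  "offline": False, "location": "dc1-san"},
    {"dataset": "ehr-db",  "media": "cloud", "offline": False, "location": "cloud-bucket"},
    {"dataset": "ehr-db",  "media": "tape",  "offline": True,  "location": "offsite-vault"},
    {"dataset": "pacs",    "media": "disk",  "offline": False, "location": "dc1-san"},
    {"dataset": "pacs",    "media": "disk",  "offline": False, "location": "dc2-san"},
    {"dataset": "billing", "media": "disk",  "offline": False, "location": "dc1-san"},
    {"dataset": "billing", "media": "cloud", "offline": False, "location": "cloud-bucket"},
    {"dataset": "billing", "media": "tape",  "offline": True,  "location": "offsite-vault"},
]


def check_321(inventory, critical_datasets=None):
    """Evaluate every data set against the 3-2-1 Rule.

    Returns {dataset: [failure descriptions]}; an empty list means the data set
    is compliant. Names in critical_datasets that have no copies at all are
    reported too, which is the case a simple inventory listing never shows.
    """
    by_dataset = defaultdict(list)
    for copy in inventory:
        by_dataset[copy["dataset"]].append(copy)
    for name in critical_datasets or []:
        by_dataset.setdefault(name, [])

    results = {}
    for name, copies in sorted(by_dataset.items()):
        failures = []
        # Rule "3": at least three copies of the data set.
        if len(copies) < 3:
            failures.append(f"only {len(copies)} copies (need 3)")
        # Rule "2": copies spread over at least two distinct media types.
        media_types = {c["media"] for c in copies}
        if len(media_types) < 2:
            failures.append(f"only {len(media_types)} media type(s) (need 2)")
        # Rule "1": at least one copy offline, beyond the reach of ransomware
        # that has already compromised the network.
        if not any(c["offline"] for c in copies):
            failures.append("no offline copy")
        results[name] = failures
    return results


if __name__ == "__main__":
    report = check_321(BACKUP_INVENTORY, critical_datasets=["ehr-db", "pacs", "billing", "lab"])
    for dataset, failures in report.items():
        status = "OK" if not failures else "FAIL: " + "; ".join(failures)
        print(f"{dataset:10} {status}")
```

In the constructed inventory, "ehr-db" and "billing" pass, "pacs" fails all three tests (two copies, one media type, nothing offline), and "lab" is flagged because it appears in the critical list but has no backups recorded at all. The point of the offline check is the one the Alert stresses: ransomware that can reach a backup can delete it, so a second online copy on the same kind of storage adds little.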