[vc_row full_width=”stretch_row” gap=”35″][vc_column][vc_column_text]<\/p>\n
On Thanksgiving Day, 2023, Ardent Health Services, which owns and operates 30 hospitals and over 200 sites of care in six states, recognized that it was the victim of a ransomware attack. In response<\/a>, the organization \u201cproactively took its network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet and clinical programs.\u201d<\/p>\n Essentially deprived of the technologies that have become the lifeblood of modern healthcare systems, Ardent-affiliated hospitals scrambled to cope. Emergency rooms went to divert status and some non-emergent, elective procedures were temporarily postponed. Staff at one hospital described working without access to electronic health records as \u201cchaotic<\/a>.” Not able to use\u00a0Epic\u2019s My Chart system, patients had to find workarounds<\/a> to obtain prescription refills.<\/p>\n The Ardent case was just one of hundreds<\/a> of cyberattacks on healthcare reported in 2023 and the associated ransom demand\u2014the specifics of which remain unknown\u2014is emblematic of a growing problem for the healthcare sector.<\/p>\n In the decades since the first<\/a> ransomware attack was delivered to AIDS researchers on floppy discs in 1989, cyberattacks in general and ransomware attacks in particular have grown in both sophistication and cost. The healthcare sector, which represents<\/a> nearly a fifth of the U.S. economy and is replete with protected health information (PHI) and personally identifiable information (PII), remains a favorite target among cybercriminals. In 2022, healthcare remained the primary target for critical infrastructure attacks, suffering nearly 25% of all ransomware incidents.<\/p>\n According to the American Hospital Association (AHA), there was a \u201cdramatic increase<\/a> in cyberattacks targeting hospitals and health systems\u201d during the COVID-19 pandemic. As cybercriminals increasingly target small and rural hospitals, which generally have weaker defense systems, the average recovery duration has become longer.<\/p>\n It isn\u2019t just hospitals. As researchers raced to develop vaccines and treatments for COVID-19 in 2020, hackers presumed<\/a> to be associated with North Korea attempted to breach the information systems of global pharmaceutical company AstraZeneca. Drug development and research were further threatened when eResearchTechnology (ERT), which develops software used in clinical trials, was hit<\/a> by a ransomware attack in 2021.<\/p>\n In 2023, several large pharmaceutical companies reported ransomware attacks. In March, Sun Pharmaceuticals of Mumbai alerted<\/a> the National Stock Exchange of India to \u201ca breach of certain file systems and the theft of certain company data and personal data.\u201d Following this, Granules India\u00a0reported<\/a> an IT breach\u00a0for which the Russia-based LockBIt<\/a> subsequently claimed<\/a> responsibility. And, even as it celebrated the success of its Alzheimer\u2019s drug Leqembi last summer, Japan\u2019s Eisai acknowledged<\/a> an attack on \u201csome\u201d of its servers.<\/p>\n According to IBM Security\u2019s report<\/a>, the average data breach in the healthcare sector costs $10.93 million\u2014one and a half times the cost of a breach in 2020.<\/p>\n But the damage isn\u2019t only monetary.<\/p>\n In Germany, a delay in care after a ransomware attack on D\u00fcsseldorf University Hospital resulted<\/a> in a patient\u2019s death. Additional research in the United States indicates that ransomware attacks were responsible for between 42 to 67 Medicare patients’ deaths between 2016 and 2021.<\/p>\n In a cybersecurity advisory<\/a> issued in November, JRiggi, AHA\u2019s National Advisor for Cybersecurity and Risk stated, \u201cRansomware attacks against hospitals are not financial crimes; they are acts of cyber terrorism and threat-to-life crimes.\u201d<\/p>\n Cyberattacks typically begin with malware<\/a>, or malicious software. This may take one of several forms, notably Trojans or worms.<\/p>\n Trojans, named after the Greek Trojan Horse, are represented to users as benign downloads or legitimate software. Users are tricked into loading and executing the Trojan on their computers, resulting in unauthorized access to their system. Trojans do not replicate themselves, which means they require user interaction to be installed or spread to other systems. Trojans can serve as \u201cloaders\u201d for additional malware.<\/p>\n In contrast, a worm is a standalone malware program that replicates itself to spread to other computers. Unlike a Trojan, it does not need to attach itself to an existing program or rely on human action to propagate. Worms typically exploit vulnerabilities in operating systems or other software to spread across networks, causing widespread damage. While Trojans are more about deceptive entry at a single computer, worms are focused on rapid and autonomous propagation to infect as many devices as possible.<\/p>\n Ransomware is a specific type of malware that encrypts the victim’s files or locks the user out of their device and is accompanied by a ransom demand for the restoration of access. While malware\u2019s data breaches allow a hacker to immediately steal information from a system, the primary goal of ransomware is to extort money from its victims. Attackers typically demand payment in cryptocurrency in exchange for a key which will allow access to the encrypted data or locked system. A hacker may demonstrate the legitimacy of a key by unlocking a single file or process. If their demands are ignored, they may begin publishing stolen data on the internet to taunt a victim and raise the stakes.<\/p>\n The risk of ransomware attacks on healthcare organizations has been elevated by ransomware-as-a-service (RaaS<\/a>), a model in which the creators or operators of ransomware make their malicious software available for use or purchase by other criminals, typically on the so-called dark web.<\/p>\n RaaS makes ransomware readily available to a wider pool of attackers, including those with limited technological skills. Providers of RaaS such as BlackCat\/ALPHV<\/a>, a group which has long played a game of cat-and-mouse<\/a> with the Federal Bureau of Investigation (FBI), offer a range of services beyond the ransomware itself. These may include support, payment processing, and even \u201ccustomer service\u201d to assist those using their products.<\/p>\n While early cyberattacks followed a “spray and pray” model in which perpetrators rapidly and randomly distributed malicious code to numerous targets without specific selection criteria, today\u2019s cybercriminals are more precise in both their intentions and their targets. And, despite Hollywood stereotypes, they are generally not hobbyist hackers working from their parents\u2019 basements.<\/p>\n Modern cybercriminals are often nation-state actors or members of organized crime syndicates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified<\/a> China, Russia, Iran, and North Korea as state sponsors of cybercrime.<\/p>\n As cyberattacks have become more sophisticated, their perpetrators have become more difficult to locate. One federal indictment<\/a> illustrates the challenge law enforcement faces in pinpointing cybercriminals\u2019 locations with its reference to its subjects\u2019 positions \u201cin or around Russia, Belarus, Ukraine, and elsewhere.\u201d<\/p>\n The indictment\u2019s reference to three countries once affiliated with the Soviet Union is neither unusual nor incidental. The Carnegie Endowment for International Peace has observed<\/a> that the blind eye turned by some former Soviet states has allowed cybercriminals to operate within their borders with relative impunity.<\/p>\n This geographical concentration of cybercriminals in Eastern Europe means that sociopolitical developments in the region can impact cybercrime activity. For example, the Russian invasion of Ukraine prompted a Ukrainian researcher to leak<\/a> information related to the Russian based Conti gang<\/a>. And some cybersecurity experts have attributed<\/a> a brief dip in ransomware crimes in 2022 to the conflict in Ukraine.<\/p>\n The Department of Health and Human Services (HHS) advises any healthcare organization hit with a ransomware attack to contact its local FBI or United States Secret Service field office. While language in the ransomware might threaten consequences for contacting the police, IBM Security has found<\/a> that excluding law enforcement from resolution of a ransomware attack is likely to result in higher costs as well as longer breach lifecycles. Attackers may represent themselves as being the only path for decryption of files, but the FBI and other law enforcement agencies are often able to offer decryption keys<\/a>.<\/p>\n Managing ransom demands can be fraught with pitfalls. While paying ransom is not illegal, federal agencies, including the FBI, CISA, and HHS, recommend against complying with ransom demands. Importantly, although paying ransom may not be a crime, engaging in financial transactions with any individual or entity\u00a0 on the U.S. Department of the Treasury\u2019s Office of Foreign Assets Control\u2019s (\u201cOFAC\u201d) sanction lists<\/a> is.<\/p>\n And cybersecurity experts say that paying ransom doesn\u2019t guarantee protection from future attacks. One study<\/a> found that 80% of organizations paying ransom were victims of subsequent attacks.<\/p>\n The increasing frequency of and growing costs associated with cyberattacks have made purchasing cyber insurance<\/a> a requisite part of doing business. They have also made insurance companies more circumspect drafting policy language and extending coverage.<\/p>\n Some of the world’s best known insurance firms settled a multimillion-dollar dispute last week with biopharmaceutical giant Merck, which exemplifies the complications of cybercrimes.<\/p>\n<\/div>\n In 2017, Merck was one of dozens of companies impacted by the NotPetya malware attack. Launched by the Russian Main Intelligence Directorate (GRU) in an effort<\/a> to disrupt Ukraine\u2019s financial system and cripple the country\u2019s infrastructure, NotPetya incorporated leaked code<\/a> from the U.S. National Security Administration.<\/p>\n Although NotPetya alerted victims that a decrypting key was available in exchange for a nominal bitcoin payment, the site associated with payment was easily taken down<\/a>. In a world that depends upon misrepresentation, NotPetya was not even the ransomware it purported to be. It was pure malware. And it was alarmingly effective, eventually causing $10 billion damage worldwide.<\/p>\n Merck saw at least 40,000 computers in its global network infected by NotPetya. An astonishing one-quarter<\/a> of these were impacted within the first 90 seconds of exposure. The massive disruption to the company\u2019s manufacturing, research and development, and sales operations ultimately resulted in an estimated $1.4 billion in damages.<\/p>\n When Merck filed insurance claims under several \u201call risk\u201d property policies, its insurance companies denied payment citing \u201cHostile\/Warlike Action\u201d exclusions in their policies. Merck sued the insurers for payment. In December 2021, a court ruled in Merck\u2019s favor. A New Jersey appellate court also ruled<\/a> in Merck\u2019s favor in May 2023, noting that \u201cexclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action.\u201d<\/p>\n The case was slated for review by the New Jersey Supreme Court last week when the parties announced a confidential settlement on January 3.<\/p>\n For insurers, the Merck case has been a cautionary tale highlighting how extraordinarily expensive cyberattacks can be. Many, including Lloyds of London<\/a>, have updated their policy language regarding cybercrime executed by state actors.<\/p>\n They have also increased their rates. Testifying before the Senate Homeland Security and Governmental Affairs Committee, Kate Pierce, the Senior Virtual Information Security Officer of Fortified Security, said<\/a> that \u201cskyrocketing premiums, lower limits, and increasing requirements\u201d were putting cyber insurance coverage out of the reach of many organizations, especially rural hospitals.<\/p>\n The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) established standards for preventing and protocols for managing healthcare entities\u2019 breaches of PHI. But some argue<\/a> that \u201cHIPAA\u2019s dual focus on privacy and security, which can create a misalignment of incentives\u201d in a changing digital landscape.<\/p>\n HHS specifies<\/a> that ransomware and malware attacks qualify as security incidents under HIPAA\u2019s Security Rule. If PHI is compromised as the result of a cyberattack, the incident may meet the threshold of a\u00a0 breach<\/a>, and healthcare organizations must comply with HIPAA\u2019s Breach Notification Rule. This would include notifying both HHS and impacted individuals, as well the media in cases affecting over 500 people.<\/p>\n Under the HITECH Amendment<\/a>, which was signed into law in 2021, HHS \u201cmay reduce fines and penalties for violations of certain federal privacy standards for health information if an entity subject to those standards has adopted particular cybersecurity practices.\u201d<\/p>\n Section 405(d) of the Cybersecurity Information Sharing Act (CISA) of 2015 tasks HHS with the enhancing cybersecurity in the healthcare industry. This includes leading a public-private partnership to develop and regularly update practical, consensus-based cybersecurity guidelines and best practices. HHS\u2019s 405(d) Program<\/a> seeks to align the healthcare sector’s security strategies with the federal government’s broader cybersecurity approach, with input<\/a> from the Department of Homeland Security and threat hunting guidance<\/a> from the National Security Administration. This collaboration has produced the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP)<\/a> publication, which offers a comprehensive framework for healthcare organizations to mitigate cyber threats.<\/p>\n To succeed, enhancing cybersecurity in healthcare must be a shared responsibility involving government agencies, industry organizations, and individual companies and providers. Every member of the sector can benefit from standardized cybersecurity measures, financial support, and collaborative efforts.<\/p>\n Stirling Martin, the Chief Security and Privacy Officer and Vice President of Epic<\/a>, whose products include the patient portal My Chart<\/a>, told the Senate Homeland Security and Governmental Affairs Committee that he believes<\/a> that the federal government should establish a minimum threshold for security best practices in healthcare. He also called for establishing a legal safe harbor for organizations that meet a defined benchmark of security.<\/p>\n Meeting minimum standards could be costly and would present an additional burden, especially for critical access and rural hospitals. Achieving a consistent standard of security in U.S. healthcare may require federal subsidies and rethinking\u00a0incentives \u2014 which could well be justified, given the stakes.<\/p>\nA growing problem<\/strong><\/h3>\n
The process<\/strong><\/h3>\n
The perpetrators<\/strong><\/h3>\n
Advising law enforcement and paying ransom<\/strong><\/h3>\n
\u00a0<\/strong>Insurance considerations<\/strong><\/h3>\n
HIPAA concerns<\/strong><\/h3>\n
Going forward<\/strong><\/h3>\n