Managing Ransomware Risk in Health Systems
This Briefing is brought to you by AHLA’s Hospitals and Health Systems Practice Group.
Copyright 2023, American Health Law Association, Washington, DC. Reprint permission granted.
(Published: April 11, 2023)
Mitchell J. Surface, Maynard Nexsen PC
Ransomware is the “fastest growing malware threat.” In 2022, attacks in health care increased by 328%, a study found. Another recent study reports that from 2016 to 2021, the “annual number of healthcare ransomware attacks more than doubled[,]” exposing the electronic personal health information (ePHI) “of nearly 42 million patients.”
Ransomware “refers to a type of malware[—malicious software—]used by attackers that first encrypt files and then attempt to extort money in return for the [decryption] key to unlock the files by demanding a ‘ransom.’” In the health care sector, it is defined as “malware that is designed to lock hospitals out of their patient records . . . with a simple ultimatum: pay up or permanently lose access to all of its patient information.” Hackers also use ransomware to destroy or exfiltrate data in conjunction with deploying other infectious malware.
Without adequate cybersecurity and disaster recovery and backup plans, a ransomware attack can be devastating to a hospital or health system (collectively, “health system”). In most cases, to regain access to ePHI and restart operations, paying the ransom is the only option. By doing so, however, a hospital or health system risks incurring monetary penalties if the ransomware group is sanctioned by the U.S. Treasury’s Office of Foreign Assets Control. The Federal Bureau of Investigation (FBI) discourages ransom payments but does not prohibit them. However, the FBI encourages reporting of ransom payments so it can provide assistance to victims and further investigate the hackers.
Those hospitals or health care systems employing prevention and response actions appear to be seeing success—decreasing from 85% of the victims paying ransoms in 2019 to only 37% in 2022. It is essential to have comprehensive security measures in place both to protect health system networks and connected devices and to ensure compliance under the Health Insurance Portability and Accountability Act (HIPAA) Security Rules and the U.S. Department of Health and Human Services (HHS) 2023 Cybersecurity Guide.
Looming Threat to Health Systems
A new era for health systems commenced in 2016 when they became a primary target of ransomware attacks. Two factors facilitated this development: (1) the magnitude of ePHI and (2) “the security holes in information technology (IT) systems.” The major security holes—or vulnerabilities—include fragmented infrastructures, legacy systems, employees, connected devices, and a large number of wireless applications.
Ransomware attacks impact not only hospitals and health systems, but also their Business Associates (BAs). A significant percentage of those attacks arise from external threats. However, internal threats—such as employee mistakes—are a factor as well. Indeed, a study found that 36% of health care organizations and 55% of BAs fall victim to breaches as a result of unintentional employee action.
Insufficient email security increases vulnerability to ransomware attacks, It has been reported that “over 75% [of health systems] do not use email scanning and filtering tools.” That omission is concerning considering “91% of ransomware attacks are the result of phishing exploits” through disguised emails. Many hospitals and health systems admit to not being vigilant, not investing in adequate technology, not hiring enough skilled IT security staff, and simply not providing the organization with a sufficient security budget to curtail or minimize breaches. Insufficient email security only serves to increase the struggle of a hospital or health system to protect itself from ransomware attacks and to mitigate the damages resulting from such attacks.
Health System’s Connected Medical Devices: Disruptionware
Health systems increasingly rely on connected devices in their operations. Hackers target those devices to effect large-scale operational disruption. “Disruptionware,” as some now call it, can almost bring a health care facility to its knees, compromising the integrity of ePHI and the interoperability of connected medical devices necessary to ensure seamless patient care. Such an attack may force a health system and all its facilities to cancel essential services, divert and transfer patients to other hospitals, and employ emergency backup or manually operated equipment to keep patients alive. Especially concerning is that a large number of connected devices “operate on outdated systems that leave these vulnerable endpoints open to attackers.” While new technology has improved data security, many entities cannot afford to replace their technology all at once and can only phase out outdated devices over time.
Illustrating the potential impact of disruptionware, 2020 saw the first deaths attributed to ransomware attacks. In one case, a newborn died because doctors allegedly failed to perform critical pre-birth testing due to a cyberattack on the hospital. Another 2020 ransomware attack forced a hospital to divert an ambulance, and the patient died while being rerouted to another hospital. Due to the increased threat and risk of disruptionware, the federal government recently began increasing its focus on health system cybersecurity.
Earlier this year, Section 3305 of the Consolidated Appropriations Act of 2023 amended the federal Food, Drug, and Cosmetic Act by adding Section 524B, “Ensuring Cybersecurity of Devices.” Section 524B authorizes the Food and Drug Administration (FDA) to require medical device manufacturers to develop and maintain updates and patches “to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits[.]” The new section applies to medical devices defined as a “cyber device” that “has the ability to connect to the internet.” By designating the manufacturers of medical devices as the parties responsible for monitoring, identifying, and remediating the cybersecurity risks posed by their products, Section 524B and similar laws enable health systems to focus their resources more effectively.
Applicability of HIPAA Security Rule
Under HIPAA, a health system—covered entity (CE) or its BA—must implement “security measures that can help prevent the introduction of malware, including ransomware.” Under the Security Rule, health systems are required to conduct a risk analysis “of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the entities create, receive, maintain, or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level.” The Security Rule establishes only the floor for the security of ePHI and additional standards are strongly encouraged and looked at favorably in the event of a breach. Moreover, “HHS considers any successful ransomware attack to be a breach of [ePHI], and therefore requires the covered entity to make a report to HHS under HIPAA.”
As a result, health systems must ensure that ePHI is protected on the front end through the use of encryption in accordance with the HIPAA Security Rule and HHS guidance and additionally have a contingency plan to deal with a breach in the event it occurs, or, more appropriately, when a breach occurs. Health systems must be proactive in developing an adequately encrypted network as well as a contingency plan to address a breach. These efforts will not only decrease the cost of a breach but will also mitigate liability under the HIPAA Security Rule.
Leveraging HHS Cybersecurity Framework Implementation Guide and NIST-CSF
Consistent with the increased government scrutiny in the health system cybersecurity space, HHS released a comprehensive guide in March 2023, the Cybersecurity Framework Implementation Guide, for implementing cybersecurity compliance in health systems. The purpose of the guide is to
help Health Care and Public Health sector organizations understand and leverage the [National Institute for Standards of Technology] Cybersecurity Framework’s [(NIST-CSF)] Informative References in their implementation of sound cybersecurity and cyber risk management programs, address the five Core Function areas of the NIST[-CSF] to ensure alignment with national standards, help organizations assess and improve their level of cyber resiliency, and provide suggestions on how to link cybersecurity with their overall information security and privacy risk management activities.
The guide’s seven-step process comes down to:
- Determining a cybersecurity risk strategy and taking inventory.
- Selecting cybersecurity risk standards.
- Creating goals and targets using NIST’s Framework(s).
- Conducting a risk assessment.
- Identifying the gaps between the assessment’s results and the targets created in step 3.
- Evaluating the gaps identified, performing a cost-benefit analysis, and selecting actions to address the identified gaps.
- Implementing the action plan, which includes post-implementation tracking, monitoring, and evaluating.
The rise of ransomware and disruptionware means that health systems must establish or update policies for preventing and handling security incidents and breaches, including: (1) how and when to disclose relevant information to internal and external stakeholders; and (2) planning and resource management. Those policies must include cybersecurity training for the incident/breach response team, as well as role-appropriate training for employees.
The key to successful cybersecurity risk management includes inclusion, implementation, and instruction across all stakeholders, employees, systems, and devices. The health care sector, deemed a “critical infrastructure sector” and an “essential service” during the COVID-19 pandemic, is crucial to public health and safety. As such, it is essential for hospitals and health systems to implement sound cybersecurity programs, policies, and procedures.
 U.S. Gov’t Interagency Guidance Document, How to Protect Your Networks from Ransomware, at 2, https://www.justice.gov/criminal-ccips/file/872771/download [hereinafter, “Interagency Guidance”].
 Susan Kelly, Cybersecurity ‘more critical than ever’ in era of connected care, HealthcareDive (Jan. 25, 2023), https://www.healthcarecompliancebrief.com/edition/daily-aca-health-services-administration-2023-01-25/?open-article-id=22969215&article-title=cybersecurity--more-critical-than-ever--in-era-of-connected-care&blog-domain=healthcaredive.com&blog-title=healthcare-dive.
 Neprash HT, et al., Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021, JAMA Health Forum (2022); 3(12):e224873, at 1, https://jamanetwork.com/journals/jama-health-forum/fullarticle/2799961.
 Paul, III, D. P., et al., Healthcare Facilities: Another Target for Ransomware Attacks. Presented at the 54th Annual MBAA Conference, Chicago, IL. Marshall University, at 3 (Apr. 2018), https://mds.marshall.edu/cgi/viewcontent.cgi?article=1194&context=mgmt_faculty.
 Connor McLarren, Once More Unto the Breach: How the Growing Threat of Ransomware Affects HIPAA Compliance for Covered Entities, 15 Ind. Health L. Rev. 305, 306 (2018).
 Exfiltration is “[t]he unauthorized transfer of information from an information system.” NIST SP 800-53 Rev. 4, at B-7, Security and Privacy Controls for Federal Information Systems and Organizations (Apr. 2013), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.
 Dep’t of Health and Human Servs. Office for Civil Rights, 2016 FACT SHEET: Ransomware and HIPAA, https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
 Paul, supra note 4, at 7-8.
 Ransomware Profits Decline as Victims Refuse to Pay Ransoms, HIPAA Journal (Jan. 25, 2023), https://www.healthcarecompliancebrief.com/edition/daily-aca-health-services-administration-2023-01-25/?open-article-id=22961262&article-title=ransomware-profits-decline-as-victims-refuse-to-pay-ransoms&blog-domain=hipaajournal.com&blog-title=hipaa-journal.
 Paul, supra note 4, at 3.
 Id. at 3-4.
 Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, Ponemon Inst., at 2, https://www.ponemon.org/local/upload/file/Sixth%20Annual%20Patient%20Privacy%20%26%20Data%20Security%20Report%20FINAL%206.pdf [hereinafter, “Ponemon Study”]; HSCC & HHS Release Guide to Help Healthcare Organizations Adopt the NIST Cybersecurity Framework, HIPAA Journal (Mar. 9, 2023), https://www.healthcarecompliancebrief.com/edition/daily-prescription-drug-pricing-ransomware-2023-03-09/?open-article-id=23249052&article-title=hscc---hhs-release-guide-to-help-healthcare-organizations-adopt-the-nist-cybersecurity-framework&blog-domain=hipaajournal.com&blog-title=hipaa-journal (hereinafter, “HSCC & HHS Release Guide to Help Healthcare Organizations Adopt the NIST Cybersecurity Framework”).
 Ponemon Study, supra note 15, at 2.
 Security Report: Health Care—Hospitals, Providers and more, Corvus Ins. (2020), https://info.corvusinsurance.com/hubfs/Security%20Report%202.2%20-%20Health%20Care%20.pdf.
 Jessica Davis, Cybersecurity in 2020: IoT Medical Devices, Ransomware, Legacy OS, HealthITSecurity (Dec. 2019), https://healthitsecurity.com/news/cybersecurity-in-2020-iot-medical-devices-ransomware-legacy-os.
 Maggie Miller, The mounting death toll of hospital cyberattacks, Politico (Dec. 28, 2022), https://www.politico.com/news/2022/12/28/cyberattacks-u-s-hospitals-00075638.
 See Jill McKeon, How The New National Cybersecurity Strategy Will Impact Healthcare Cybersecurity, HealthITSecurity (Mar. 3, 2023), https://healthitsecurity.com/news/how-the-new-national-cybersecurity-strategy-will-impact-healthcare-cybersecurity (declaring cybersecurity strategy for U.S. critical infrastructure, which includes the health care sector); Rachel V. Rose and Bob Chaput, Why ALL Health Care Organizations Must Care About SEC Proposed Cybersecurity Rule Changes, AHLA Health Law Weekly (Mar. 3, 2023) (proposing cybersecurity rules that may be applicable to hospitals and health systems).
 Consolidated Appropriations Act, 2023, Pub. L. No. 117-328 (2022), https://www.congress.gov/bill/117th-congress/house-bill/2617.
 See Section 524B(c). Food and Drug Admin., Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices Under Section 524B of the FD&C Act: Guidance for Industry and Food and Drug Administration Staff, at 2 (Mar. 30, 2023), https://www.fda.gov/media/166614/download.
 2016 FACT SHEET, supra note 7, at 1.
 Id. at 2.
 McLarren, supra note 5, at 314.
 2016 FACT SHEET, supra note 7, at 7. Although encryption is characterized as an addressable measure rather than required under the HIPAA Security Rule, for all intents and purposes it has become required.
 Dep’t of Health and Human Servs., Health Care and Public Health Sector Cybersecurity Framework Implementation Guide, at vi (Mar. 2023), https://aspr.hhs.gov/cip/hph-cybersecurity-framework-implementation-guide/Documents/HPH-Sector-CSF-Implementation-Guide-508.pdf.
 Id.; HSCC & HHS Release Guide to Help Healthcare Organizations Adopt the NIST Cybersecurity Framework, supra note 15.
 U.S. Dep’t of Homeland Security, Cybersecurity and Infrastructure Security Agency Critical Infrastructure Sectors, https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors.
 Christine Mathias, What Businesses Qualify as an “Essential Service” During the Coronavirus Outbreak, Nolo, https://www.nolo.com/covid-19/what-businesses-qualify-as-an-essential-service-during-the-covid-19-outbreak.html#:~:text=Examples%20of%20Essential%20Businesses&text=Financial%20Services%2C%20including%20banks%2C%20accounting,veterinary%20care%2C%20and%20nursing%20homes.
About Maynard Nexsen
Maynard Nexsen is a full-service law ﬁrm with more than 550 attorneys in 23 offices from coast to coast across the United States. Maynard Nexsen formed in 2023 when two successful, client-centered firms combined to form a powerful national team. Maynard Nexsen’s list of clients spans a wide range of industry sectors and includes both public and private companies.
Chief Marketing Officer