Hospitals Guard Against Ransomware Attacks Amid Coronavirus

March 20, 2020, 9:03 AM

Health centers are gearing up to guard against ransomware attacks and limit their legal liability as the new coronavirus outbreak raises the risk of the incursions.

Hospitals and public health authorities are fortifying back-up systems, boosting reliance on cloud data storage, and educating staff about phishing emails.

“Cybercriminals are generally remorseless,” said Kelvin Murray, senior threat researcher for cybersecurity firm Webroot. “If anything, we will only see an increase of attacks during a crisis such as this.”

Ransomware attacks, typically initiated through phishing schemes, cause mayhem for hospitals because attackers use encryption to block providers’ access to their own files. The attackers then demand digital currency payments in exchange for unlocking keys.

In 2016, Hollywood Presbyterian Medical Center in Los Angeles said it paid $17,000 in bitcoin to obtain a key.

Attackers may see health facilities as lucrative targets during the coronavirus pandemic as providers prepare to see large numbers of stricken patients, said John Hultquist, senior director of intelligence analysis at cybersecurity company FireEye.

The health care industry “is especially vulnerable to disruption right now,” Hultquist said. “A disruption to just the administrative layer could be disastrous.”

Healthcare facilities have reported 16 ransomware attacks this year through March 17, Boston-based Corvus Insurance said in a report. That compares with 20 in all of 2019, the report said.

Earlier this month, a ransomware attack hit Illinois’ Champaign-Urbana Public Health District. The district “luckily” had placed critical operations in the cloud, administrator Julie Pryde said in an email.

“We were able to continue services and emergency response to COVID-19,” Pryde said. “We were back up, fully restored and better protected in less than a week.”

Hospitals have been reaching out to security firms to minimize the risk of ransomware as the virus spreads, said Greg Touhill, president of AppGate, a cybersecurity company.

Providers are ensuring backup-systems are secure and educating staff about potential phishing emails, said John Riggi, the American Hospital Association’s senior adviser for cybersecurity and risk.

Enforcement Risk

Providers face an enforcement risk from federal regulators if lax security leads to an attack, said Reece Hirsch, co-head of Morgan Lewis’ privacy and cybersecurity practice. Federal rules require hospitals to have “reasonable security” to protect patient medical records, he said.

Regulators should approach data-breach enforcement with a measure of “reasonableness” during the coronavirus pandemic, Riggi said. They should weigh whether a hospital was doing the best it can, given the circumstances, he said.

The U.S. Department of Health and Human Services’ Office for Civil Rights enforces provider liability for a breach under the Health Insurance Portability and Accountability Act’s security rule.

The rule requires providers to implement a management process to identify threats, train employees on security, and limit access to sensitive data. A hospital would have to show there is a “low probability” that medical records were compromised in order to avoid notifying patients.

The Office for Civil Rights didn’t respond to a request for comment.

After a ransomware attack, health-care providers need to do a “breach analysis” to see if patients need to be notified, said Rose Willis, a healthcare attorney at Dickinson Wright PLLC.

Providers also should prioritize security based on risk, Murray said. “If an attack to a hospital brings down payroll, it will cause disruption,” he said. “But if an ICU unit is brought down, it will likely cost lives.”

Hospitals can limit their legal and security risk by preparing defenses against ransomware, said Colleen Brown, privacy and cybersecurity partner at Sidley Austin LLP.

“Knowing the granular details of a disaster recovery plan” can help hospitals get their critical systems back online to limit damage done by ransomware, Brown said.

To contact the reporters on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com; Sara Merken in Washington at smerken@bloomberglaw.com

To contact the editor responsible for this story: John Hughes at jhughes@bloomberglaw.com; Keith Perine at kperine@bloomberglaw.com

To read more articles log in. To learn more about a subscription click here.