U.S. Cybersecurity Organizations Issue Warning on Ransomware Activity Targeting Healthcare with Guidance Applicable to All Industries

29 October 2020 Blog
Authors: Eileen R. Ridley Aaron K. Tantleff Steven M. Millendorf
Published To: Privacy, Cybersecurity & Technology Law Perspectives Coronavirus Resource Center:Back to Business Health Care Law Today Dashboard Insights Manufacturing Industry Advisor

On October 28, 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) issued a joint warning that they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The warning comes on the heels of what may be the earliest reports of a causal relationship between a ransomware attack and the death of a patient at a healthcare facility. In September, prosecutors in Germany launched a negligent homicide investigation after a patient at Dusseldorf University Hospital died following a ransomware attack that hampered emergency services. More recently, authorities linked the same incident to a ransomware attack in the U.S., impacting all 250 locations of a hospital chain headquartered in Pennsylvania, with additional hospitals and healthcare facilities facing current threats, several of which are being adversely affected by similar ransomware events.  

U.S. agencies believe that hackers are targeting the healthcare industry with the Trickbot malware and the Ryuk ransomware, with the intent to engage in “data theft and disruption of healthcare services.” Once a target is infected with the malware such as Trickbot, it is used to deploy the Ryuk ransomware. When targeted towards the healthcare industry, the malware and ransomware combination can disrupt critical healthcare services that are already taxed due to COVID-19 and facing increased cyber vulnerabilities due to the pandemic. While hospitals may have considered taking specific systems offline or spent time bolstering their systems and defenses, many are scrambling just to keep them up and running in light of the operational challenges presented by the  COVID-19 pandemic including the rapid scaling of the remote workforce and resulting security vulnerabilities such as a vastly expanded attack surface for such organizations. The warning provides technical details about the malware, which should be reviewed by system administrators and other IT professionals responsible for protecting the organization’s IT systems, particularly those in the healthcare space. 

While this warning was specifically directed at new threats targeting the healthcare industry, hackers have targeted other industries using similar, if not the same, methods with the sole intention of stealing data, extracting money, and disrupting the economy. Targeted industries include manufacturing, automotive, logistics, hospitality, and financial services, among others. The warning directs organizations to study CISA’s Ransomware Guide, which should be referred to by organizations of all types to help develop best practices to prevent, protect, and respond to a ransomware attack. 

The potential for disruption to safety-critical applications, such as medical and life-support systems, make healthcare organizations, including retirement communities, a high-value target for ransomware attacks. Faced with the inability to provide life-saving medical services, especially in the face of the COVID-19 pandemic, healthcare organizations may be tempted to pay the demanded ransom. However, organizations should be aware that the payment of the ransom does not ensure that they will be able to decrypt the data or that the system will not be left compromised with malware, allowing for a later ransomware attack or compromise of data. Furthermore, in some cases, the payment of a ransom may be considered aiding terrorist activities or otherwise violate federal law, leading to governmental or regulatory sanctions and increased potential liability. Therefore, organizations are recommended to take the steps outlined in the Ransomware Guide to help the organizations defend against ransomware before it strikes and to recover the lost data if it does rather than pay the ransom. Organizations should also contact federal law enforcement agencies and determine if a cipher key is available for the particular strain of ransomware affecting the organization.  Such efforts may allow for decryption of their illegally encrypted files as well as avoidance of being forced to make a ransom a payment to the attackers. Organizations that cannot recover from a ransomware attack in a timely manner without paying the ransom should consult experienced legal counsel before making any payments to understand the potential liabilities and risks associated with making such a payment.

For more information about how to prepare for or respond to a ransomware attack, please contact the authors or your Foley relationship partner. 

Companies in all sectors of the economy continue to be impacted by COVID-19. Foley is here to help our clients effectively address the short- and long-term impacts on their business interests, operations, and objectives. Foley provides insights and strategies across multiple industries and disciplines to deliver timely perspectives on the wide range of legal and business challenges that companies face conducting business while dealing with the impact of the coronavirus. Click here to stay up to date and ahead of the curve with our key publications addressing today’s challenges and tomorrow’s opportunities. To receive this content directly in your inbox, and submit the form.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.