As 2021 unfolds, ransomware attacks appear certain to continue against hospitals, health-care providers, and other healthcare companies, forcing them to confront this dilemma.
Last October, the Federal Bureau of Investigation, Department of Health and Human Services, and Cybersecurity and Infrastructure Security Agency issued a joint advisory describing the “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers” posed by ransomware attacks. Led by several culprits, including the ransomware families Ryuk and Conti, these attacks leave hospitals and health-care providers with frozen infrastructures, stolen data, and the threat of data disclosure. Tragically, a 2020 ransomware attack in Dusseldorf even led to the death of a critically ill patient.
This joint pronouncement was released just as the Treasury Department’s Office of Foreign Assets Control (OFAC) unveiled an advisory announcing that those who pay or facilitate the payment of cyber ransoms may face civil and criminal penalties for doing so.
Collectively, these developments underscore and complicate the already substantial challenges hospitals and healthcare providers face in assessing and addressing cyber risks.
The Intersection of U.S. Sanctions Laws and Ransomware
U.S. sanctions laws have become an increasingly common tool for the U.S. to effectuate its national security, foreign policy, and economic objectives. Administered by OFAC, federal laws broadly prohibit U.S. persons and entities from engaging in activities with individuals or entities in comprehensively sanctioned countries, such as Iran, Cuba, and North Korea, or with individuals or entities listed on a U.S. sanctions list, including most notably OFAC’s “Specially Designated Nationals and Blocked Persons List” (SDN List).
Civil violations of sanctions laws are strict liability offenses, and criminal offenses involving willful violations can be punished by significant monetary penalties and potential incarceration.
These sanctions mechanisms make the geographic locations, associations, and identities of hackers and facilitators of ransom payments particularly important. For example, if a hacker ultimately receiving a ransom payment or their intermediary were in Iran, a U.S. company making a ransomware payment could be civilly liable for violating sanctions laws even if the company was unaware of the Iranian connection. The same company could also face criminal liability if it was aware of an Iranian connection and nonetheless chose to make the payment.
Navigating Ransomware & Sanctions Liability: How to Prepare
Although health-care companies suffering ransomware attacks have always been faced with a difficult choice, OFAC’s recent guidance makes the decision of how to handle ransomware risks even more challenging. All is not lost, however, as hospitals and health-care providers can take proactive steps to minimize the risk of ransomware attacks.
And even when a ransomware attack has already occurred, there are still proactive steps that companies can take to reduce their sanctions risk and avoid being punished a second time by OFAC for making a ransom payment.
Adequate Network Protection: Companies should perform routine and full-scale IT reviews in consultation with cybersecurity and IT experts to identify network vulnerabilities and tailor protective measures to the unique needs of the business.
Corporate Preparedness: Cybersecurity events often result from lapses in basic IT hygiene by network users. Companies can promote proper IT hygiene through awareness campaigns, empowering network users to spot and confront phishing attempts and suspicious websites before they do damage. Companies should also purchase cyber insurance and examine existing policies to ensure that scope and coverages are adequate to cover existing and future needs.
Cyber Incident Response Plans: Companies should maintain comprehensive cyber incident response plans, including those tailored specifically to ransomware attacks. A key component of these plans is the maintenance of updated backup data in separate and secure locations for use in quickly restoring damaged or frozen data.
Sanctions-Specific Preparedness: As a part of ransomware response plans, companies should consider identifying cybersecurity and legal counsel to consult on short notice if rapid ransom diligence, reporting, and law enforcement cooperation becomes necessary.
Companies that become ransomware victims can also take several steps to minimize sanctions risk.
Prompt Reporting: A company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement can be a significant mitigating factor if sanctions liability later arises.
Cooperation with Law Enforcement: Full and timely cooperation with law enforcement during and after a ransomware attack can be a significant mitigating factor.
Pre-Payment Due Diligence: Companies and their counsel should perform appropriate and documented due diligence before making a ransomware payment. When companies engage third parties to facilitate potential payments, victim companies may also be able to obtain a certification of OFAC compliance from the facilitator before submitting a payment.
Hospitals and health-care providers can confront the many challenges of ransomware by having a plan to respond to attacks when they occur. Just as important, the threat of ransomware underscores the importance of routine evaluation of network security. As the old adage holds: the best offense is a good defense.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Brian D. Frey is a partner with Alston & Bird and member of the White Collar, Government & Internal Investigations team. A former federal prosecutor for the Department of Justice, Frey focuses on representing financial institutions, major corporations, and individuals in white collar investigations.
Andrew J. Liebler is a senior associate with Alston & Bird in the firm’s Litigation & Trial Practice group. He focuses his practice on health care, privacy, antitrust, and complex commercial litigation.