Cybersecurity and health care attorneys are on high alert after a spate of cyberattacks hit hospitals across the U.S., episodes they say underscore the need for strong security measures in the frequently targeted sector.
Medical providers should ensure they have multiple backups of critical systems, run through hypothetical attack scenarios, and refresh data recovery plans to reduce potential liability and keep systems running, attorneys say.
Multiple hospitals this week were hit by a “coordinated” ransomware attack that appeared to be financially motivated. The Cybersecurity and Infrastructure Security Agency, FBI, and Department of Health and Human Services issued an advisory Wednesday warning the health care industry of the “increased and imminent” threat of ransomware attacks, which lock up computers until a ransom is paid for a decryption key.
Amy Leopard, a health care and cybersecurity attorney at Bradley Arant Boult Cummings LLP in Nashville, said she’s seen an uptick in ransomware hits in the health care sector recently, especially among hospitals.
The nationwide shift to personal offices has increased those risks because employees now work on many different home networks that are less secure, she said. If another influx of coronavirus cases overwhelms hospitals, ransomware attacks could prove even more deadly.
“It can be a life-and-death scenario when systems go down,” Leopard said. “It’s critical that hospitals be able to share information about their patients across systems.”
Best Practices
Health care providers should go through “tabletop exercises” and work out hypotheticals in the event of a ransomware attack, said Melissa Krasnow, a privacy and data security partner at VLP Law Group in Minneapolis. That can help companies better address attacks when a crisis erupts, she said.
The FBI, HHS, and CISA don’t recommend paying ransoms, according to the advisory. Hospitals, however, are often under more pressure to pay even if it emboldens future attackers.
“If a patient’s life could be affected, you don’t want the worst to happen,” Krasnow said.
Health care organizations should stay up to date with these current ransomware attacks and follow guidance put forth by CISA, Brian Finch, a partner at Pillsbury Winthrop Shaw Pittman LLP in Washington, D.C., said.
Companies should also refresh their recovery plans and educate workers on phishing threats, which often provide a backdoor for attackers and have increased during the coronavirus pandemic, Finch said.
Standard cybersecurity protocols—such as frequently changing passwords and using secure networks wherever possible—shouldn’t be forgotten, said Dianne Bourque, a health care and privacy attorney at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C. in Boston.
“It’s important for people to understand that while a lot of the rules have relaxed, it doesn’t mean you get to ignore privacy and security,” Bourque said. “We know as practitioners in this area that enforcement goes on against providers who get it wrong.”
Continued Threat
Leopard, the Bradley attorney, said she’s seen a “bifurcation” among providers. Many large hospitals and other health organizations already have sophisticated monitoring services, whereas smaller players may not have the resources to invest in those safeguards.
Both groups, however, should remain vigilant and invest in proper cybersecurity in the event hospitals become overwhelmed with another surge of coronavirus patients.
“Not only do they have enormous constraints at the moment, but they’re especially crippled with managing the virus and its financial consequences,” Leopard said.
In the past, hospitals were often unintentional victims swept up in wider cyberattacks, said Finch, the Pillsbury attorney. Recent ransomware hits underscore the worrisome trend of bad actors deliberately going after hospitals, he said.
Criminals will likely be emboldened by the recent attacks, and those threats won’t go away anytime soon, Finch said.
“It’s sobering but important for health care providers to understand that criminals are working to improve their tools,” said Bourque, the Mintz Levin attorney. “It’s easy to let your guard down when there’s something as big as the pandemic occupying your time.”
To contact the editor responsible for this story: Kibkabe Araya at karaya@bloombergindustry.com;