Home > Insights > Blogs > Health Law Checkup > Responding to ransomware attacks: A guide for health care providers

Responding to ransomware attacks: A guide for health care providers

As if data privacy and HIPAA concerns were not enough for health care entities to fret over, enter another data threat that has already caught many health care systems off guard – ransomware attacks.

Ransomware is a virus that scours machines and networks to encrypt files so that the victim has to pay the attacker a ransom (in BitCoin, an anonymous digital currency) to receive a decryption key that unlocks the files. It’s a serious matter about which the FBI has issued warnings, noting that entities with highly sensitive data – like health care records – are most vulnerable. Ransomware can affect individual computers, servers or whole systems and typically infiltrates systems via a malicious email containing a corrupting link or attachment.

Recently, the Kansas Heart Hospital was in the news as a ransomware victim. Even though it forked over one payment to get the data back, the attacker demanded a second ransom, which the hospital refused to pay. Another attack in March severely crippled MedStar Health, which operates 10 hospitals in the Baltimore-Washington, D.C. area, requiring the health system to turn away patients or treat them without critical computer records, according to the Washington Post.

Like all cybersecurity threats, the risk of a ransomware attack cannot be eliminated. But the health care industry is not defenseless. With careful planning and a cybersecurity breach response plan, any lasting damage from an incident can be substantially reduced by planning before a crisis unfolds. To that end, Thompson Coburn’s cybersecurity practice offers the following guidance to health care entities targeted by ransomware attackers:

  1. Do not turn off the affected machines. Instead, isolate them from the rest of the network by unplugging them from the network. Turning off the affected machines can result in losing valuable forensic data that can help determine how the attack occurred, whether information contained in the affected files was exfiltrated or accessed, and help determine whether the attacker may have accessed the system.

  2. Do not erase/scrub/wipe/scan or clean the affected machines until there has been a forensic image made of the machine with the active infection. Maintaining a viable forensic copy of the affected machine is important for investigatory purposes.

  3. Provide the malware definition to the anti-virus/anti-malware provider and obtain an updated definition file. Scans of the entire network, including all end points, should be run using the updated definitions.

  4. If the organization believes it has recent, clean backups of the affected machine(s), ensure that the backup is thoroughly scanned for any malicious activity. Many times ransomware will exist in a system for a period of time before it executes, meaning that the backup could be infected, and the organization will have the same problem.

  5. If there are no backups of the encrypted files, most likely the only way to gain access to those files again is by paying the ransom. Remember that this is a business for the hacker.

  6. Ensure that all logs currently available are maintained – IIS logs, firewall logs, etc.

Responding to a ransomware or any other cyber event can be a daunting process. Our firm’s cybersecurity practice helps organizations prepare for and respond to cybersecurity breaches and wage an aggressive defense should an incident result in litigation by customers or regulators.

Melissa Ventrone is a partner and chair for Thompson Coburn's cybersecurity practice and Aleksandra Vold is an associate in the practice.