Just a few weeks into 2018 and it is already clear that health care providers must continue to guard against ransomware attacks. Last week, Hancock Health, a hospital system in Greenfield, Indiana, paid a ransom of four bitcoins (approximately $55,000 at the time of the attack) in order to regain control of their hacked systems. During the attack, Hancock Health immediately took steps to shut down its network in order to isolate and contain the assault on its systems. Nevertheless, according to a press release, the system paid the ransom purely as a ‘business decision’ in order to avoid further disruption to the health system’s operations. Hancock Health has also reported that patient data was not compromised, and that life support technology and other critical hospital services were not affected by the attack. Regardless, the attack will certainly result in regulatory scrutiny for the health system. It also demonstrates that even small providers in the Midwest are targets for cyber-attacks from sophisticated, foreign-based criminal networks.
Ransomware attacks are part of an ongoing trend of cyber criminals targeting the health care industry. According to the FBI, hospitals are particularly sought after targets because their systems are rarely offline (which can delay software updates necessary to address vulnerabilities), and due to the highly sensitive and time-critical information stored on their systems, hospitals are more likely to pay a ransom. Providers across the country, from California to Indiana to Pennsylvania have faced such attacks, and notably, the National Health Service in Britain was crippled during the WannaCry attack in May 2017.
Health care providers must prepare to respond to such attacks. At a minimum, providers must continuously evaluate potential threats to their systems and take appropriate steps to address vulnerabilities. Under the Health Insurance Portability and Accountability Act’s (“HIPAA”) Security Rules, health care providers are required to conduct periodic risk analyses to identify new and growing threats, and to take steps to address them. Under HIPAA, providers must develop written contingency plans to address identified vulnerabilities, including without limitation, redundancy plans for backing up and securing essential data and information. If an attack occurs, providers should have plans in place for evaluating and determining the scope of an attack, how the organization will continue operations in the face of such an attack, plans for retaking control of its systems or operating from backups, and recovery operations. Further, as a successful ransomware attack would constitute a data breach under HIPAA, providers must have procedures in place for conducting an appropriate breach analysis after such an attack and evaluating its reporting obligations to both regulators and to affected individuals under Federal and State law.
Frantz Ward can assist health care providers in preparing for ransomware attacks as required under Federal and State laws, including HIPAA, and responding quickly and appropriately should an attack occur. For further information, please contact Frantz Ward attorneys Craig Haran
or Bradley Reed