February 14, 2022
Data Privacy & Healthcare Alert
Author(s): Sarah E. Swank, Tina Sciocchetti, Meredith D. LaMaster
Hospitals should act swiftly to protect vulnerable systems against LockBit 2.0 ransomware.
On February 4, 2022, the FBI released a cautionary report to hospitals warning of potential system compromises due to LockBit 2.0 ransomware. In the midst of practitioner fatigue, labor shortages, and financial hardships caused by the COVID-19 pandemic, hospitals face the potential threat of losing control of internal operations, exposing patient data, and facing demands for significant ransoms to regain possession of their network. Ransomware is a form of malicious software, better known as malware, that denies users access to internal computer files, networks, and systems and, in some cases, results in exfiltration of data.[1] To regain network control and/or prevent data exfiltration, perpetrators demand that victims pay ransoms within an allotted amount of time.
LockBit 2.0 utilizes numerous tactics, techniques, and procedures through its Ransomware-as-a-Service (RaaS) operations that make defense and mitigation substantially harder. The ransomware infiltrates susceptible networks through insider and purchased access and unpatched vulnerabilities, among other mechanisms. After network access is gained, LockBit’s actors escalate to administrative privileges using publicly available tools. From there, the actors use further tools to steal data, after which the victim’s data is encrypted. A ransom note with instructions on how to access the decryption software is left in all affected areas of the victim’s system. LockBit adds pressure by threatening to leak the stolen data, which poses an additional, significant risk to hospitals due to HIPAA. The FBI’s warning comes despite LockBit’s assertions that it does not hack healthcare organizations.
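As an added illustration of the defender-side check this behaviour invites (example code written for this page, not taken from the alert or the FBI report): a heuristic scan that flags a small text-like file replicated across most directories, next to files whose contents look encrypted. The note filename, department folder names, and entropy threshold are constructed placeholders and assumptions, not real LockBit indicators.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random (or well-encrypted) data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root, note_dir_ratio=0.5, entropy_threshold=7.5):
    """Return (suspected note filenames, files whose content looks encrypted).
    A note candidate is a small text-like file whose exact name recurs in at
    least note_dir_ratio of the directories under root (note in every area)."""
    root = Path(root)
    dir_count = 1 + sum(1 for p in root.rglob("*") if p.is_dir())
    name_hits = Counter()
    high_entropy = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(65536)  # sample only the first 64 KiB of each file
        if path.suffix.lower() in {".txt", ".hta", ".html"} and len(head) < 8192:
            name_hits[path.name] += 1
        elif shannon_entropy(head) >= entropy_threshold:
            high_entropy.append(path.relative_to(root).as_posix())
    notes = sorted(n for n, c in name_hits.items() if c / dir_count >= note_dir_ratio)
    return notes, sorted(high_entropy)

def build_sample_tree(root):
    """Constructed sample (not real artifacts): three department folders, each with
    a placeholder note and random bytes standing in for an encrypted record."""
    for dept in ("finance", "hr", "radiology"):
        d = Path(root, dept)
        d.mkdir()
        (d / "PLACEHOLDER-RANSOM-NOTE.txt").write_text("constructed note text\n")
        (d / f"{dept}_records.enc").write_bytes(os.urandom(4096))
    Path(root, "readme.txt").write_text("ordinary file, appears once\n")

def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

The ordinary `readme.txt` appears in only one of four directories and is not flagged, while the placeholder note (three of four) and the three random-byte files are.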
A 2021 study conducted by Ipsos, a multinational market research and consulting firm, indicated that healthcare systems are a common target for ransomware attacks, with hospitals accounting for 30% of all large data breaches.[2] It is estimated that these breaches alone cost hospitals $21 billion in 2020.[3] Of the 130 hospital executives surveyed by Ipsos, 48% had experienced a shutdown of some sort in the prior six months due to an external attack.[4] Midsize hospitals faced more significant downtime and financial burdens, with shutdown times averaging almost ten hours, at a cost of $45,700/hour.[5] Larger hospitals experienced a somewhat smaller burden, with shutdown times averaging 6.2 hours and $21,500/hour.[6] Even with the uptick in ransomware attacks and the staggering cost of regaining control of their systems, more than 60% of hospital IT teams reported other concerns as higher priority, with less than 11% citing cybersecurity as a high priority.[7]
To help guard against ransomware attacks, hospitals should consider implementing the following preventative measures:
The FBI encourages anyone who believes they may be the victim of a ransomware attack to report information to their local field office. Hospitals may take a number of protective measures if they find themselves in the midst of an attack. The U.S. Secret Service recommends the following steps:
In addition, hospital personnel should be prepared to provide details to law enforcement regarding:
The HIPAA Security Rule requires covered entities and business associates to adopt policies and procedures to respond to and recover from ransomware infiltrations. This includes conducting frequent offline data backups and implementing a contingency plan with disaster recovery and emergency operations planning. Once an entity becomes aware of an incident, the Office for Civil Rights (sub-agency of the U.S. Department of Education) recommends implementing a security incident response plan to determine the scope of the incident, its origin, its duration, and how it occurred. Covered entities may have HIPAA breach notification requirements, which must be managed in response to a ransomware attack. Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI (protected health information) has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.
The FBI does not encourage paying ransoms but acknowledges the significant burdens entities like healthcare systems may face if unable to operate as a result of a cyberattack. Whether a hospital decides to pay a ransom demand or not, the local FBI office should be notified and/or a complaint filed online.
Some say it is not “if” but “when” hospitals will be hit with a cyberattack. For some, it is happening more than once. These attacks are disruptive to operations, costly, and can impact patient care. As ransomware attacks continue to increase, it is imperative that hospitals invest in the technology and infrastructure necessary to prevent such potentially debilitating threats. Proper protocols and training will enhance preparedness and response. If attacks occur, hospitals should act fast to restore data and operations and comply with reporting obligations.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.