On October 29, 2020, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) announced that, based on credible information from HHS, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), hospitals and healthcare providers are at imminent risk of a cyberattack. In response to this looming threat, law enforcement is advising healthcare entities to implement best practices to avoid a cyberattack.
Specifically, CISA, HHS, and the FBI are predicting ransomware attacks. Ransomware is a type of malicious software that denies users access to targeted data. Hackers encrypt the data and hold it hostage until a ransom is paid. If the ransom is not paid, the hackers will permanently destroy all the data. Unfortunately for healthcare providers, the Department of the Treasury recently announced that any entity that pays a ransom to get its data returned will be in violation of the International Emergency Economic Powers Act and will thus be subject to steep civil monetary penalties, not to exceed $250,000.
This puts providers in a precarious position, so CISA, the FBI, and HHS have published various references and guides to help prevent healthcare providers’ systems from being susceptible to a ransomware attack in the first place. These preventive measures include: regularly backing up data; keeping data backups offline, disconnected from the network; regularly changing passwords and avoiding reuse of the same password across different accounts; using two-step verification where available; updating operating systems as soon as updates are available; and keeping antivirus and anti-malware programs updated and scanning regularly.
Another extremely important ransomware mitigation tactic is to educate the end users of systems. Oftentimes, these attacks happen because an end user—such as an employee of a large organization—falls for a phishing scam. As it relates to ransomware, phishing occurs when an end user clicks on a link, usually in an email, that introduces the ransomware to the system. Training employees to recognize suspicious activity, and on what to do if they believe they have been hacked, is an extremely important measure in mitigating ransomware attacks.
A ransomware attack can be extremely damaging to healthcare entities—particularly in the wake of the 2019 Novel Coronavirus (“COVID-19”) pandemic, during which a significant amount of healthcare is now provided online. In fact, in response to COVID-19, telehealth has been temporarily expanded to cover a large number of services that were previously not permitted. A ransomware attack forces healthcare entities to restore their servers, which is a costly undertaking. Also, pursuant to HIPAA requirements, the hacked entity must notify every individual whose data was compromised.
For over 35 years, Wachler & Associates has represented healthcare providers and suppliers nationwide in a variety of health law matters, and our attorneys can assist providers and suppliers in understanding best practices to keep their healthcare entities safe and secure from ransomware attacks. If you or your healthcare entity has any questions pertaining to healthcare compliance, please contact an experienced healthcare attorney at 248-544-0888 or wapc@wachler.com.