Hospital and Healthcare Company Ransomware Attacks Increasing During COVID-19 Pandemic
By James P. Melendres, Aloke S. Chakravarty, and Rebecca E. Eckert-Fong
On April 4, 2020, Interpol issued a warning to hospitals and healthcare companies at the forefront of the COVID-19 pandemic that cybercriminals are targeting them with ransomware attacks. To extort ransom payments, cybercriminals are using ransomware to lock hospitals and healthcare companies out of critical systems while they fight the pandemic.
Interpol’s “Purple Notice” was disseminated to all 194 of its member countries and advised that it had “detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response.” Interpol’s Cybercrime Threat Response team is monitoring COVID-19 cyberthreats and working closely with its member countries, cyber experts and targeted organizations to advise and mitigate the risks.
Interpol advised that the ransomware is primarily spread via email communications. Accordingly, it recommended that hospitals and healthcare companies ensure they are taking appropriate measures to prevent and mitigate a ransomware attack. These include: only opening emails or downloading software/applications from trusted sources; not clicking on links or opening attachments in unexpected emails or emails from unknown senders; protecting against spam, which could be infected; ensuring the latest anti-virus software is installed and running on all systems and mobile devices; and using strong, unique passwords and updating them regularly.
Further, to minimize disruption, Interpol encouraged hospitals and healthcare companies to regularly back up essential files and store those backups separately from their main system(s).
The exploitation of the COVID-19 crisis comes at a time when ransomware attacks against healthcare companies had already been increasing. New variants of ransomware have been deployed and, in some attacks, threat actors have exfiltrated data in addition to encrypting it in place. In other cases, attackers have targeted third-party managed service providers who may be responsible for securing sensitive healthcare data. The increased targeting of hospitals and healthcare companies presents not just a technical threat, but a legal one as well. As we have previously reported, the Office of Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) has issued ransomware-related HIPAA guidance, which includes its position that “when electronic protected health information ("ePHI") is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a disclosure not permitted under the HIPAA Privacy Rule.”
Further, a breach of PHI is presumed to have occurred, “unless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised’, based on the factors set forth in the Breach Notification Rule.” Section 7 of the guidance provides an explanation of the risk assessment that covered entities and business associates would need to undertake to demonstrate that there is a “low probability that the PHI has been compromised.” If a breach has occurred, then the entity must comply with the applicable breach notification provisions, including notification to (1) affected individuals without unreasonable delay, (2) the Secretary of HHS, and (3) the media (for breaches affecting more than 500 individuals), per HIPAA breach notification requirements set forth in 45 C.F.R. §164.400-414.
In addition to the defensive measures recommended in Interpol’s Purple Notice, companies in all sectors can take further protective measures that could make them more resilient to the inevitable increase in ransomware attacks: maintaining a risk-tailored cyber insurance policy; maintaining up-to-date and segregated backups; continuing periodic penetration testing and auditing; establishing and refreshing relationships with federal law enforcement and third-party data protection providers, including law firms and cyber-forensic companies; and preparing and updating an incident response plan and an information security policy.
About Snell & Wilmer
Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 16 locations throughout the United States and in Mexico, including Los Angeles, Orange County and San Diego, California; Phoenix and Tucson, Arizona; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.