Regulation of Medicine


Immediate Response to a Ransomware Attack

It’s 7 a.m. and your organization is starting the work day. An employee turns on their computer and, instead of their normal desktop, they see a message saying the files are encrypted and no longer accessible. The message states that the only way to recover the files is with a decryption key and includes instructions on how to submit payment. It’s a ransomware attack.

If your organization is hit with a ransomware attack, MagMutual recommends taking the following steps immediately:

Step 1: Record details of the ransom note and disconnect the affected device from the network.

Take a picture of the ransom note or write down exactly what it says, as it may contain important information for your IT vendor. Then, if possible, we recommend disconnecting the device from the network instead of shutting the device down. Disconnecting might prevent the ransomware from finding backups and spreading throughout the rest of the network, whereas turning off the affected device could cause valuable forensic data to be lost. Data backups should also be secured and taken offline until IT has the opportunity to assess the situation.

Step 2: Notify your staff and implement downtime procedures.

The practice administrator should immediately notify the entire team and prevent others from logging into the system. Alert all employees and physicians of the situation so they can take precautionary measures to further limit any potential spread to other devices. During this time, use “offline/system downtime” forms and transition to paper documentation/charting consistent with your organization’s business continuity plan.

Step 3: Call your IT vendor to alert them of the attack.

It’s important to have your IT vendor’s phone number saved and easily accessible. IT vendors can conduct a full forensic analysis of your system to determine how the hacker accessed the system as well as the type of data removed, if any. Your IT vendor can also ensure the ransomware hasn’t spread, and they will help you manage the current situation and make improvements for the future.

Step 4: Notify your local FBI field office.

The FBI strongly recommends reporting ransomware attacks, but many still go unreported. Reporting the incident to law enforcement may help you and other healthcare organizations avoid these attacks in the future. Plus, if law enforcement is able to locate your specific attacker, there is a chance your files can be decrypted and released without cost. 

Step 5: Contact MagMutual or other insurance carrier. 

  MagMutual’s industry-leading Cyber Plus® policy provides comprehensive coverage in all areas of cyber-attacks. If you have this protection through MagMutual, please immediately contact us. Our team can provide your organization guidance on what to do. Your policy may include coverage for a ransom payment, forensic investigation, notification, media release, call center, and credit monitoring. If you don’t have MagMutual’s Cyber Plus policy and are without coverage for the ransomware event, we recommend you work with your IT vendor.

Please note: if unsecured PHI data was breached during the attack, you may have reporting obligations under HIPAA. A forensic IT investigation and consultation with MagMutual can help you make that determination.

Step 6: Keep everyone in your organization informed while the issue is being resolved.

Provide consistent, regular updates to all employees. Since responding to a ransomware attack is a fluid situation, you’ll need to update clinicians, staff, and patients at different points in the process. You should decide who needs to be contacted for updates, when and how often.

Step 7: Determine whether to pay the ransom with consultation.

Many organizations make the decision whether to pay a ransom in consultation with the FBI, their IT vendor and insurance carrier. It’s very important to verify who will be receiving the ransom payment. The U.S. government maintains a list of sanctioned organizations, and paying a ransom to a person or entity on the list may be illegal. For example, if the ransom message demands payment in the cryptocurrency Monero, it is more likely the hacker is on the list because of an affiliation with a terrorist organization or other threat to the United States.

In addition, HHS and the FBI advise against paying the ransom in most cases. Payment does not guarantee your files will be unencrypted and returned, and your organization runs the risk of further extortion because the hacker knows you will pay.

Additional Resources


Want to learn more?

Interested in how MagMutual can help?

View our products


The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.