Regulation of Medicine


Preparation and Response to a Ransomware Attack

Executive Summary 

Ransomware attacks pose a serious threat to healthcare organizations. These attacks have quickly become the most prominent type of malware and have impaired providers’ ability to deliver crucial services. Healthcare organizations therefore need to understand the risks associated with ransomware attacks and how to respond immediately when faced with one.

Recommended Actions  
  • Ensure that your healthcare practice has a comprehensive incident response policy and procedures for dealing with a ransomware attack. 
  • Ensure that your IT vendor has implemented detection measures to identify ransomware attacks and make certain that staff members understand these detection measures. 
  • Build a post-incident response procedure and appropriately train staff members on how to respond to a ransomware attack. 

It’s 7 a.m. and your organization is starting the workday. An employee turns on their computer and, instead of their normal desktop, they see a message saying the files are encrypted and no longer accessible. The message states that the only way to recover the files is with a decryption key and includes instructions on how to submit payment. It’s a ransomware attack.  

If your organization suffers a ransomware attack, MagMutual recommends taking the following steps immediately:  

Step 1: Record details of the ransom note and disconnect the affected device from the network. 

Take a picture of the ransom note or write down exactly what it says, as it may contain important information for your IT vendor. Then, if possible, disconnect the device from the network instead of shutting the device down. Disconnecting might prevent the ransomware from finding backups and spreading throughout the rest of the network, whereas turning off the affected device could cause valuable forensic data to be lost. Data backups should also be secured and taken offline until IT can assess the situation. 

Step 2: Notify your staff and implement downtime procedures. 

The practice administrator should immediately notify the entire team and prevent others from logging into the system. Alert all employees and physicians of the situation so they can take precautionary measures to limit any spread to other devices. During this time, use “offline/system downtime” forms and transition to paper documentation/charting consistent with your organization’s business continuity plan.  

Step 3: Call your IT vendor to alert them of the attack. 

It’s important to have your IT vendor’s phone number saved and easily accessible. IT vendors can conduct a full forensic analysis of your system to determine how the hacker accessed the system as well as the type of data removed, if any. Your IT vendor can also ensure the ransomware hasn’t spread and will help you manage the current situation and make improvements for the future.  

Step 4: Notify your local FBI field office. 

Though the FBI strongly recommends reporting ransomware attacks, many still go unreported. Notifying law enforcement about the incident may help you and other healthcare organizations avoid attacks in the future. Plus, if law enforcement can locate your specific attacker, there is a chance your files can be decrypted and released without cost. You can find your local FBI field office here.  

Step 5: Contact MagMutual or your other insurance carrier concerning your cyber liability coverage.

MagMutual’s industry-leading Cyber Plus® policy provides comprehensive cyber liability coverage in all areas of cyberattacks. If you have this protection through MagMutual, please immediately contact us. Our team can provide your organization guidance on what to do. Your cyber liability policy may include coverage for a ransom payment, forensic investigation, notification, media release, call center and credit monitoring. If you don’t have MagMutual’s Cyber Plus policy and are without coverage for the ransomware event, we recommend you work with your IT vendor. 

Please note: if unsecured PHI data was breached during the attack, you may have reporting obligations under HIPAA. A forensic IT investigation and consultation with MagMutual can help you make that determination. 

Step 6: Keep everyone in your organization informed while the issue is being resolved. 

Provide consistent, regular updates to all employees. Since responding to a ransomware attack is a fluid situation, you’ll need to update clinicians, staff and patients at different points in the process. You should decide who to contact for updates, when and how often. 

Step 7: Consult with appropriate parties and determine whether to pay the ransom. 

Many organizations make the decision whether to pay a ransom in consultation with the FBI, their IT vendor and insurance carrier. It’s very important to verify who will be receiving the ransom payment. The U.S. government maintains a list of sanctioned organizations, and paying a ransom to a person or entity on the list may be illegal. For example, if the ransom message demands payment in the cryptocurrency Monero, it is likely the hacker is on the sanctioned list because of an affiliation with a terrorist organization or other threat to the United States.

In addition, HHS and the FBI advise against paying the ransom in most cases. Payment does not guarantee that your files will be unencrypted and returned, and your healthcare organization runs the risk of further extortion because the hacker knows you will pay. 

Additional Resources 
Lessons Learned 
  • Regularly back up your practice’s data. Ideally, backups should be kept on an external hard drive.  
  • Document all communications related to the ransomware attack and maintain copies of this documentation in one location. 
  • Conduct annual employee training regarding cybersecurity risk liability and how to mitigate these risks. 
Potential Damages 

Inappropriate responses to a ransomware attack could open the door to multiple types of violations and potential liability. The risks associated with such an attack range from HIPAA violations and medical malpractice claims to liability under the False Claims Act. The frequency of such attacks is moderate, and they can have serious implications and costly damages for healthcare practices.


    1. In the case of a ransomware attack, a healthcare practice can simply pay the ransom to the person or entity, even if they’re named on the list of sanctioned individuals.
    2. Providers may continue to see patients during a ransomware attack, but must maintain paper documentation for any patient data.
    3. Healthcare organizations need to evaluate whether patients’ protected health information was breached during a ransomware attack.




    The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.