A New Ransom: Hackers Say Pay Up or We Will Release Your Data
Published On December 20, 2019
Blog Post by Brian Selfridge, ITRM Partner at Meditology Services
A recent publication from KrebsOnSecurity highlights an alarming shift in cybercriminals approach to getting paid for successful ransomware infections. Operators of the new strain of Maze ransomware are starting to release sensitive information of ransomware victims that fail to pay up.
Healthcare entities subject to strict HIPAA breach notification requirements may end up with a double-whammy of inaccessible Electronic Health Records and regulatory compliance action. The publication of ransomware victims and their protected information also ensures these organizations will make headlines and be forced to grapple with lasting damages to reputation and patient trust.
These shifts in cybercriminal tactics come at a time when healthcare entities are struggling to keep up with protecting life-critical systems including medical devices from an onslaught of malware and hacking attacks. Healthcare is 30% more likely than the financial industry to have sensitive assets stolen, 17% more likely to experience a security incident related to employee errors, and 20% more likely to experience an incident related to the misuse of privileged access.
The risks of breach of sensitive information are eclipsed by potential impacts to patient safety for medical devices that malfunction or become unavailable at critical moments of care due to ransomware attacks. The 2017 WannaCry ransomware attack was a high-profile example of malware impacting medical devices on a large scale. Although the majority of impacted health systems were in the United Kingdom, the attack served as a warning sign to health systems across the globe that security protections for medical devices remain woefully insufficient.
We recommend healthcare entities take the following measures to proactively protect against evolving ransomware attacks:
- Invest in maturing patch management processes to proactively detect and patch known vulnerabilities
- Segment or isolate unpatched or vulnerable systems and limit access to minimum necessary functions
- Consider hiring third party staff augmentation resources to get caught up on patching of critical systems including medical devices
- Explore emerging IoT and IoMT asset discovery and protection solutions
- Conduct a ransomware exposure assessment including a review of systems and applications most vulnerable to ransomware infection, protection capabilities, and incident response readiness
- Develop and implement business continuity and disaster recovery plans including a primary focus on data backup and recovery capabilities
- Develop incident response playbooks specific to ransomware attacks and conduct routine tabletop exercises to test these plans
The Office for Civil Rights (OCR) has also advised in 2019 that ransomware infections must be documented as reportable breach events:
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized 6 See also Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act. 5 individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.
Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.
The combination of the exposure of company information by cybercriminals and reportable breaches for ransomware attacks mean that the days of sweeping ransomware infections under the rug as low-level malware attacks are soon coming to an end.
 KrebsOnSecurity. (2019). Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up
 Verizon. (2016) 2016 Data Breach Investigations Report
 Syal, R. (2018, Feb. 5), Every NHS trust tested for cybersecurity has failed, officials admit. The Guardian
 U.S. Department of Health & Human Services. (2019). FACT SHEET: Ransomware and HIPAA