Compliance suggestions for mitigating ransomware attacks, aftermath

In light of a major insurance company recently being hit with ransomware, the importance of protection, detection, and correction cannot be overemphasized.

Last month, a Physicians Practice article of mine highlighted the surge in ransomware attacks over the past year. CNA, the seventh largest commercial insurance company, has since announced that it “sustained a sophisticated cybersecurity attack [Phoenix Cryptolocker]” which “forced [it] to take systems offline and temporarily shutter its website.” In light of that announcement, this article highlights some key items that all persons should have in place when formulating ransomware policies and procedures.

In March, the FBI Phoenix Field Office issued a warning about ransomware attacks, which are “a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return.” These attacks are becoming increasingly sophisticated, often occur at night and on the weekends, and may also involve state actors. This is relevant because, as the checklist below reveals, one of the primary steps is to contact law enforcement before paying a ransom.

The FBI recommends never paying the ransom, as there is no guarantee that the scammer will send you the decryption key. Beyond that, the money you pay may be used to fund organized crime activity or acts of terrorism, while encouraging future criminal activity by these cyber thieves.

In light of the uptick in and increasing severity of ransomware attacks, the following items should be considered as part of any ransomware checklist:

Item | Prevention | Post-Attack (Detection & Correction)
---- | ---------- | ------------------------------------
1 | Comprehensive policies and procedures | Contact the FBI and other relevant law enforcement (ic3.gov)
2 | Adequate technical, administrative, and physical safeguards | Contact supervisor and IT if detected by an employee

This list is not meant to be comprehensive; however, it is a good starting point for any organization. The costs to any healthcare provider, business associate, or subcontractor can be significant. In addition to government investigations and penalties, class action lawsuits are time-consuming and financially significant. Overall, it is imperative to implement adequate safeguards to detect ransomware attacks and to be ready to respond in the event that one happens.

About the Author

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.