Ransomware attacks present growing threat for hospitals
Cyberattacks based on ransomware—hacking into a computer system and holding it hostage until the victim pays to regain access—are on the rise. In one recent case, Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin after hackers locked the hospital out of its own files.
When most of us hear of a company being hacked, we think of traditional data breaches—the theft of personally identifiable information. Hackers can sell this information on the black market to fraudsters for use in familiar, identity-related schemes. Consumers whose personal information was stolen may then bring a civil suit against the company, as may government agencies that regulate data security.
Ransomware attacks, however, pose a more immediate, disruptive threat. Rather than steal data outright, ransomware hackers infiltrate the company’s computers and hold hostage the data on the machine—as well as all files that the computer has direct access to via a network—until payment is made.
A good offense is crucial
The good news is that a robust cybersecurity program can minimize a hacker’s chance of success. The FTC and others have highlighted best practices that companies can take to counter ransomware attacks. Although cybersecurity programs are best tailored to the specific circumstances of the company and its industry, companies should:
Limit and control access to sensitive data;
Ensure that data storage and networks use industry-tested and up-to-date data security software that would block attempts to breach networks;
Segment and monitor all networks, as hackers often infiltrate networks months before the attack;
Secure remote access to networks;
Implement a security awareness program that trains employees on safeguarding against cyber threats, including phishing attacks;
Perform annual tests of the network’s cyber defenses;
Back up data on a segregated or otherwise protected system that would remain accessible if a ransomware attack shuts down the primary system; and
Ensure that vendors and other service providers that have access to networks implement their own reasonable security measures.
Although a robust cybersecurity program is no guarantee against either a traditional data breach or a ransomware attack, such programs not only minimize the damage a hacker can wreak, but also reduce the likelihood that civil suits brought by consumers or government agencies will succeed.
If the hacker has stolen data as part of the cyberattack, state data breach notification laws may obligate the company to disclose the breach. With respect to HIPAA-covered entities and business associates, the Breach Notification Rule requires those entities to provide notification if protected health information is accessed.
As ransomware attacks become more frequent, companies will face these issues more often. Planning ahead avoids hasty decisions that may aggravate the problem and, in turn, increases the chances of overcoming the attack.
Ronald Cheng and Danielle Gray are partners at O’Melveny and leaders of the Data Security and Privacy group. Matthew Sheehan is a counsel in O’Melveny’s Washington, D.C., office and a member of the Data Security and Privacy Practice. The opinions expressed in this article do not necessarily reflect the views of O'Melveny or its clients, and should not be relied upon as legal advice.