    Ransomware attacks present growing threat for hospitals

    Cyberattacks based on ransomware—hacking into a computer system and holding it hostage until the victim pays to regain access—are on the rise. In one recent case, Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin after hackers locked the hospital out of its own files.       

    When most of us hear of a company being hacked, we think of traditional data breaches—the theft of personally identifiable information. Hackers can sell this information on the black market to fraudsters for use in familiar, identity-related schemes. Consumers whose personal information was stolen may then bring a civil suit against the company, as may government agencies that regulate data security.

    Ransomware attacks, however, pose a more immediate, disruptive threat. Rather than steal data outright, ransomware hackers infiltrate the company’s computers and hold hostage the data on the machine—as well as all files that the computer can directly access via a network—until the victim pays.

    A good offense is crucial

    The good news is that a robust cybersecurity program can minimize a hacker’s chance of success. The FTC and others have highlighted best practices that companies can take to counter ransomware attacks. Although cybersecurity programs are best tailored to the specific circumstances of the company and its industry, companies should:

    • Limit and control access to sensitive data;

    • Ensure that data storage and networks use industry-tested and up-to-date data security software that would block attempts to breach networks;

    • Segment and monitor all networks, as hackers often infiltrate networks months before the attack;

    • Secure remote access to networks;

    • Implement a security awareness program that trains employees on safeguarding against cyber threats, including phishing attacks;

    • Perform annual tests of the network’s cyber defenses;

    • Back up data on a segregated or otherwise protected system that would be accessible in case a ransomware attack shuts it down; and

    • Ensure that vendors and other service providers that have access to networks implement their own reasonable security measures.

    Although a robust cybersecurity program is no guarantee against either a traditional data breach or ransomware attack, such programs will not only minimize the damage a hacker can wreak, but also diminish any potential success of civil suits brought by consumers or government agencies.

    If the hacker has stolen data as part of the cyberattack, state data breach notification laws may obligate the company to disclose the breach. With respect to HIPAA-covered entities and business associates, the Breach Notification Rule requires those entities to provide notification if protected health information is accessed. 

    With the increasing frequency of ransomware attacks, these issues will occur more frequently. Planning avoids hasty decisions that may aggravate the problem and, in turn, increases the chances of overcoming the attack.    

    Ronald Cheng and Danielle Gray are partners at O’Melveny and leaders of the Data Security and Privacy group. Matthew Sheehan is a counsel in O’Melveny’s Washington, D.C., office and a member of the Data Security and Privacy Practice. The opinions expressed in this article do not necessarily reflect the views of O'Melveny or its clients, and should not be relied upon as legal advice.

