Use this button to switch between dark and light mode.

Copyright © 2024 LexisNexis and/or its Licensors.

Ransomware Issues in the Healthcare Industry

July 07, 2022 (30 min read)

By: Nathan A. Kottkamp, WILLIAMS MULLEN

This article discusses market trends in 2021 relating to disclosures of climate change risks and mitigation by public companies, which are intertwined with environmental, social, and governance (ESG) issues. 

RANSOMWARE IS THE CURRENT HOT TOPIC IN CYBER-security because its reach is essentially universal. Driving this trend, in economic terms, is that the value of having access to data often exceeds the price that could be assigned to the data itself, regardless of the industry. Because of the types of information it possesses, the healthcare industry is a particularly valuable and vulnerable target. This article discusses issues associated with ransomware attacks on healthcare institutions. It provides in-house and outside healthcare counsel, as well as compliance professionals, with a concise understanding of the mechanics of a ransomware attack and steps healthcare institutions can take to mitigate or prevent one. Furthermore, it explains how ransomware attacks intersect with the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule and how HIPAA’s Security Rule can inform a healthcare institution’s ransomware response plan.

Overview of Ransomware Attack Methodologies

Given the ubiquity of digital operations, any entity with data—pretty much every organization in the modern economy—is a potential ransomware target. Complicating things further, cybersecurity teams are frequently playing catch-up to the tools that cybercriminals
are developing. Moreover, technology is one piece of the puzzle, but it is not the largest piece. The biggest factor is people. Indeed, human error, inattention, and gullibility drive most cyber incidents. In fact, at least one security analyst has concluded on two separate occasions1 that human error may be a contributing factor in 49%–95% of all data incidents. And, while human error may be reduced with various initiatives, it is sure to be a persistent threat.2

Because of this collection of factors, successful information management requires constant vigilance by entities in overseeing their personal and cultural operations. In other words, cybersecurity is not simply a technical matter.

Leveraging Fraudulently Obtained Information
Following a successful system compromise, cybercriminals have three key options for next steps:

  • Stealing and selling data
  • Establishing financial fraud schemes
  • Holding the entity hostage

Since the first two options often require considerable follow-up work and leave more detailed cyber footprints, the overall effort involved makes them less attractive for many cybercriminals. By contrast, with comparatively little effort, a cybercriminal can hold a target hostage by encrypting its data, preventing the target from accessing or using it.

Of course, the above options are not mutually exclusive. Although data may be locked as an initial matter to extract a ransom payment, the very same data subsequently may be sold or used for some sort of long-game fraud arrangement. As a result, entities may experience ransomware attacks, pay ransoms, obtain access to their data again, and resume normal operations, only to learn that the cybercriminals are still in their systems, are selling the stolen information, or are using the original information to perpetuate some sort of secondary fraud.

Use of Digital Currency

The evolution of digital currencies has accelerated underlying fraud. Among other things, the use of cryptocurrency substantially increases the ease of receiving ransom funds compared to traditional methods of exchanging or laundering large amounts of money. Cryptocurrency also makes it easier to sell stolen information on the dark web. Notably, the dark web consists of unindexed websites that are accessed via specialized browsers that inherently frustrate the ability to track transactions.

Size of the Attack

Matters of scale also impact how ransomware attacks are conducted. Because cybercriminals use the same basic technical tools and methods to compromise security systems regardless of target, they have an inherent incentive for aiming high and going big. Indeed, headlines abound with news about ransomware attacks that are massive and audacious. The widely publicized Colonial Pipeline ransomware attack, caused by a compromised password3 found on the dark web, crippled the supply of gasoline along the East Coast for six days in May 2021.

Conversely, small entities may be easier targets for straightforward get-in-and-get-out attacks. The frequency of such smaller attacks is difficult to measure. Companies likely do not report them for myriad reasons, including embarrassment and a sense that small incidents will not merit law enforcement attention. Thus, cybercriminals are incentivized to launch multiple small attacks in the hopes of staying undetected.

Heightened Risks for Healthcare Institutions

While any business can rightfully say that having swift access to its data is essential to its survival, in the healthcare context, swift access to data is often also essential to patient survival. In other words, aside from creating operational and economic challenges, ransomware attacks on healthcare entities put lives at direct risk of serious harm, including death. For example, without immediate access to health information, healthcare providers may face one or more of the following scenarios:

  • They may not be aware of a patient’s life-threatening allergy.
  • They may have to delay time-sensitive cancer treatment.
  • They may be unable to operate various essential pieces of equipment, including life support systems.

Significantly, an active case4 currently working through the courts expressly asserts causation between a ransomware attack and a baby’s death. According to the lawsuit, a multiday ransomware attack on Springhill Medical Center (Alabama) in 2021 compromised a wide array of the hospital’s systems, including its fetal monitors. The attack allegedly led to the hospital’s failure to detect complications with one of its pregnant patients, resulting in the baby’s death nine months after birth. Regardless of where this particular case lands, subsequent lawsuits undoubtedly will continue to test whether healthcare entities should have liability if their operations are compromised, and patient care is impacted as a result.

Value of Information

If the above issues relating to patient care are not troubling enough, there is a compounding issue with healthcare information: the value of health information in the criminal marketplace exceeds that of financial information. Whereas account numbers, passwords, and other financial information can be changed, health history and genetics are evergreen. Therefore, a ransomware attack on a healthcare institution could result in an operational disruption. But it could also lead to long-lasting fraud if the cybercriminals capitalize on healthcare data and operational systems as well as the underlying data within them.

For example, with patient-specific information, it may be possible to set up a fraud scheme involving phantom community-based services, which are difficult to track even when the services are real. Furthermore, cybercriminals may take advantage of intimate knowledge of an entity’s invoicing system to engage in long-term fraud in which real patient information is used to submit fictional claims. Depending on how aggressive the cybercriminals are, they may be able to operate undetected for a long time.

Sources of Data

Finally, hospitals and other large healthcare entities are often massive, with multiple service lines, diverse operational units, and fragmented data systems. This combination of factors can make it particularly challenging to maintain cohesive data governance practices. With weak data governance practices, it may be difficult to identify any particular system compromise and implement swift incident response. Without solid data governance, entities are effectively inviting false reimbursement submissions, fake supply chain invoicing, and payroll fraud, among other things.

For these reasons, cybercriminals have significant leverage to extract ransoms when they compromise healthcare information.

Mitigation and Prevention Strategies

Just as every person is at risk of an acute health issue that could arise with little warning, all entities should operate as if they are the next target.

Take Immediate Action

As a preliminary step, you should implement the following initiatives immediately and update them regularly:

  • Preventive. Repeatedly educate employees about the fundamental ways in which digital systems can become compromised, particularly how the majority of compromises involve basic gullibility and human error.
  • Operational. Maintain a robust system of backups, redundancies, and data segmentation to substantially reduce the impact of an attack.
  • Practical. Contract for robust cyber insurance coverage to help mitigate the costs of managing an attack.
  • Strategic. Have a plan regarding payment:
    • The maybe pay plan. If the entity anticipates a willingness to pay, it should consider, in advance, the following variables: the amount of the ransom, how it will assemble the funds, whether anyone in the organization has cryptocurrency experience, whether it will use a broker, whether it will attempt to negotiate the ransom amount, and its payout limit.
    • The probably not pay plan. If the entity plans not to pay, it should consider the following actions: its strategies for and alternatives to operating without the original data, what kind of messaging it will provide to patients and business partners while its systems are compromised, and its public image management if the ransomware attack becomes prominent in traditional or social media.

Of course, the entity should be ready to be dynamic and change the plan. To that end, it is wise to recall Mike Tyson’s apocryphal quip: “Everybody has a plan until they get punched in the mouth.” Without a doubt, a ransomware attack is certainly like a punch to the mouth and being nimble will be essential to avoiding a complete knockout.

Given the perpetual evolution of technology, routine maintenance and use of these strategies can make the difference between an attack resulting in a minor injury and a fatal blow.

Employ Third-Party Resources

Even the best internal cybersecurity team can benefit from seeking outside help after an incident. On the technical front, you should consider using third-party forensics teams. These teams can assist in the following ways:

  • Restoring systems
  • Identifying any latent risks
  • Implementing preventive measures

On the strategic front, however, expert and law enforcement recommendations and experiences vary. As a result, you might not obtain straightforward or consistent advice. Remarkably, even the FBI does not take a strong position; instead, per the National Cyber Investigative Joint Task Force,5 it offers passive guidance: “The FBI does not encourage paying a ransom to criminal actors.”

Reaching out to law enforcement is always a good idea, but you should be realistic in your expectations. In the Colonial Pipeline case, the Department of Justice6 was able to recover a significant portion of the ransom, but it is hard to imagine that government-assisted ransom recoveries will be the norm. Smaller entities, in particular, may find that there are limited law enforcement resources to assist with any recoupment efforts. Thus, while reporting matters to law enforcement may help address future threats across the industry, it may not actually help current victims. In this way, reporting may be akin to organ donation, where nothing can be done to bring back the patient, but some good can still come from the death.

To be sure, seeking strategic assistance is recommended, but you should realize that you may be faced with a range of options, each with its own limitations and drawbacks. Furthermore, some consultants may be unable to offer anything more than generic advice that requires considerable amounts of internal resources to make the advice actionable. Accordingly, you should perform your due diligence, and consult with internal experts, before retaining any outside assistance. Doing this will ensure that any chosen measures fit within your entity’s budget, culture, and operating structure.

Consider Whether Payment Will Resolve the Issue

Dealing with ransomware would likely be much simpler if the ransom payment always resulted in prompt system restoration with no lingering effects. Of course, the reality is far more complicated. Among other things, the paradoxical notion of being able to trust cybercriminals to honor their words further complicates the strategies for incident response.

In any situation, there is a significant risk that the cybercriminals will take a victim’s money but not return or release the ransomed data. A related risk is that paying a ransom in the first place may increase the likelihood of being a repeat victim. For example, cybercriminals may believe that payment once signals a willingness to pay again.

Furthermore, if too many cybercriminals fail to return or restore data, or launch too many subsequent attacks, victims may be more likely to behave as if their data is lost forever or that the infiltration will be a chronic issue. These scenarios reduce the overall utility of paying ransoms.

Put another way, ransomware can be like the situation of a virus that kills its host. Of course, with so many actors and the vast array of response options, even if only a fraction of all victims decide to pay a ransom, ransomware is likely to remain a threat for a long time.

HIPAA Breach Notification Rule Requirements

Healthcare entities must also understand their obligations to notify affected individuals following ransomware attacks. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has taken the position, in its ransomware Fact Sheet,7 that all ransomware incidents involving protected health information (PHI) must be evaluated under the HIPAA Breach Notification Rule. Under the Breach Notification Rule,8 an entity must notify affected individuals of any breach of their PHI unless the entity can show a low probability that the PHI has been compromised.9 Breaches are defined as any impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy.10 Notice to individuals typically must be made within 60 days of discovery of a breach.11 Significantly, although it is possible to analyze an incident under the Breach Notification Rule and conclude that it is not a breach, as discussed in the following section, it is inherently difficult to overcome the presumption of a breach that is expressly built into the rule.

Conducting Breach Analyses under HIPAA

To determine whether a low probability of compromise exists, a healthcare entity that sustains a ransomware attack must perform a risk assessment that considers, at a minimum, the following
four factors:

  • The nature and amount of PHI involved, including the types of identifiers and the likelihood the individuals can be identified from the data
  • The cybercriminals who obtained the PHI
  • Whether the cybercriminals actually acquired or viewed the PHI
  • The extent to which the risk to the PHI has been mitigated12

Unless, using the criteria above, the entity can definitively conclude in good faith that there is a low probability that PHI was compromised, then a breach is presumed to have occurred and notice must be provided to affected individuals. Because the risk assessment requires the entity to make a judgment call, the conclusions an entity might reach from the inquiry can be complex, highly varied, and differ from one entity to the next. 

Consider, for example, a relatively straightforward ransomware incident in which cybercriminals use a basic encryption code to lock up a healthcare entity’s data system. Consider further that there is no evidence the cybercriminals exfiltrated the data, the data was swiftly restored after the ransom was paid, and there is no evidence of lingering malware. Was this a breach under HIPAA requiring notification to individuals whose PHI was involved? Unfortunately, there likely is not a singular answer.

Thus, entities may be faced with the difficult choice of providing expensive and potentially image-damaging notice about an event that may not actually have compromised patient information. Alternatively, they risk a significant enforcement penalty if OCR learns about the incident and disagrees with their breach risk assessment conclusions.

Large-Scale Breach Considerations

Healthcare entities must also notify OCR of all breaches of PHI.13 For breaches involving fewer than 500 people, OCR requires only that the entities report the breaches within 60 days of the end of the calendar year in which the breaches occurred.14 However, for breaches affecting 500 or more people, entities must provide notice to OCR at the same time they notify the affected individuals.15 OCR posts to its website all breaches affecting 500 or more people.16

Furthermore, although OCR retains discretion to investigate any breach of any size, OCR has stated that it will “investigate all reported breaches involving the PHI of 500 or more individuals.”17

Finally, when a breach involves more than 500 people in a single state or jurisdiction, the entity must further notify media outlets serving that state or jurisdiction.18 To put all of this in perspective, it means that in the event of a large-scale breach, a healthcare entity is required not only to deal with what is likely one of its worst events ever, it is required to immediately disclose it to both OCR and the media so that the event can be investigated and publicized.

In addition, separate from HIPAA, entities must consider whether any particular incident implicates state breach notification laws as well.

Subjective Standards in Determining Breaches

As noted above, the breach risk assessment factors are subjective, and the analysis is performed by the entity itself. As a result, the possibility arises that similar incidents may result in different strategies upon analyses by different entities. In the health context, consider for example a condition that has a low risk of harm, but such rare harm is catastrophic. Consider further that the treatment for this condition results in nearly universal serious side effects. In this hypothetical, some people might choose to live with the condition rather than undergo the treatment, whereas others might choose the treatment despite its side effects. Each person would make the decision based on an independent analysis of the severity and likelihood of the risks each choice presents. Likewise in the case of ransomware attacks, some healthcare entities may determine that the low risk of a major OCR enforcement action—based on their breach risk assessments—is more acceptable than the high risk of a costly public image nightmare.

HIPAA Security Rule Risk Analysis Criteria

Whereas the HIPAA Breach Notification Rule may be difficult to apply consistently, the HIPAA Security Rule provides clear requirements for healthcare entities that can be used to plan for and prevent ransomware attacks. The Security Rule19 requires healthcare entities to adopt “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security” of electronic PHI (ePHI). Notably, it mandates that healthcare entities conduct periodic risk analyses to assess “the potential risks and vulnerabilities” to the PHI they hold.20

As a testament to its universality, HHS issued the Security Rule in 2003 and has not substantively or structurally revised it since, despite all the technological changes that have occurred in the meantime. To put this in additional perspective, consider that Apple issued the first-generation iPhone four years before the Security Rule, and the iPhone is now into its 13th generation, while the Security Rule remains the same. The Security Rule framework has achieved its elasticity by focusing on what an entity must do without being very prescriptive about how things must be done.

The primary sources of the Security Rule’s durability are its simplicity and uniformity.21 Among other things, the Security Rule expressly incorporated a “flexibility of approach” that enables the same set of security considerations to be used for any sort of electronic health network.22 Therefore, both a single provider medical practice and a multi-hospital system can—and must—apply the same Security Rule standards. Furthermore, although it was specifically built for the healthcare context, there is nothing unique about the Security Rule, which renders it useful for a variety of situations.

Elements of a Security Rule Risk Analysis

The core components of the Security Rule—administrative, physical, and technical safeguards—are as fundamental to the healthy operation of information systems as diet, sleep, and exercise are to personal health. In performing a Security Rule risk analysis, OCR recommends in a guidance document23 that you consider the following factors:

  • Knowing where your data lives
  • Understanding and reasonably responding to anticipated risks
  • Having plans for situations when things go wrong
  • Ensuring that the policies and procedures supporting the risk analysis stay current

When done correctly, a Security Rule risk analysis should enable an entity’s governing body to understand why its network is (relatively) safe. It will also enable the entity’s information security team to understand how and why the network is (relatively) safe and, importantly, what needs to be done to keep it that way. Furthermore, if a ransomware attack does occur, having a current and comprehensive risk analysis will provide solid written evidence of an entity’s compliance program. This is significant because OCR has stated,24 as a general rule, that it does not impose sanctions on entities that have been reasonable in their compliance efforts: “OCR may decide not to investigate a case further if . . . [the] covered entity or business associate has taken steps to comply with the HIPAA Rules and OCR determines enforcement resources are better/more effectively deployed in other cases.” In an effort to promote the use of recognized security practices, the so-called HIPAA Safe Harbor law requires OCR to consider an entity’s use of such best practices in implementing any enforcement action.25

Updating Risk Analysis Documentation

One of the core aspects of the Security Rule risk analysis—the timing requirement for updates—is both a blessing and a curse. Specifically, the regulations require healthcare entities to review their risk analyses periodically and update as needed, but the regulations do not define either term or concept.26

On the blessing side, the lack of a prescriptive update period allows entities to reduce their administrative burden when there have been no significant changes to their systems. On the curse side, without specific update requirements, entities frequently neglect their risk analyses such that they no longer reflect their current systems. This phenomenon was vividly revealed in 2020 by the OCR’s publication of its 2016–2017 HIPAA audit results.27 OCR found that only 14% of covered entities and 17% of business associates substantially fulfilled their Security Rule requirements. Among other things, the OCR audits concluded that entities generally failed to do the following:

  • Identify and assess the risks to the ePHI in their possession
  • Develop and implement policies and procedures for conducting a risk analysis
  • Identify threats and vulnerabilities, consider their potential likelihoods and impacts, and rate their risks to ePHI
  • Review and periodically update risk analyses in response to changes in the environment or operations, security incidents, or occurrence of a significant event
  • Conduct risk analyses consistent with policies and procedures

Significantly, none of the above considerations are unique to health information; they apply to the business, operational, and human resources records of a healthcare entity as well. Furthermore, the above list reflects the minimum best practices that any entity in the modern economy should employ for its systems and data. In the healthcare context, HHS prepared a complete matrix identifying all required and suggested security specifications applicable to healthcare entities under the HIPAA Security Rule.28 Entities of all sorts, including non-healthcare entities, should use it to evaluate the nature, architecture, operations, and flaws in their information security systems.

In the absence of a defined periodic timing requirement, the sweet spot for ordinary updates to a risk analysis is probably in the 12-to-24-month range. Yet, it is important not to hold updates to a lockstep schedule. Instead, you should update your risk analysis (or at least relevant portions of it) anytime your entity has an actual or near-miss security incident and anytime your entity changes its physical footprint or its software or hardware structures. 

Candor in the Risk Analysis

When engaging in a Security Rule risk analysis, you must be brutally honest with your client or organization. Self-deception can be fatal. The point of the risk analysis exercise is to consider critically each of the following:

  • All the places in which data lives
  • All the mechanisms and devices that enable access to that data
  • All the ways that data flows from one place to another
  • The manner in which that data is stored

Additional Best Practices Addressing Ransomware Attacks

In addition to employing the requirements of the HIPAA Security Rule risk analysis, as counsel to healthcare entities, you should also consider advising your clients or organizations to take the following actions to prepare for ransomware attacks or to mitigate their effects when they occur. Significantly, the overwhelming majority of action items below will also assist with generalized cybersecurity practices as well as improve the nondigital operations of an entity.

Contract for the Costs of Incident Response

Healthcare entities may include indemnification provisions in their HIPAA-compliant Business Associate Agreements (BAAs). These provisions typically cover situations in which a party breaches a term of the agreement. In doing so, however, the entities should ensure that the provision accounts for both breaches of the parties’ agreement as well as breaches of PHI under HIPAA.

Indeed, a healthcare entity can be in full compliance with the HIPAA Security Rule but, nevertheless, experience a cyber incident that is no fault of its own. For example, the entity could experience an attack that is neither foreseeable nor preventable despite having a security infrastructure reasonable and consistent with industry best practices. In that case, although the attack would potentially be considered a breach under HIPAA, it might not constitute a breach of the parties’ agreement. Accordingly, you should ensure that every BAA addresses the costs of incident response, particularly costs to comply with the HIPAA Breach Notification Rule, regardless of the cause or culpability. In other words, healthcare entities should be sure to obtain reimbursement coverage for both contractual breaches and HIPAA breaches.

Maintain Copies of Documents in Discrete Locations

If all key contacts (e.g., lawyers, insurance companies, leadership, vendors, and clients) are maintained electronically, it may be very difficult, if not impossible, to collect necessary information swiftly during a ransomware attack. Therefore, you should consider maintaining paper versions of key documents.

In addition, and more realistically, an entity’s leadership should keep certain digital records in personal email or distinct cloud storage locations to keep them immune from a system compromise. The key is to have another way to access vital information if the entity’s systems are completely compromised. Not surprisingly, duplication of data and disaster operations preparedness are among the considerations under the Security Rule risk analysis framework.

Use the News

Rather than just take note of media reports of incidents that happen to others and move on, entities should appreciate that reported cases often provide glimpses of where cyber issues are heading. By paying attention to trends, entities can better prepare if they become victims of ransomware attacks. When your organization learns of an incident affecting another entity, a key reaction should be: “What if that had been us?” If your entity cannot answer that question, it could be a potential target.

Invest in Cybersecurity

Governing bodies may view cybersecurity expenditures as a significant waste of money, particularly since governing bodies may not appreciate the difference between attacks not happening and attacks being stopped. To those who do not understand the risk, the latter can feel like a nonevent. Indeed, many chief information officers can tell stories about their limited budgets, limited staff, and limited recognition. Things should not be this way.

An entity’s governing body should be fully engaged in cybersecurity and supportive of efforts to keep systems secure. Among other things, this means that members of the governing body should understand that investing in cybersecurity is money well spent. You should consider periodically (e.g., annually) reviewing your comprehensive and updated HIPAA Security Rule risk analysis with your governing body to increase the chances that your organization will be willing to provide a sufficient budget to support appropriate security initiatives.

Educate Your Organization

To keep cybersecurity issues fresh and relevant, your entity’s leadership should devote some modest amount of time to the topic at regular team and organizational meetings and via internal communications. Although your organization may believe that annual security training sessions are sufficient to prepare for possible ransomware attacks, those sessions are likely little more than check-the-box compliance initiatives that probably are only minimally effective. To make best practices stick and to create
an overall culture of security, workforce members need to hear repeatedly from their own colleagues about how the threats are real, how mistakes can happen, and how they can personally help keep the organization secure.

Accordingly, you should consider devoting five minutes of each internal meeting to cybersecurity topics. Additionally, your information security team should consider distributing periodic emails or other types of communications to your workforce highlighting cybersecurity topics or providing practical pointers.

Customize Your Cybersecurity Plan

Cybersecurity is not a one-size-fits-all affair, nor is it seamless and consistent. Furthermore, one-and-done training is unrealistic, as noted above. You should be prepared to make numerous updates to your entity’s systems, to apply patches as they are released (and not when they are convenient), and to provide security training and announcements on the fly.

Stress Compliance over Routine

Entities should prepare themselves for some degree of pushback from employees when they are asked to change long-standing or cherished practices. Entities may need to remind their employees that security takes precedence over convenience and routine. Notably, your organization’s leadership—who often are the targets of cyberattacks themselves—should not be immune from updated or modified security requirements.

Support Internal Reporting of Concerns

Human error is ubiquitous, and it is remarkable in its diversity. It is a fool’s errand to think that human error can be prevented entirely. It can, however, be mitigated. While technical education and training regarding information security can help reduce the frequency of errors in the first place, maintaining a nonpunitive culture of incident reporting can help reduce the scope and severity of incidents overall. Indeed, an ideal security-supporting culture will provide routine training, welcome good-faith over-reporting of concerns, share the results of investigations, and make data security a point of organizational pride.

Identify Legal Counsel in Your Insurance Policies

It is increasingly common for cyber insurance policies to limit coverage to a certain list of panel attorneys. Although this can help ensure that the counsel involved with incident response is well-qualified, it often means that entities are forced to work with an entirely new legal team during an inherently challenging time. If you have an established legal relationship that you would like to use in the event of a data incident, be sure that your policy covers you when using your preferred counsel. This important coverage detail should be negotiated as part of plan enrollment and renewal. Trying to negotiate choice of counsel while an incident is unfolding is likely to be both fruitless and a waste of already strained resources.

Minimize Use of the Term Breach

Because the word breach has a specialized meaning under HIPAA, entities should only invoke that term when they have completed the breach risk assessment process.29 Until you determine a HIPAA breach has occurred, consider using alternative phrases such as data incident, security situation, or information event. Alternatively, consider qualifying your use of the term. For example, you may refer to an incident as a potential breach.

Share Information with Others in Your Industry

Keeping secrets about cyber incidents can facilitate subsequent attacks. To combat this, organizations exist to enable entities to share information with one another to collectively reduce risk. Consider joining your relevant information-sharing group to exchange information and learn from peers. For example, visit the Information Technology - Information Sharing and Analysis Center (IT-ISAC) site.30

Review Government Guidance

Ransomware significantly impacts the government given its effect on the economy. As a result, you should consider incorporating several government guidance documents into your incident response plan. At a minimum, if your entity has not already developed a response plan, you may choose to use these resources as references during a ransomware attack. Information is available from the following federal government agencies and departments:

  • Cybersecurity and Infrastructure Security Agency31
  • Federal Bureau of Investigation32
  • U.S. Department of Health and Human Services33
  • U.S. Secret Service34

Take Advantage of Free Information

An overwhelming amount of no-cost information and tools exists to assist with cybersecurity, such as those from the government sources listed above. Additionally, numerous private consultants offer resources that may be used without purchasing any specific services. Of course, free does not mean cheap. To the contrary, entities should be aware that many free tools are very likely to recommend practices or initiatives that require significant capital expenditures. Nonetheless, effective planning requires that your entity invest in cybersecurity. Therefore, if nothing else, the use of free resource checklists may be used to support capital expenditure requests to your entity’s governing body.

Conclusion—Living with the Ransomware Threat

Ransomware attacks are likely here to stay, and no one is immune. Entities can and should take various preventive and mitigating measures well before any event. Fortunately, one of the best tools for this exercise, the HIPAA Security Rule risk assessment, is required by law for both covered entities and business associates. Unfortunately, OCR’s first audit suggests that the majority of these healthcare entities are not paying sufficient attention to information security. Putting aside the risk of enforcement penalties, failure to maintain a robust and current risk analysis likely will result in several significant lost opportunities and inherently greater susceptibility to a ransomware attack as well as other forms of cybersecurity incidents. In other words, ransomware issues should be treated as a chronic condition.

Nathan A. Kottkamp is a partner at Williams Mullen. He helps hospitals and health systems, academic medical centers, behavioral healthcare services providers, senior care providers and retirement communities, specialty physician practices, post-acute and long-term care providers, and others navigate federal and state healthcare regulations and contend with various operational challenges, including medical staff matters, ethics concerns, and complaint response.

To find this article in Practical Guidance, follow this research path:

RESEARCH PATH: Healthcare > Health Information Privacy and Security > Practice Notes

Related Content

For steps to take to minimize the risk of a ransomware attack and reduce the harm that a successful attack can cause, see


For an explanation of privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) impacting employers and the group health plans they sponsor, see


For Practical Guidance resources addressing HIPAA, including detailed practice notes, checklists, templates, and specific clauses, see


For a discussion of enforcement of the privacy rule, Security Rule, Breach Notification Rule, and the transaction rule under HIPAA, see


For a collection of prominent recent guidance and enforcement actions undertaken by the Office of Civil Rights at the U.S. Department of Health and Human Services regarding HIPAA compliance, see


For an example of a breach notice for a group health plan subject to HIPAA to notify affected individuals about an unauthorized use or disclosure of protected health information (PHI), see


For guidance in drafting a breach notice for a group health plan subject to HIPAA to notify prominent media outlets about an unauthorized use or disclosure of PHI, see


For a checklist that addresses items for covered entities and their business associates to consider in complying with HIPAA for PHI that is maintained or transmitted in electronic form, see


For a sample policy for a group health plan to use to satisfy HIPAA privacy, security, and breach notification requirements, see


For an overview of the legal rules and best practices for the disposal of PHI under HIPAA, see


For assistance in creating an agreement to require parties to comply with HIPAA, see


For a template of an agreement between an employer health plan and a third-party service provider that will handle PHI on its behalf, see


1. BM Global Technology Services, IBM Security Services 2014 Cyber Security Intelligence Index (May 2014); IBM Security, IBM Study Shows Data Breach Costs on the Rise; Financial Impact Felt for Years (July 23, 2019)2. IBM Security, Cost of a Data Breach Report 2020 (July 2020)3. The Daily Beast, Colonial Pipeline Hack Result of Single Compromised Password (June 4, 2021)4. The Wall Street Journal Online, A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death (Sept. 30, 2021). 5. Ransomware: What It Is and What to Do about It. 6. U.S. Dept. of Justice, Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside (June 7, 2021)7. U.S. Dept. of Health and Human Services, Office for Civil Rights, Fact Sheet: Ransomware and HIPAA (July 11, 2016). 8. 5 C.F.R. §§ 164.400–164.414. 9. 5 C.F.R. § 164.402. 10. Id. 11. 45 C.F.R. § 164.404(b). 12. 45 C.F.R. § 164.402. 13. 45 C.F.R. § 164.408(a). 14. 45 C.F.R. § 164.408(c). 15. 45 C.F.R. § 164.408(b). 16. U.S. Dept. of Health and Human Services, Office for Civil Rights, Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. 17. U.S. Dept. of Health and Human Services, Office for Civil Rights, OCR Announces Initiative to More Widely Investigate Breaches Affecting Fewer than 500 Individuals (Aug. 16, 2016). 18. 45 C.F.R. § 164.406. 19. U.S. Dept. of Health and Human Services, Health Information Privacy, The Security Rule. 20. 45 C.F.R. §§ 164.306(e), 164.308(a)(1)(ii)(A), 164.316(b)(2)(iii). 21. 45 C.F.R. § 164.306. 22. 45 C.F.R. § 164.306(b). 23. U.S. Dept. of Health and Human Services, Guidance on Risk Analysis Requirements under the HIPAA Security Rule (July 14, 2010). 24. U.S. Dept. of Health and Human Services, Health Information Privacy, Enforcement Data. 25. Pub. L. No. 116-321, 134 Stat. 5072, § 1 (Jan. 5, 2021). 26. 45 C.F.R. § 164.316(b)(2)(iii). 27. U.S. Dept. of Health and Human Services, Office for Civil Rights, 2016-2017 HIPAA Audits Industry Reports (Dec 2020). 28. Published at 45 C.F.R. pt. 164 Appendix A to Subpart C. 29. 45 C.F.R. § 164.402. 30. 31. Stop Ransomware. 32. FBI, Scams and Safety: Ransomware. 33. U.S. Dept. of Health and Human Services, Office for Civil Rights, Fact Sheet: Ransomware and HIPAA (July 11, 2016). 34. U.S. Secret Service, Preparing for a Cyber Incident.