Steve Gravely on the WannaCry Ransomware Attack and What it Means to the Healthcare Industry

Steve Gravely focuses his practice in the areas of health law, information privacy and cybersecurity and emergency preparedness and response issues for critical infrastructure industries. He has represented healthcare organizations for over 20 years in a full spectrum of healthcare legal issues. Steve is certified by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in the United States (CIPP/US).

A massive cyberattack hit a number of hospitals world-wide, affecting over thirty in the United Kingdom and causing more than ten hospitals to suspend service . Hospitals who fell victim to the WannaCry ransomware experienced system-wide lockouts, delays to patient care and function loss in connected devices such as MRI scanners and blood storage refrigerators. Though ransomware attacks on hospitals and healthcare providers have been on the rise, the scale and reach of WannaCry ransomware is unprecedented. Steve shares his knowledge and thoughts on what this means to the healthcare industry at a Q&A conducted by LIFARS.

LIFARS: Healthcare organizations and hospitals usually have security systems. Couldn’t this protect them from being victims of a ransomware attack?

Steven: No. Cyber attackers use phishing attacks to defeat common security features. A phishing attack uses an e-mail, often impersonating a company executive, to prompt employees to open an attachment that contains malware. Once the attachment is open, the malware is launched and rapidly spreads through a network. The WannaCry malware has reportedly exploited a known weakness in Microsoft’s operating system. Microsoft issued a patch, but the National Health Service and many other affected computer networks had not installed the patch.

LIFARS: Was the National Health Service specifically targeted?

Steven: It does not appear that the NHS was specifically targeted by the cyber criminals. Rather, the incident seems to have been a non-specific, blanket attack which explains why so many different types of companies were affected globally. This is very concerning since it means that US healthcare organizations could be hit at any time by the malware.

LIFARS: Must a ransomeware attack be reported under HIPAA?

Steven: The Office of Civil Rights(OCR) recently issued guidance on ransomware for HIPAA covered entities. The OCR guidance states that every ransomware attack should be presumed to result in a reportable breach unless the victim can prove that the attackers did not access any PHI. Whatever evidence the organization relies upon to conclude that a breach did not occur must be retained by the organization in the event that OCR wants to examine the evidence at a future date.

LIFARS: What are your recommendations for healthcare organizations? What should they do about the threat of a ransomware?

Update your Incident Response Plans:
Every healthcare organization should be preparing for the inevitability of a cyberattack, including but not limited to ransomware, just as organizations prepare for the wide variety of threats today. Last year Medicare amended its Conditions of Participation to require that every participating provider engage in “all-hazards” emergency preparedness and response activities. While this had been mandated by federal grants for years, all-hazards emergency preparedness is now a mandatory requirement to participate in Medicare and other federal healthcare programs. Cyberattacks are a recognizable and definitive hazard today.

Test your plans: Healthcare organizations should conduct ransomware specific exercises that include IT, clinical staff, incident response personnel and C-Suite executives. Tests should address the responsibilities and viewpoints of all those who could be impacted during a ransomware event.

Prepare for litigation: Class Action lawsuits are common when data breaches occur or if a breach is suspected. Every cybersecurity incident should be treated as a potential lawsuit. Involve knowledgeable legal counsel as early as possible during a cybersecurity event.