A trifecta of healthcare cybersecurity issues should cause healthcare industry participants to assess their current environments.
Let’s begin with the hospital cyberattack. Recently, Universal Health Services, Inc., one of the nation’s largest hospital chains, had to transition to offline paper backups because a cyberattack effectuated a Distributed Denial-of-Service (DDoS) attack, which disabled the company’s entire national network. This incident serves as a reminder that cyberattacks are not merely technical; patient care can be affected. It is therefore imperative to have a comprehensive Disaster Recovery and Business Continuity Policy and Procedure in place, and to hold “drills” so that workforce members know exactly what to do if a disaster occurs.
Next, it’s been a banner year for hackers. According to IBM’s cybersecurity team, so far in 2020, Sodinokibi, the ransomware strain of choice, has netted over $81 million in payouts. Sodinokibi, as well as Ryuk, are types of “Ransomware-as-a-Service.” Beginning at the end of 2019, ransomware attackers went beyond the mere exfiltration of data and began threatening to release it if the ransom was not paid. “Researchers said that the leap up in ransomware costs are due in large part to some attackers pushing variants such as Ryuk and Sodinokibi harder into the lucrative enterprise space. Here criminals can attempt to extort companies with deep pockets for seven-figure ransom payouts.” Two examples were set forth in a recent Law360 article.
“In June, the University of California, San Francisco revealed that it paid hackers $1.14 million to resolve a ransomware attack and unlock encrypted data on servers within the School of Medicine, while the University of Utah announced in August that it had paid $457,059 in order to avoid having the attackers release student information online, with a cyber insurance company covering an undisclosed portion of the ransom. Neither university disclosed what type of ransomware it had been hit with.”
Yet, there is one important item that cannot be overlooked. On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory. “Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” The take-away: making ransomware payments related to malicious cyber-enabled activities can result in sanctions.
This leads us into the latest HHS-OCR resolution agreements for HIPAA violations. In September, there were three involving Security Rule violations, all of which were in the millions of dollars.
As was stated in the iconic movie, Ferris Bueller’s Day Off, “Life moves pretty fast.” That quote holds just as true now, especially with cybersecurity and cybercriminals, as it did over 30 years ago. Bottom line: keep moving, stay abreast of threats, and constantly review prevention tactics.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.