Two Hot Ransomware Items to Watch

The healthcare sector continues to be a target of cybercriminals. An area that continues to emerge is ransomware as a service (RaaS), which is basically the adoption of a Software as a Service model: it is subscription-based and "enables affiliates to use already-developed ransomware tools to execute ransomware attacks." In turn, an affiliate pays a portion of the recovered ransom to the RaaS provider or the RaaS developer, such as Conti, which pays the deployers a wage.

As the U.S. Department of Health and Human Services (HHS) relayed in its June 2021 report, the top five ransomware actors providing RaaS and impacting the global healthcare sector are as follows: (1) Conti RaaS Operator(s); (2) Avaddon RaaS Operator(s); (3) REvil/Sodinokibi RaaS Operator(s); (4) Mespinoza/Pysa RaaS Operator(s); and (5) RaaS Operator(s). In light of this, it is not surprising that the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have alerted the public, via Alert (AA21-265A), to the increased use of Conti ransomware in over 400 attacks.

In light of the increase in ransomware attacks, what are the ramifications of not involving law enforcement (the FBI has a reporting portal) and simply paying the ransom demand? To find out, keep reading!

Ransomware Attacks and Ransomware Payments
There are two fundamental consequences of not involving law enforcement when a ransomware attack occurs: (1) the duty to notify individuals may be delayed if a governmental agency so instructs; and (2) paying the ransom may result in potential criminal liability.

First, CISA-FBI Alert (AA21-265A), which was revised on September 23, 2021, specifically highlighted Conti and the following ways initial access to networks is gained:


Once access is gained, the cybercriminal or its software can execute the ransomware attack and hold the data hostage in return for ransom. Importantly, just because the ransom demand is paid does not mean that the entity will receive all of its data back in its original form.

Since 2016, HHS has recommended contacting the FBI in the event of a ransomware attack, which qualifies as a security incident (45 C.F.R. § 164.304). A breach under the HIPAA Rules is defined as "...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI." See 45 C.F.R. § 164.402. Once the ransomware attack has been discovered, the entity must comply with 45 C.F.R. §§ 164.400-414, which require reporting to HHS, to affected individuals, and to the media (where 500 or more individuals are impacted in a single event). Coordinating with law enforcement may delay reporting to individuals and the media.

In addition to potentially delaying select requisite notifications, involving the FBI may also help in avoiding potential civil and/or criminal liability imposed by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) for paying ransom to an entity with a sanctions nexus to the Specially Designated Nationals and Blocked Persons List (SDN List). On September 21, 2021, OFAC issued new guidance.

Some key take-aways include:

It is hard to deny that keeping data private and secure is becoming increasingly complex due to the surge in and sophistication of cybersecurity attacks. It is also an area that cannot be ignored. Implementing the aforementioned items is critical. 

Conclusion
Cybercrime is not going away. Implementing appropriate policies and procedures, as well as utilizing a prevention, detection, and correction approach to cybersecurity compliance, is essential to ward off these types of attacks. Conducting an annual risk assessment, training workforce members, and ensuring comprehensive policies and procedures are in place are some of the elementary, yet critical, items that can assist in warding off ransomware attacks and mitigating the risk of a business, including a hospital, having its operations screech to a halt. In sum, healthcare sector participants, which range from providers to business associates, should stay abreast of this evolving legal landscape, as well as the alerts and guidance being issued by government agencies.


Rachel V. Rose, JD, MBA, is an Attorney at Law, in Houston, TX. Rachel advises clients on healthcare, cybersecurity, securities law, and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer's Top 25. She can be reached at rvrose@rvrose.com. www.rvrose.com