Shocking US Treasury warning puts ransomware victims in a triple-bind: between a rock, a hard place, and a really bad place.

With hospitals and healthcare providers as the prime targets (but certainly not the only targets) for ransomware cybercriminals, an October 1 announcement from the US Treasury department puts the victims of ransomware in an impossible position. The unexpected policy statement https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf gives the victim two options: choose not to pay the ransom and incur the loss of their computer records, public disclosure of confidential information, massive costs, fines, and lost business; or pay the ransom and risk massive costs, fines, loss of business, and potential federal sanctions under anti-terrorism and trading-with-the-enemy laws. To make matters worse, sanctions could also stop your cyber insurance company from paying the ransom even though your policy covers it, and stop the cyber coach service from negotiating a lower ransom.

The federal announcements do offer a token gesture of hope — if you immediately report the situation to the government agencies, they MIGHT give you a lower penalty.

Happy “Cyber Awareness Month”.

Most victims pay the ransom

This position statement is a drastic change from the prior FBI positions. Initially they said “Don’t pay because it encourages the bad guys,” and recently, when it became clear that hospitals and healthcare providers were facing devastating computer losses that the FBI and law enforcement could not prevent or remedy, they added “but it is a business decision each organization must make.” Current industry estimates run as high as 80% of victims OR THEIR REPRESENTATIVES paying the ransom, and most get their data back. This position statement hangs the threat of massive government sanctions over any victim that tries to save their hospital or practice.

So what is the answer?

So what is the answer for the hundreds of healthcare providers and hospitals hit by ransomware annually? Train your people and lock down your systems to prevent compromise in the first place. Cyber security education firm KnowBe4 http://knowbe4.com (no business relationship, but I do follow their webinars) suggests:

  • Security awareness training
  • Internet security products
  • Antivirus software
  • Anti-malware software
  • Whitelisting software
  • Backup solutions

They also offer a ransomware survival kit for free.

My suggestion is to take EMERGENCY action to ensure you have the technical defenses in place to meet HIPAA security standards (including risk evaluation), update policies and procedures, and get everyone trained on HIPAA and cyber security awareness. And do it yesterday.

If you do fall victim to ransomware?

Right now, you are *expletive deleted*. Call your insurance, get a breach counselor, call your lawyer — all in the first five minutes.
