Warnings of Ransomware Activity Targeting the Healthcare Sector and Potential Sanctions for Making Ransomware Payments

CISA, FBI, & HHS Warn of Ransomware Activity Targeting the Healthcare Sector

On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a Joint Cybersecurity Advisory stating they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”

The Joint Cybersecurity Advisory warns that bad actors are targeting the healthcare sector with malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services. Ransomware is a form of malicious software, or malware, designed to block access to a computer system or data, often by encrypting the data, to extort ransom payments from the victim in exchange for decrypting the information and restoring the victim’s access to the system or data. Some ransomware may also destroy or exfiltrate the data. According to the advisory, bad actors often install malware through phishing emails containing links to malicious websites or attachments. The advisory pays particular attention to TrickBot, BazarLoader, and Ryuk ransomware and includes tips for detecting these forms of ransomware as well as user awareness tips.

CISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and ransomware response measures immediately, including taking steps to back up data. In addition to being a requirement under the HIPAA Security Rule, maintaining backups of ePHI is also key to combating a ransomware attack, because having a backup copy can save the victim from having to pay ransom to retrieve encrypted data. The advisory also emphasizes the importance of maintaining a business continuity plan to help minimize service interruptions in the event of a cyberattack emergency.

OFAC Warns of Sanctions Risks Associated with Making Ransomware Payments

Healthcare providers should also be aware of the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) Advisory, issued on October 1, 2020, regarding ransomware. The advisory alerts organizations to the sanctions risks associated with making ransomware payments to bad actors.

The advisory warns that organizations that make ransomware payments to cyber actors not only encourage future ransomware payment demands, but also may risk violating OFAC sanctions regulations. U.S. persons are generally prohibited from engaging in transactions with individuals, entities, or countries that are on OFAC’s Specially Designated Nationals List (SDN List) or are covered by a comprehensive country embargo (e.g., Cuba, Iran, North Korea). Additionally, OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program. The advisory references Cryptolocker, SamSam, WannaCry 2.0, and Dridex as examples of malware involved in previous sanctions designations.

OFAC points out that not only the victims of ransomware attacks, but also organizations that engage with victims of ransomware attacks such as cyber insurance providers, digital forensics providers, and financial services providers, can find themselves in violation of OFAC sanctions regulations for their involvement in facilitating ransom payments. OFAC advises victims and those involved in addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a “sanctions nexus.”

OFAC recommends organizations implement a risk-based compliance program to mitigate exposure to sanctions-related violations involving ransomware payments, including accounting for the risk that a ransom demand may involve an SDN or a comprehensively embargoed jurisdiction.  The advisory states that OFAC will consider an organization’s “self-initiated, timely and complete” report of a ransomware attack to law enforcement and “full and timely” cooperation with law enforcement as significant mitigating factors when evaluating a possible sanctions enforcement action.

For more information or if you have questions regarding your organization’s cybersecurity response preparedness, please contact Kevin Coy or Erin E. Doyle.