AHLA's Speaking of Health Law

Top Ten 2022: Ransomware—Considerations When System Access Exceeds the Value of the (Digital) Assets

AHLA Podcasts

Based on AHLA’s annual Health Law Connections article, this special series brings together thought leaders from across the health law field to discuss the top ten issues of 2022. In the fifth episode, Barry Mathis, Principal, PYA, speaks with Nathan A. Kottkamp, Partner, Williams Mullen, about the steps that entities should take to prepare for ransomware attacks and the main components of any response plan. They discuss the importance of speed when addressing ransomware attacks, considerations involving whether or not to pay a ransom, and navigating OCR guidance. Sponsored by PYA.

Watch the conversation here.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

A H L a is pleased to present the special series, highlighting the top 10 health law issues of 2022, where we bring together thought leaders from across the health law field to discuss the major trends and developments of the year support for a H a. And this series is provided by PPY, which helps clients find value in the complex challenges related to mergers and acquisitions, clinical integrations, regulatory compliance, business value, and fair market value assessments and tax and assurance for more information, visit pya, pc.com.

Speaker 2:

Uh, this is number five in a series of top 10 podcasts with HLA. And today my name is Barry Mathis. I'm with pya and I have with me as a guest, Nathan Ko, Nathan, the you for joining us,

Speaker 3:

Uh, thanks for having me,

Speaker 2:

Uh, the focus today, uh, Nathan, you wrote a great article. I read it a couple of times in preparing for the, the podcast, uh, it's around beware of ransomware considerations when system access exceeds the value of the digital assets. A lot of, a lot of stuff in that statement, bottom line is ransomware here, and there's a way to react to it. And, and you've done a great job of outlining that. So, uh, I'd like to go through that in a conversation with you and where I'd like to start is about, um, just about, about a third, a third of the way down in the article. You start to talk about almost as look, plan on getting attacked, right? It, it happens to us, but having a response plan, right. Having a, a way to, uh, to respond to the attack is paramount in that. And you go through some very specific bullets in there. You want to take us through those.

Speaker 3:

Yeah, absolutely. Well, and, and let me just start by responding to your comment about just being prepared. I mean, I think when, when computer technology was just starting to roll into the health world, it was still a predominantly paper sort of thing we used to talk about, you know, if you ever have a cyber incident, then here's the things that you should do. And we don't talk about if anymore, we talk about what it's gonna look like when, right. And so if you don't have a plan, um, trying to build the ship, as you're trying to sail outta Harbor is the worst way to possibly do it. And so, uh, to that end, we, we try to encourage proactivity and a, as you indicated, what I've done is try to break down the proactive, proactive part into three core, uh, categories. The first one is just the, the basic blocking and tackling preventive types of things with the workforce, putting all the technology aside. I think if you just, you know, pull that the random person, when they think of cyber stuff, they're probably think of the hacker that just sort of breaks on into the system. The ma the majority of things, aren't that sophisticated. They happen through just gullibility. They happen through people, multitasking and fatigue and all the rest of the things. And it's really not that hard to con people clicking and giving away the keys to the kingdom. So reminding staff and doing it more than just once. I mean, we've probably all been through that, you know, once a year, half hour training, you just sit there and click through and you could be, you know, half asleep when you're doing it. That's not enough. And we need to be incorporating, uh, security issues and awareness throughout the year throughout different levels of an organization. The C-suite needs to be involved. The board needs to be involved and say, this is important. Um, and not just say, well, the tech guys have got it covered. That's not enough to keep you safe. The second piece of it is the, well we've done the best we can on, on the preventive and they still get in. So what are we gonna do? What, what is the impact in terms of, um, what data is accessed, what can be done with the data? Um, one of my, my favorite examples that sat as it was, was a, uh, was a small medical practice that, that had its own server. So it wasn't keeping things in the cloud and sure enough, it did maintain a backup of all its data, but the backup was on the same server. So when the hackers got to the server, everything was gone. So, you know, you kind of laugh at that after the fact. And you're like, how could they be so stupid, but it's, it's you to do that? You think you're just creating a copy, but where is your data? Do you have, um, let's say you're a hospital. Do you keep your patient data as well as your billing data, as well as your personnel data, all in the same network and all in the same, you know, file place. Those are, are examples of three, three things that you would wanna segregate. So if your patient data gets hit, will you at least be able to know how to get your collections and, and how to make payroll and all those sorts of things. Um, and, and obviously there's other technical structural things that you'd want to do. I'm not a tech guy, so I wouldn't even try and venture into that, but just to be sure that the design folks have an appreciation for how your data works, where your data lives, and if you get an attack, what's it gonna look like operationally. So again, think of it in advance

Speaker 2:

And, and on the advisory side, a lot of times we'll, we'll represent that. And as you know, there's compliance requirements to test downtime procedures and to test, uh, backup recovery and disaster recovery procedures, that sort of thing. And a lot of people get hung up on that. Well, how do you test that? So I like to tell people just a good old fashioned tabletop, exactly what you just said, sit down with the, the key, the key players, subject matter experts of those functional areas. And just talk through if this happened, what would we do? So very good points.

Speaker 3:

Yeah. And I'm also a huge fan of those. Um, I'm sure they have a better name than this, but the, sort of the secret shopper sort of emails. Um, one, one of my favorite stories to tell is I have a friend, um, I won't disclose anything further than that. Um, who like me likes to think of himself as very well qualified in this area. And, uh, he was multitasking while watching a webinar or sitting into some huge, uh, conference call or something like that. And sure enough, he clicked on the, uh, the test message from the, the security team. And here he was an expert in cybersecurity with the yellow screen of death saying, you will not be able to access your data until you take a 10 minute refresher course. Yeah. So it, it, it happens to the best of us. Yeah.

Speaker 2:

Always gun it for us who do it as a profession. But, uh, what you're referring to is the email phishing testing. Right. So yes, yes. Thank you. We do those campaigns and believe me, I know being a cyber security professional, and at risk management that there's people that target me just to see if they can get me. Right. Yeah. And back, go back to you. The very first thing that you said, you know, on the here today, it's the simple things. It's that social engineering it's that, that dropping of the guard that you're clicking something, uh, that's most often the way that these bad actors get in the facilities, not that they can't do it from a technical, but, uh, a lot of times we make it way too easy for'em by just being relaxed.

Speaker 3:

Yeah. I'd say human foul bit is the biggest flaw of any system. There you go. There you go. Um, so the, the last of those, those three things to be planning ahead for is just, um, really a strategic question. And sometimes, um, the plan changes based on the nature of, of the incident, but it's the biggest strategic your question is, are you willing to pay in the first place? And if you're gonna be willing to pay, do you know how you're gonna pay? Do you know how to assemble the funds? Does somebody in your organization know how to deal in Bitcoin and things like that. And if you're not gonna pay, which is, you know, to follow the recommendations of FBI and other Asian, all fine and good, but what are you gonna say to your patients? What are you gonna say to your vendors? What are you gonna say to others who rely on you? Who may just think, well, you're a big rich hospital. You know, you're not willing to pay a million dollars to get back up into operations, or, you know, you can imagine all sorts of different scenarios, but you just need to consider what that is going to look like. And so if you have an attack, one of the first sets of folks that you wanna bring into to, uh, the war room, if, if you will, is your PR folks, you want to be able to have good messaging about this because it's gonna be a bad PR situation, no matter what the, the attack actually looks like.

Speaker 2:

So, so let's talk about that for a second. Um, we assume we've got the attack. How important is it? And again, it is maybe rhetorical, um, the speed in which we react in that plan. And, and I've got an example of one that happened about four or five days ago that I can share with you, but I wanna get your opinion, how, you know, how important is it in terms of the overall outcome with regard to the speed in which we identify and do something about it?

Speaker 3:

Uh, I, I think in this day and age, it's critical, you got a 24 hour news cycle and you got people with their phones and Twitter and TikTok and all the rest of these things. It takes 10 seconds to identify that you can't get your medical records from your patient portal to having to ping around the, the globe through, you know, an upset tweet. Um, I'm not gonna say that that's always gonna happen, but I think you need to be prepared that by the time the figures out what's going on, it is very possible that the rest of the world also knows that you've

Speaker 2:

Been hit. So in reality, if, if this happens and it's at that point, you start to call everybody together to go through this. You're too late. It's, it's really a matter of that plan, that team, those connections, you know, it's kinda like pull on the fire alarm, all that has to be in place, be tested and ready to go when it happens. Otherwise it's, it's the outcomes just not gonna be as good.

Speaker 3:

Uh, absolutely. Again, as I said, the worst time to develop a plan is when you're implementing it. And that's, that's something that we see over and over, uh, with our clients. And it's really unfortunate because a lot of this stuff is not it's frankly, not rocket science to come up with the plan to know who's gonna be responsible for this or that. And no plan is perfect, but if you don't even have the fundamentals down, it's gonna be a disaster in terms of response.

Speaker 2:

And, and in my opinion, sometimes it's the very simple things around the plan up front that can make the difference. And, and the example that I'll bring up. And I, I shared this with you before we, we jumped on, uh, Jacksonville hospital in, in Florida, uh, was recently hit, uh, with an advanced persistent threat attack. Uh, the group, uh, came at them with a ransomware. Um, I wanna think it was the, uh, let's see the, the, the me za, if I'm pronouncing it correctly, which is fairly, you know, uh, rampant, uh, it's the group actually calls their, their victims, their partners and, and their, their adventures, but the it director there. And, and I'll mention his name, cause I think it's worth mentioning his name's Jamie Hussey. Um, you know, he just reacted quickly just basically disconnect, you know, saw what was happening and just kind of cut ties, right? So stopped the bleeding, so to speak. And in doing so likely avoided a huge, huge incident, but it was the, it was the fact that they had already planned for that. And, and it goes on to talk about the fact that they had their downtime procedures in place. They had a plan in place and they simply reacted versus trying to figure out what's going on and figure out what to do. It was more of a reactive response. So let's talk about that for a second. Uh, you mentioned all the components that have to be in there, but going through that reactive response, what are the things, can we, we look for, to put in there to make it again, positive outcome as possible?

Speaker 3:

Well, I, I think, um, and these evolve and, and frankly, I'm not quite the expert on the plan because the nature of what I do as an attorney, I'm usually getting called in when there isn't a plan. Right. Um, so I'd certainly defer to, to folks like you, but, but I, I don't think it's, it is incredibly and I, and I know with great certainty that there are plenty of examples out there of sort of the core components for your plan. And it's just a matter of trying to implement it. But, you know, at the absolute basic level is knowing what backup data you have available. Right. So how quickly can you get back on online? The next piece is who are your decision makers, who are your alternate decision makers? So if your plan says only the CEO is allowed to make any decision and, and your CEOs on a flight to Japan and can't be reached for the next 13 hours, well, you got a problem with your plan. Right? Right. So think of backups, just like with the data you want the team to have redundancy and backup, and you want people to work, be working together, but at the same time, you don't want so many people that you can't actually operational and act operationalize something. Um, so I think those are, those are key things. And again, making sure that you've got your public relations or media, those folks, they need to be involved as the decisions are being made, because they cannot in this fast media, social media cycle, they can't be learning about it later. Right. Because then it's too late. Right.

Speaker 2:

So let's talk about probably the biggest controversy around once the attack has happened. Uh, and let's say the, the ransomware is now in place, right? They're, you're, you're actually being ransom. The big question that always comes up, no matter what client I'm working with is to pay or not to pay. Now we know what the FBI's position on it. And, and I, I, and worked alongside of them in those conversations and it's always gonna be don't pay. Um, but I happen to know clients who have disregarded that said, look, you know, we've, we've got a business to run and we've paid, what, what is your thoughts around that pay or, or not pay? And, and do we always get our keys? And, and is it always okay if we do pay,

Speaker 3:

Um, if we get this right, you and I can probably go to Vegas, do some, uh, some serious betting and, and make our millions, um, because the, the problem is you just never know. Um, I don't think any two ransomware attacks are the same. Um, I mean, even among the same actor using the same technology, they may not do the same thing for every client. The problem here, and we talk about this a little bit in the article is this is like one of those perfect examples of game theory, right? So if, if, if the criminals are gonna want to be successful with their ransomware attacks, they have to, at some level be paying, sorry, giving back the data, giving back the access when people pay. Cause if they don't do that, then the industries, those that are getting attacked, the victims of this will just simply say, well, I understand that it doesn't matter if I pay. I'm not gonna get it back anyway. So forget I'm not gonna pay. Um,

Speaker 2:

So for them, it's a business and, and the business, it would be a bad business model to simply Welch on all your deals, right? If, if you got a deal on, somebody pays, the only way your business continues is that you continue to provide those

Speaker 3:

Key. That's right. And so one of the things that some of these folks do is they lower, um, they lower their hurdle for themselves as well as for others. So you say, well, maybe what we'll do is we'll make it fairly easy. We'll tie up some of these data and we're not gonna ask for 10 million bucks, we're asked for$500,000,$10,000. I mean, she think of a number that's relatively small, still a big number. And if you're doing it over and over and over again, you're gonna get rich off of it. Um, but if you're a large hospital and somebody says, I want$50,000 to get your data back, man, that's right. You could have your, the trash bender costs more than that in, in the year. Right. So that's part of it. The other risk of course, is do you become a, a repeat target? So if you, if you pay the$50,000, then how do you know that you haven't left something or that they haven't left code in, in your system. Right. So that thanks for the$50,000 today, we'll see again in may, and then we'll you, again,

Speaker 2:

That that's an excellent point. And I'll go back to what happened to Jackson, uh, uh, in Florida, uh, the Ms. Bonanza. Now, I don't know if it happened there, but I know the advanced, persistent threat group that, that pulled off that attack or tried that attack are well known for something called double extortion. And there's a couple of things in double extortion. And, and again, you and I have talked about this kind of offline. Um, one of those is they, they go in, uh, undetected for a while. Maybe they mess with your backup load. Maybe they leave a back door in. They, they, they poke a hole in your RDP, whatever, so that they can come back later. But most often, if they can get in undetected for a while, they're going to extort data. They're going to take data out if they possibly can. Uh, and then they'll launch the ransomware and then once the ransomware's done, maybe you've paid, then they'll come back and say, well, now we've got your data. We'll sell that on the dark web for what we can get it, or you can buy it back double extortion. So it, it, uh, one of the things the FBI does and, and I I'd love to hear your comments on this is they, they, they have a very good sense and database of, of what might happen based on who's attacking you. You know, if that advanced, persistent threat group coming from North Korea, if it's coming from Africa, if it's coming from Russia, if it's coming from China, each of those kind of like have an Mo and they can tell you in some cases, right up front, based on who it is, you're never gonna get your keys. There's no point in paying. And in some cases, it's that business opportunity you're talking about where you, if you do pay likely you'll get your keys and, but they may come back again.

Speaker 3:

Yeah. Well, and I think that's right. And, and I, I do think that the FBI, I can be helpful in these situations. Um, as a lawyer, I I'll just point out that I, I think it's interesting, the FBI, they don't want you to pay, but they're not that definitive in their guidance. They're their, um, their website says the FBI does not encourage paying a ransom. Um, so thanks for the double negative there guys. Um, but it is true that they do track these things. Um, and it's not just because they care about you. They're actually, of course, very concerned about national security and other things like that. So for them to be, uh, familiar with all the threat actors that are out there and the mechanisms that they're using that helps at the national level, but advantage of that sort of self-serving nature of, of FBI and this kind of thing. And, and yeah, they may be able to, to give a lot of guidance. Um, you know, I think that's also one of the things that, um, at, at a minimum, I would say from what I understand, don't pay initially. I mean, that's, even if you're considering pay paying, give it a little bit of time, sometimes there's negotiations and I've been in these where it's like, well, we'll pay this, but not that, and this that there's like back and forth and back and forth. So if you don't pay immediately, um, assuming that your plan allows you to do this, assuming that you've got sufficient backup, that you can, you know, sort of stumble along as opposed to smooth operations, um, it may very, it may pay off to reach out to the FBI, um, take a day or two to, to figure things out because they may say, oh, yes, well, this is this actor. And here's what we know about'em. Um, and they could either save you from paying or they can, you know, get you back in business fast or whatever the case may be. But, um, but I, I do think that this is one of those situations where, um, the FBI and, and other agencies too, they're not the enemy. They're not trying to catch you. Um, they, they are your friend, they are colleagues in this whole mess. Um, so, you know, don't be thinking to them like the, the police on the side of the, of trying to catch speeders, they're not gonna ding you for, well, it depends on how stupid and, and pathetic your, um, your security system is. Um, then they'll give you some grief, but, you know, if, if you're doing responsible computing and you get hit, they understand that that's, that's just the reality of things. So I do think that, um, the FBI can be a real, real asset to, uh, to entities if this kind of thing happens

Speaker 2:

Well, uh, along with the FBI in terms of oversight, and in this case, maybe compliant responsibility, this is, this is the other, you know, controversial topic, depending on what side of the fence you're on. Um, and, and maybe we can kind of start to, uh, to, to close out our conversation around this. We're not gonna solve it, but I'd like to get your opinion on it right now, the OCR basically says, if you're a victim of ransomware, regardless of, of what you find or what you do, uh, it's report as a breach right now, those of us who are in, in the advisory audit compliance side of that, we would like to say, well, as is there actually been evidence of an exfiltration? Uh, and, and in some cases, I think what OCR says is, well, I don't know. Can you prove, can you prove that? And it's a very difficult thing to prove, especially with this double door, with some of these bad actors, but love to get your opinion on that thoughts around that from a legal perspective.

Speaker 3:

Yeah, absolutely. This is one that I have directly confronted with, uh, with clients in the past. And it is a tricky thing. The OCR, um, I wanna be very clear cuz this is a, it's a nuanced situation with the OCR and, and the breach thing. What the OCR has said is that you are required as a covered entity to treat any ransomware incident as if it is a potential breach, which then puts you into the four, uh, required inquiries in the breach notification rule. What they have not is you have to conclude that it is a breach. So the problem there is, there are no bright, there are no bright lines in the breach notification rules. So you have to sort of take all the facts, need to throw'em in a, in a common bucket. And the, the inquiry is, is there a probability, low level probability that there has been a compromise and it is presumed to be a compromise. And if you don't know what happened to your data, it's very, very hard to overcome that presumption. So I, I only say that in that you it's, it's sort of like the FBIs, um, you know, we do not encourage, right. I think the OCR is saying treated as a breach. Um, but it's not impossible to think of a situation where you don't treat it as a breach. Um, but if you, if you're gonna go that route, you better have a really solid risk assessment, very well documented and be ready to get an inspection by the OCR, because somebody does find out about it. You did make the wrong call and now you're late in getting the notification out. So I, I, I think it's frustrating to think, oh my gosh, here, we've already been hit with, uh, the ransomware attack. And now we've gotta go through all the OCR compliance. And if it's a big one, then we know we're gonna get inspected and all the rest of the stuff, that's just the way it's gonna be. I don't, I don't see the OCR backing off on the at anytime soon,

Speaker 2:

Completely agree. I, I, I think they've set the presidents there that there's no room. If you can at least pass a desk audit for knowing where your data's at, what, what data is at risk and, you know, your procedures and policies that go along with that, you're likely not gonna win an argument that it wasn't a breach or that you can prove it sort of thing. So completely agree with you there. Um,

Speaker 3:

Can I, can I offer, can I offer one silver lining please?<laugh> um, in my experience, and this is all subject to change OCR, um, is actually one of the agencies that I believe is way more interested in compliance than they are in being punitive. So in if you have an incident and as long as you were being reasonable in preventing the incident, and if, if the, the hackers beat you anyway, OCR is not gonna come down on you hard where they're gonna come down on you is where you didn't prepare for it, where you didn't train your folks where you don't have backups, where you didn't do a security risk assessment, then they're gonna be punitive. But if you are behaving as you should, you should survive the OCR audit without great, great incident.

Speaker 2:

But to your point, if you're that client who has an outfacing server unpacked on outdated operating system with, with a open remote connectivity, and that's how the bad actors got in, then you, you deserve whatever OCR gives you

Speaker 3:

And they will give it to you.

Speaker 2:

Yeah, absolutely. Uh, well maybe that's a, any parting words. Uh, we're just about at time here. Uh, any, any last minute or parting words, if, if you could take anything away, please take this.

Speaker 3:

Yeah, I, I think more than anything is we think of this as being, uh, so much of a technical issue. And I, I, I think it comes down to people as much as anything, uh, training your folks is the single best thing you can do and having the leadership of the entity, whatever it is, being sure that they're devoting appropriate resources to cybersecurity. Those are the two human aspects of this that you can in control, can't control the rest, but at least you can do that. So that, that would be my strongest recommendation to folks.

Speaker 2:

Very good. Couldn't agree with more, uh, we've been talking with, uh, Nathan co count with Williams and Mullins who wanna thank you, Nathan, for joining us today that this has beens number five, uh, beware ransomware, uh, considerations system access exceeds the value of the digital assets. Uh, Nathan, once again, thank you so much, uh, hope to see you around.

Speaker 3:

Thanks, Barry. Great to do this with you.

Speaker 1:

Thank you for listening. If you enjoy this episode, be sure to subscribe to ALA speaking of health law, wherever you get your podcasts to learn more about ALA and the educational resources available to the health law community, visit American health law.org.