AHLA's Speaking of Health Law
AHLA's Speaking of Health Law
You’ve Been Hit With Ransomware, Now What?
Barry Mathis, PYA, speaks to Elizabeth Hodge, Akerman LLP, about how health care organizations should respond to ransomware and other cybersecurity incidents. The podcast gives practical tips on how organizations can prevent such incidents, and what to do if your organization does get hit with a ransomware attack, including the importance of cyber insurance and whether you should pay the bad actors or not. From the Privacy and Security Risk Compliance and Enforcement Affinity Group of AHLA's Health Information and Technology Practice Group. Sponsored by PYA.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
Support for A H L A comes from p y a For nearly 40 years, p y a has helped clients find value in the complex challenges related to mergers and acquisitions, clinical integrations, regulatory compliance, business valuations, and fair market value assessments and tax and assurance. P y A is recognized by Modern Healthcare as one of the nation's top 20 healthcare consulting firms, and by inside public accounting as a top 100 accounting firm. Learn more@pyapc.com.
Speaker 2:Hello, my name is Barry Mathis. We want to thank you for joining us today with this, uh, podcast. Uh, I am with p y a, as you just heard in the opening message. I have with me a good friend and colleague, uh, Betsy Hodge, uh, from Akerman, L l p. And together we are going to talk a bit about, now you've been hit with ransomware, it's in the place you've got it. What do you do next? What are the decisions you make and what are those steps? So, uh, Betsy, I'm gonna turn it over to you to kind of tell a little about yourself and your background, and then I'll do the same and we'll jump into this conversation.
Speaker 3:Well, thank you Barry. As Barry mentioned, I'm Betsy Hodge with Akerman, L L p. I am a member of our healthcare practice group in our West Palm Beach office. I'm also a member of AKERMAN'S Cross Practice Group, uh, data Privacy and Security team. And, um, most importantly, a proud member of the A H L A Health Information and Technology Practice Group. So I represent healthcare providers and, uh, employers with self-insured health plans and, um, advising them on HIPAA compliance and compliance with other, uh, state, federal and international privacy laws and assist them, uh, when they do have data incidents. So, very good. Glad to be here today speaking with you, Barry.
Speaker 2:Thanks. That's you and I have, have, have enjoyed, uh, speaking, uh, together on several occasions. I think the last time we, we spoke together, OCR was there with us. So that was a nice treat to hear their version of some new things coming out. Uh, as the principal of IT, advisory consulting of P Y A, I have responsibility for, uh, compliance, anything to do with IT assessments, compliance, hipaa, and within that realm, it is the cybersecurity piece that I also, uh, work with a team of wonderful folks at p y A to one help prevent this sort of thing. And then, unfortunately, if you do have an attack, we're a great resource for helping you navigate through that. And here's what I would say. If you brought us or anybody else in, and you've, you've been hit with ransomware, you've got the darn thing. Usually what happens is someone from it gets a call and says, Hey, I've got this weird message on my screen that says I can't reach the database or the system error number, and I call it, it spends some time anywhere from 40 minutes to two hours on average. And they discover you've got ransomware. Meaning that either one or all in some cases of your EHR or supportive systems have been ransom. That is, they have been encrypted. You can't get to them or use them until you pay somebody some Bitcoin or other cyber currency or cryptocurrency to unlock those. Well, here's what I would tell you When you call us, we would say call your lawyer. So with that, I'm gonna let Betsy start the conversation cause that's the first call that we would make and we recommend anybody makes, make sure you call the attorney first.
Speaker 3:Well, thank you for that plug, Barry<laugh>, I appreciate it. Um, yes, you should call your lawyer and I to elaborate on Barry's point, you should identify your, the lawyer who would assist you in the event of a data incident before you have a data incident. Um, just and to further follow up on that point, you should identify all of the vendors that you're going to need to assist you with a data incident before you have the incident, because it can take some time, precious time to try to negotiate, um, those engagements, um, when you, when your business is locked down. And every second can count in trying to get you one figure out what happened, what you're going to do, and get you back up online. So, um,
Speaker 2:Betsy, it, it
Speaker 3:Also, and another important, oh, I'm sorry Barry, go ahead.
Speaker 2:It almost sounds like they were to have a plan. Am I right? I mean, it's a lot of things. Maybe what we're saying is you should actually have a plan to respond to this type of event.
Speaker 3:That's exactly right. Barry, you should. Um, and I do wanna mention one other very important call, and this ties back into your plan in case you have an incident, is to know who your cyber liability carrier is and to have their number on speed dial in the event you have an incident. And, um, to go further with the plan, um, piece you should know with your cyber carrier what assistance they will provide in the event of an incident. Um, and you should know what your responsibilities are under the po under the policy before you have an event. Um, are they supposed to be your first call? Will they provide you with incident response counsel? Will they provide you with, uh, forensics team to assist you in iden identifying what's happening, um, and how to, uh, mitigate any harm? So, um, you should have a little phone list of, um, all the important people to call in the event of an emergency. So, and I would, and that should be part of your plan. It
Speaker 2:Should be part of the plan. So we, we know the topic is you've been hit with ransomware, now what? But let's give us two or three minutes to back up. Let's talk about the plan. Mm-hmm.<affirmative> for a second. You heard Betsy talk about the call list, which is absolutely part of the plan. You heard Betsy talk about the vendor's list, which is an absolute part of the plan. And not just a vendor's list, but you know, uh, hopefully your organization or the organization that you either support or as a client of yours has completed a business impact analysis. And your incidents response should tie to that business impact analysis. Obviously, in a hospital, that primary emr, everybody gets that. If, if Epic down or SIRS down or meditechs down or Allscripts down or CPSI down, whatever it is, they're gonna want that back up fairly quickly. But a lot of these systems simply won't work the way they did before. If some of the other ancillary systems that feed into those do interfaces don't work. So make sure that interface piece of it is part of that plan. But in your call list, I would include get to know your regional F B I. Um, we work with a lot of clients through some of our annuitized services. Uh, we have one called Overwatch that is kind of outsourcing your IT risk management that allows you to respond quickly as part of that program. And, and we in, we insist that our clients have some kind of face-to-face or if not video conference with both their, their regional and even their local field office for the F B I. You don't want your ransomware response should you get attacked that way to be the first time you talk to'em. There's a lot of questions and you don't know each other. And they're gonna ask for things upfront. They're gonna ask for the data. Are you logging your data? And we're gonna talk about that as we go forward about the ransomware. But absolutely have a plan. Complete your risk analysis. Uh, you know, we have the recent, we'll call it a wave. I think there's several publications, call it a wave. It was as a, you know, as a result, CSA updated their advanced persistent threat, um, notification on, uh, the req virus or req, however you wanna pronounce it. And, uh, the ransomware and, and you had, you know, I think it was University of Vermont Health is just now reporting a month after they got hit, they're coming back up. I think Skyla or Skyline Rather Medical, they, they took them two months to finally come back up. And it wasn't that it took them two months to get their primary, it was two months to get all those ancillary systems tied in. So that plan going forward, uh, to be able to respond quickly is so, so important. But now, Betsy, we've got it. We, uh, how do you suppose that got in? What's your guess you and I working in this industry, if we had to put money on it, what's your guess? How did that, that ransomware get into our facility?
Speaker 3:I am going to go out on a Lin Berry and I am going to say a phishing email
Speaker 2:Exactly,
Speaker 3:Uh, was yes,
Speaker 2:It is the number one. And, and I don't care what periodical you read or what, what, uh, specialist you talk to. The absolute number one way, the vulnerability to get any type of malware, especially into a hospital or any facility, is through a business email compromise. Someone clicked on something they should not. Now, what a lot of people don't know about this recent wave of attacks is there were a lot of people who were not affected. In other words, they had good server patches, they had good, um, behavioral based endpoint protection that was able to stop the first wave of that attack, which then resulted in bringing in the ransomware. Uh, but there were some that had a few holes in gaps there. And the number one hole is unpatched systems, old legacy systems sitting open on the network. Um, and people tend to, to focus on that hardened shell, the firewall. There's not many attacks these days that you hear about that got through the firewall. They got through because Barry was in the middle of the lunch. He was reading emails while he was trying to do work, and something came across and he clicked it. And sure enough, it launched a piece of malware, which then launched another piece of software that brought the ransomware in. So you are right, business email compromised. So somebody clicked it. Now our servers are locked up, our first calls to our lawyers. Now you mentioned earlier, Betsy, and I'll, I'm gonna turn the microphone back over to you, that the cyber insurance, and, and you and I have talked about this before, how important that is. Mm-hmm.<affirmative>, there are so many people that don't find out what their cyber insurance truly covers until they need the insurance. And, and to find out there are some cyber insurance policies. The underwriter requires you to call their attorney first, even before you call in house counsel or before you call anyone else. So I'll, I'll let you talk about that a little bit. Cause that's an extremely important part. And that's right in your wheelhouse that cyber insurance, the exclusions and, and how you interact with those attorneys and how it could be good or bad outcomes.
Speaker 3:So thank you Barry. And as I mentioned before, you should, as part of your planning, you should know what your cyber insurance require requires of you in the event of an incident. And you should have that mapped out as part of your incident response plan. So every, so that when something happens and everybody is scrambling trying to figure out what's going on, you don't forget to contact your, uh, cyber carrier because you don't want them to be able to say later on, you didn't timely notify us, there is no coverage for this incident. Also, it, you should understand the conditions of the coverage, as Barry mentioned. Are you required to use, um, their panel counsel, um, to assist you, uh, with the incident response? Are you required to use their forensic vendor panel to assist you in responding? And if and the time, if you would like to use someone other than who is on the panel, either counsel or, um, the forensic vendor, the time to try to negotiate for the lawyer or vendor of your choice is before something happens. Um, and you may be able to do that as, um, part of negotiating the coverage for your policy. So understand what's required of you, um, and then timely, um, make those contacts, uh, so you don't, um, forego coverage because you forgot to make a phone call.
Speaker 2:So, so I'm gonna throw something controversial and I'll use a real world example because, and, and, and, and here's the thing. You know, we work with insurance companies and, and I'm often asked and talk with, uh, underwriters and insurance companies in, in different circles and, and they understand my position on this and I understand their position, the job they have to limit their risk. Um, and, and I think the best way an insurance company can limit their risk is doing good due diligence upfront, which I know, uh, there was a shift, I wanna say about five years ago, maybe four years ago mm-hmm.<affirmative>, where you could renew your cyber insurance com pol policy by simply filling out a few questions and sending it on today, not so much. Uh, when you get that new insurance policy from Lords of London for your cyber insurance, there's pages and pages of it, stuff that you gotta fill out, support and bring in. And I think that's appropriate. I think that's the right thing to do. I think any underwriter has the right to say, before I sign on to cover you, I need to know, are you doing the basics? Have you done a risk analysis? Do you know where your E P I G is? Are, are you encrypting your devices? I'd like to know what your policy procedures are to be comfortable to even write the policy. Where it gets challenging for me is when an insurance company says, you have to call me first. And I'll give you an example. This was a, a former client in another life, uh, right before I came on p y a about five years ago that had a ransomware attack. It was a JBoss ransomware attack. They were down for several weeks, uh, cost them a lot of money in the very first call they made with their insurance company. And the insurance company sent in a forensic investigator. They sent a team of people, they set up camp there and they ran that whole event from one end to the other. Well, when this particular entity filed for some coverage, for some loss during that downtime, they had a significant denial in that because the insurance company pretty had pretty much had every piece of evidence they needed to say, you were missing some things here. You weren't doing what you're supposed to. So therefore, and I think that sort of thing is kind of privileged, you know, in these sorts of situations. I think if you have an in-house council or an an outside council that those are things that should come through discovery, not necessarily just kinda laid out there. So that's where I'm a I I push back a little bit and, and I understand the insurance company mm-hmm.<affirmative> And their liability and risk that are associated with it. But, you know, I'll throw throw that out there to you. Is it always best to have them there first? And I think the point you made is you may not have a choice if you negotiated a contract that says that, then you're throwing yourself under the bus if you don't at least, you know, adhere to that contract. And I'm saying early on, maybe when you negotiate your cyber insurance com policy and you're shopping around is that you leave the option that, you know, maybe you gotta hire a, an attorney that has specific in that and agree to it. But having your own attorney, I think is, is far more advantageous for an outcome than, than just using the insurance company's attorney.
Speaker 3:I agree that you should, you need to comply with what your policy says so that you don't, um,
Speaker 2:Violate
Speaker 3:Inadvertently for go coverage. But, um, absolutely, if you have outside counsel that you have been working with that advises you on, um, your cyber security, I absolutely reach out to them too. Okay. Um, and you know, some clients will even, they will call the f they will call law enforcement first, even depending on the circumstances. I now, they may not have called counsel first to, um, before making that decision. Um, so I mean it, you can't always say that we are in, we're going to call the carrier first. Um,
Speaker 2:Right. I
Speaker 3:Typical, I think most people call outside counsel or in-house counsel first. And
Speaker 2:I see a good
Speaker 3:Rule and then figure out how to proceed.
Speaker 2:I, I thank you. I say a good rule for anybody, Betsy, is, is call coun, call your counsel first and, and let your counsel things. Here's a copy of my cyber insurance policy for you to have and advise us on. And then secondly, Hey, I'm about to call the F B I, are you okay with that? And then listen to counsel's advice. I mean, that's it. Um, yes. Now I would say this, when I say call counsel and, and you and I talked about this just as recently as this week when I go to buy a piece of property or when I go to sell my property, I make sure I've got a good real estate attorney involved. I want a real estate attorney that's sold thousands and thousands of properties. So for that reason, that's, that's specifically what they do. If, if you're looking for counsel in or out, I don't, I wouldn't recommend my real estate attorney, you know, managing your breach. It's not gonna turn out well. And I certainly wouldn't, you know, recommend a, a counsel that's done one breach or that has two years experience in there. You're gonna need some experience in this area. Cause this is some very touchy ground. Um, and we're gonna get into here in a little bit even, you know, even things that, that people on this call are listening to this podcast may not be aware of in terms of the federal government giving guidance on, on foreign currency and how it affects the, the rest of, of the world. So, and whether or not you pay your rents and which we're about to get into. But, um, so Betsy, is that, is that something you a, a agree with in terms of, um, uh, the experience of the council? Does it, does it matter Or is, is a lawyer a lawyer?
Speaker 3:I, well, to your point, um, just like you would not use a real estate lawyer no matter how experienced that person was to assist you with a data breach, you know, nor would I, you know, use a, um, lawyer well-versed in, um, responding to data breaches, um, to do a large real estate deal. So yes, experience in the right area matters,<laugh>,
Speaker 2:Right? And, and in some cases they don't have that a lot of times, you know, um, and I know there's, there's, there's times where in-house counsel they kind of take the ball, but you, you should get involved. And, and if you are counsel, you know, uh, I've worked with a lot of different attorneys where, you know, in-house counsel simply brought in the specialist as co-counsel. And, and if so, in terms of planning, if you're an in-house counsel and you're listening to this podcast or you have an in-house counsel and you're listening to this podcast and you know, I mean, you do a gut check and you say, listen, this is not something that I wanna go cutting my teeth on. I've never done any of these. Then as part of that plan, I would also have that relationship with, with another co-counsel to say, if my client has a breach or if I'm the client, if my in-house counsel has a breach, I'd like for us to reach out to somebody that's got experience. It really matters in terms of how well the outcome is in, in, in the end. Uh, I, in my experience in watching this, this play out in several occasions. So, um, alright, so here's
Speaker 3:The, and Barry just, oh, I'm sorry. I was just gonna make one further point on that. For those entities that are public entities and have to go through an RFP process to engage outside council, you know, you wanna do that beforehand. Um, you know, to our point earlier, you should be thinking about all of this beforehand. So you have all of the key players lined up in the event you need them and not go trying to find them or engage them, um, after something happens.
Speaker 2:Time is of the essence in, in these situations. Yes. And a lot of the more sophisticated ransomwares, the bad actors have learned that they can apply the pressure by putting fuses on these. So you'll see the countdown on your ransom screen, your notes, it's a, it's an electronic, you know, screen in most cases that you would go to. And it'll tell you you have so many hours or days and, and then we're gonna destroy the data and you'll never get it. So being able to react quickly is very, very key. So all of this we've set up to so far is start now and either confirm you have this or start the diligence to get this kind of stuff in place and reach out to professionals to help you reach out to those that you're comfortable with. If you don't know anybody, call me. I'll be glad to point you to who I think is the best. And, uh, we'll, we'll get you started there. So now the, the next thing, let's, let's move into, we've got the ransom. There's two things happening. One, uh, and I'll save the best for last. Do we pay or not pay? Let's save that for the in. Cause that's always do, do I pay the ransom or not pay the, I've had so many, so many restaurant conversations around that. But let's talk about is it a breach? I mean, I've got a ransomware and right now, you know, OCRs kind of default messages. Well, of course it's a breach. You were supposed to protect it. You didn't protect it. It's a breach. But there are, you know, three provisions out there for us under the omnibus rule. And the third one of those says, if we can show and prove that whomever was exposed to this accidentally has, has not done anything with it. We don't expect anything bad to happen. They didn't exfiltrate it. And, and all that was gained was finances. In other words, we just paid them their million dollars and we were able to prove. Now I understand that there's a lot between that proof that goalpost is very, very, the distances are are long, but let's say we could, is is that an option for somebody to say, look, can I even fight this and say, I don't think I had a breach.
Speaker 3:I think you can in the right circumstances with the right documentation. And, and we've kicked this around, uh, Barry before, and I think not only do you have that third exception to the definition of a breach, but also in the, uh, ransomware guidance that OCR issued, in which it stated the default position that, um, a ransomware attack is a breach. Um, they do say that if you can, even if you don't fall in any of the three exceptions, if you do the risk assessment, the for perhaps more factor risk assessment, um, and can determine there's a low probability of compromise, um, then you may be able to take the position that a ransomware attack is not a breach. However, um, OCR R does require that the assessment that you do has to be thorough, completed in good faith, and you have to reach conclusions that are reasonable given the circumstances. And I think that ties back to the point you're making, that if you can document, if you have the proof, if you have the artifact that the data was not, um, compromised, was not exfiltrated, it, they just came in, they locked it down, they just want their money, you paid them, they released, they gave you the key, and they're out of your system. In that case, um, assuming you've got sufficient documentation and artifacts, you may be able to say, we did not have a reportable breach under OCR R'S definition,
Speaker 2:And you hit the nail on the head. That's the key. The artifacts, the evidence and ocr and rightly so. Uh, they're not gonna believe anything your IT department tells them. So you having your IT department write an extensive report, which, which basically comes up to conjecture. It says, we, we don't think there was a breach because we did all these things. That's not gonna work. For example, if you had a business email compromise and you're using Office 365 and you currently do not have your logging turned on for 365, there's, there's no way you're gonna be able to prove there was no exfiltration if they're, you know, if it was an email that sent it, that sort of thing. You're not logging, you're not tracking it. If, if you're not managing those ports, if you're not looking at the size and packets that are going across, if you can't say this is the average number and these are the locations that files are transferred to, and be able to show, you know, through an Estes station where you swear to the fact based on your reports and logs and add those logs in there, then that's the kind of stuff that OCR is talking about. In my experience, they're, they're not talking about someone describing the environment and, and talking about all the good things that they're doing and, and, and just filling out an affidavit, saying an affidavit saying, I guarantee you nothing left that's not gonna fly. They wanna see those artifacts. And I think that's key. What you, the point you made is absolutely key. And I agree with you, if you can do it, if you can do that, it's a, it's a rare thing these days because let's face it, you know, logging is overhead, you know, systems that do that kinda loggings additional money and, you know, healthcare, we, you know, we haven't tr you know, we haven't spent that kind of money in those areas. It's not a, it's not a high value in terms of the rest of the enterprise, um, by default. But again, maybe that's one of those things you put in your due diligence as you create your plan, you ask some basic questions. And that is, and you can ask'em at the macro level, Hey cio, hey, C t o, hey IT director, Hey ciso, if we had to prove without opening our mouths, if we duct taped our mouths and had to prove to anybody that we are tracking all of our information and we can tell you if something leaves this organization regardless of where it's going, could we do that? And if the answer is no, then you do an assessment evaluation. Because in sometimes, you know, in some cases the cost of doing that outweighs, outweighs, you know, some of the impact. But I'll just tell you, a system being down for two months, you know, uh, lakeside the system being down for a month, you know, Vermont, uh, that's a costly, a costly thing. Mm-hmm.<affirmative>, even with the cyber insurance, just so just on your community and your patients, that's a costly thing. So, so consider that. So let's, let's toss out the next big grenade. And that is,
Speaker 3:And Barry, if I Yeah, go ahead. I'm sorry. If I could, could I circle back on the point you were making about logging, um, and the cost benefit analysis of how much logging you do and for those, um, out there whose clients are currently doing logging great. But one thing to think about now is we're seeing that the ransomware attacks are changing, they're evolving. And so whereas before, you might have someone, you know, in the good old days where they were just interested in a relatively low level ransom amount, they would come into the system, not be in there very long, launch the ransomware, you pay the ransom, um, and they get out or you don't pay the ransom, but they move on to the next, uh, victim. But now we're seeing bad actors being in your systems for much longer before they launch the actual ransomware attack. And so you may need to think about, do you need to lengthen the window for the, your logging capability to be able to demonstrate should something happen, um, that the bad actors during that period of time, they were in your system before they launched the, ran the ransomware that they did not exfiltrate data. So that's, and that goes highlights another point that you need to constantly be aware of how the vulnerability, the threats are changing and you need to adapt your, um, defense and safeguards appropriately,
Speaker 2:Right? So you, you've exposed a whole nother thread. Let's pull on that one a little bit. I like this, the bad actors, the ransomware, it has evolved. It's not like it was before. They're, they're well organized. You've, they've got, they've all got mascots and names and some of them make sense when you say the panda advanced persistent threat group hackers, you think of China, and that's exactly who it is. North Korea's got one, by the way. North Korea has upped their activity here lately. They've got a lot of things going on and they all react differently. And that's one of the reasons you can reach out to the f fbi. You want to reach out to the fbi, they know all this stuff. They can look at your ransomware, they can look at the ransom note and know who's attacking you. And some great advice that the FBI I can give you early on is whether or not you can expect to get your keys if you pay the ransom, which we're gonna talk about paying the ransom at the very end. But these ransomwares that come in these days, they're not as easily detect behavioral based, uh, endpoint protection is a must. They'll come in fragmentations, they'll come in little bits of piece of software that may not detect a dictionary type endpoint protection, and they call other software in, much like the refi or ransomware did. They'll call these things in. So they're, it's not, it's not as easy to detect them as it was in, in the past. So from that perspective, they've all changed. And you're right, in most cases, the bad actors have been in there for quite some time. And, and they don't just sit there in the old days. They just sit there, let time pass to kind of throw you off the scent. They're active. And you know, especially if they detect that you're not doing a lot of monitoring, cuz they can look for certain evidence within your system that says, oh look, they have, you know, they have this type of monitoring system, we'll sit quietly. But if they don't see that, they'll move around inside the system. If they can find your backup and somehow, you know, mess with your backups and you're not checking those or testing the restore capabilities, one of the things they'll do is they'll sit and, and mess with your backup, uh, strings for months at a time. Because the first thing you're gonna do if you decide you're not gonna pay the ransom, is well, we'll just go ahead and start our restore. You go to do the restore and find out that there's been a corrupt file out there for two months and you're gonna have to go back three months to do a restore. And you're like, well, that's not an option. So now you're back to pay or not paying the ransom. So they're very smart, very sophisticated. They no longer simply do a hack. They do campaigns, and those campaigns involve multiple layers, especially for the big bad actors. You're talking about the dragons, the pandas, the spiders, and that's, you know, Russia and China, North Korea, um, South Africa and some other, or, or North Africa, some other places. So those, those folks are no longer, it's not a, it's not a, you know, 15 year old in the basement eating Twinkies and drinking Mountain Dew, you know, like it was in the eighties. It it is, it is corporate organizations that make a lot of money doing this. And to your point, if you haven't updated your response plan, if you, if you're, if you're sitting here in within the sound of my voice in this podcast and you say, well, Barry, we we did that four years ago. Okay, well, you need to look at it again because the environment's changed. You know, you may not, you may not have the same steps in there that, that, that can help you as much as the current. And, uh, talk to somebody about the current bad actors and the advanced persistent threat groups that are out there and update your, your policies, procedures, your plans around the reaction to a ransomware accordingly. Ready for the last grenade? We got a few minutes.
Speaker 3:Let's do it.
Speaker 2:All right. I'm a, I'm a former C cto O my job as a CIO is to keep that system up. I understand from the C F O and the C E O and the board of trustees, that system goes down. It, it's a bad thing. So when somebody says, tell me, you know, give me a million dollars or I'm gonna have your system down for three months, I'm writing the check. I mean, that's just, that's who I am. It's where I am. But I know that flies in the face of the F fbi. I, and, and Scott aba, I, I've got his book right here, the Secret to Cybersecurity, uh, wrote a great book and and he would argue with me because he towed the line for the F fbi. I, even though he's retired, it's a great guy. Um, and we've had these conversations, but still, if I'm the C I O and the hospital's gonna be down for months, and I can avoid that one, I'd wanna know who my, my attackers are, and I'd want the F B I to at least let me know that I'd wanna know what my chances are about getting my keys to unlock my data. For example, the one incident that I told you as, as part of an example earlier, that same hospital that had that, that ransomware attack when they were, when they eventually did pay their ransom and they got their keys, but they only got a portion. So let's say you had 500 systems affected and they give you 20 keys. Well, now you gotta prioritize what 20 do you bring? And then they went away, they didn't ask for anymore, they just went away and, you know, you had to deal with it. So you'd wanna know all that information, but at some point I'm gonna say, do I pay or not pay Betsy? But I think you've got some information on why, why that may not be a good thing from a, from a global standpoint.
Speaker 3:I, you're right, Barry. I the do you pay, do you not pay decision got a little more difficult to make. When, uh, on October 1st of this year, the Department of Treasury issued an advisory on potential sanctions risks for facilitating ransomware payments. Um, and in that guide, the advisory, the Office of Foreign Assets Control explains that companies that facilitate ransomware payments to cyber who happen to be on the OFAC sanctions list, those companies could face liability, strict liability for making those payments. Um, because those bad actors who have, are identified as being on the sanctions list, um, would then use that money to further their illegal goals. So there is now exposure, um, for companies who make the payments or who facilitates. So it's not just the hospital that has the ransomware attack, but if, um, anybody assists the hospital in making the ransomware payment, those entities also have, uh, potential liability under this advisory. Um, so it will be interesting to see if your cyber carrier will be as willing to make a ransom payment, um, or whether some of the vendors that assist in negotiating and making the ransom payment on your behalf, if they will be willing to do that. Um, one thing I do wanna note in the advisory is that, um, if you do make a ransom payment, one mitigating factor that, um, OFAC will take into consideration is did you immediately contact law enforcement about the ransomware attack before you made the ransom payment? And so, um, this might be, you know, another reason to reach out to local law enforcement once you have a ransomware attacked. Um, and in some cases, law enforcement has been able to tell the victim, based on the information you've provided us, we can tell you that this particular bad actor is not on the sanctioned list. So you could go ahead and make the payment and have some comfort that you wouldn't have, um, exposure under this OAC advisory.
Speaker 2:And, and there's other factors too. You and I, again, you and I have discussed this<laugh> on more than one occasion. Um, and, and you know, as, as a, if when I was a CIO for a hospital or a chief technology for a hospital system, that that was kind of where my loyalties, I've gotta keep this system up. Um, now as, as an advisor and a consultant within p y A, what we typically do is say, listen to your attorney because we're not attorneys, you know, we're business advisors. We can tell you the impact of the organization, we can advise you to do a business impact analysis. You know, we, we, we help clients with what does that ramp up look back, you know, look like coming back up with all those systems should you decide not to pay it, all these kind of things. But the attorneys are the ones that advise, pay or not pay. I, I would, I would say never let a consultant tell you to pay or not pay. There's, there's a lot of legal things that can happen there. Now, there, there's another part of this that, that people may not, you and I, you and I both know at least one case where a patient died and was attributed to the fact that the ransomware took the services out, the patient could not get services at one hospital and had to be transferred. And during the transfer, the patient died. And, and, and in that investigation, I think they said the patient might have had certainly an increased chance of living had they been able to be treated that hospital. So they, they, they put it on the ransomware. They literally said the ransomware was part of this patient's death. Not, not exactly what caused the death, but it certainly had an impact.
Speaker 3:That's right. And I think, um, and this case was in Germany, just, um, to let the audience know it did not happen in the us but that does not mean it could not happen in the us especially since we are in the middle of a pandemic. Um, and, you know, we are seeing increases all year. We've seen increases in ransomware attacks. And, um, you bring up a good point, Barry, that as part of, and we're circling back to response plans again, um, as part of your response plan, not only should you think about data security, but you also need to think about patient safety. If your systems were taken offline by a ransomware attack, um, and you have a full emergency room, um, because it's now flu season and we have a pandemic and just your normal caseload, what are you going to do with all those patients? Um, and what if several hospitals in your area were hit by ransomware at the same time? Where are you going? What are you going to do with these patients to be able to safely care for them? And so I think that needs to be a bigger feature of, um, especially hospital's, um, incident response plans going forward if it isn't already.
Speaker 2:Very good points. Very good points. Uh, the last thing I'll, I'll leave with is, is just a re recent update on some, some monitoring and activity on the dark web, listening to the forums of what's going on out there compared to what was happening during, you know, uh, March, January, February and March earlier in the year. Um, and then I'll, I'll turn it s ls u close it out for us with any final thoughts. But, um, you know, ear early on in the pandemic, you know, everybody was nervous that, that this is, we're gonna be, our security's getting relaxed a bit. Our posture's relaxed a bit, and we're gonna get attacked, you know, by these hackers. And, and what happened was there was actually a bit of honor among thieves as you, as you listened to, you know, some of the, uh, forums and, and watched those on the dark web in these areas that have the data auctions. And then even, you know, outside of those areas, just conversation. And what was evolving was people saying, look, you know, granted, we're the bad guys here, but we may need these services. It could be the very hospital that my family needs to go to, because again, these are bus a lot of these folks as, as hackers and, and these organizations, they're people with jobs just like anybody else they go to and they have families, they have houses, they have things to support. They're using a, a very immoral way to do it, but yet it's still their family. It's still the way they support them. So they were concerned about that. So it was, look, let's not attack, let's not bring down the very systems. Now the Ukraine violated that out of the gate. They brought down their children's hospital within just a month or so with a ransomware. But for the most part, that was, that actually happened. Everybody kind of settled down. But further in that conversation, say two or three months later, in the May, may and June timeframe, it was, well, if we're not going to attack, could we at least infiltrate and sit and wait and plan? And, and that was, oh, that's a great idea. There's money to be had here. So while we were still relaxed, they weren't executing the attacks, but they were, they were doing the infiltrations and sitting. And that's why those who aren't monitoring are likely more at risk than those who do diligent monitoring during that time. And, and we saw some people get, I think that's going to continue my personal opinion, Barry Math's opinion is that's going to continue. One from other conversations. Just as recently as this week, the, the conversation is the hospitals now have money. They've been, they've been handed stimulus money. They, there's a lot of conversation about Trump and what Trump's done, and these things that these hospitals handed buckets of money. Now, I'm not saying or agreeing with that, I'm saying that's what's being said in the dark web. And for that reason, these folks have been waiting, have said, look, now it's the time to go out there and do something about it. Now we've had a resurgence, at least in the US and some states. Um, we'll see how that affects it, you know, over the next month or so. But at least right now, I think they've, they're lifting that kind of, that honor among thieves ban, and they're starting to execute some of those attacks. They're not using very sophisticated methods right now. The, uh, the, the, the riot virus or the ransomware that hit is not a sophisticated piece of software. The software that called it in was fairly, um, you know, it's, it's been around for a long time. Uh, it's not quite as easy to use, but once it's in there, it brings in something like the Rio, which is again, a very, you know, not very sophisticated piece of ransomware, but very effective. So I think there's gonna be more of that, and I think it's gonna get, you know, more sophisticated. And I'm, I'm thinking there's gonna be one or two really big ones that are, it's a big giant wave. This I would consider a very small wave. What, what, what we experience in October, I think was a small wave. So my advice is start your diligence now. Create your plan. If, if you had a plan that's owed, revisit that plan. Know what you're gonna do when you get hit. Ransomware unfortunately is like those who ride motorcycles, they'll tell you there's two types of people who ride motorcycle, those who've laid one down, and those who will lay one down. Uh, I think ransomware is the same way. It's hospitals that have been attacked, and then there's those hospitals that will be attacked and not much else.
Speaker 3:Those are some very sobering thoughts. Barry and I have a few, um, to add, based on what we've seen recently. And picking up on your point about dusting off your incident response plan, um, that is even more important now, um, during the pandemic, because the pandemic has changed the way a lot of organizations work. Um, while many of the caregivers in health systems are still there working onsite day in, day out, a number of, uh, other functions have been working remotely. Um, and then other, um, entities in the healthcare space may be able to work remotely entirely. Well, that changes your, um, threat vectors and it makes people more susceptible to the phishing emails that launch these attacks. So, um, I would suggest looking at your incident response plan to see if it still works in the age of covid. Are all the people in that are on your incident response team? Are they still there? Um, we know that early in the pandemic, a number of institutions had to make a lot of layoffs. Um, so you wanna make sure that, um, you, your team, everybody knows who the team is and every, you know, the team can respond. Um, also consider whether your operations have changed and how they've changed because of the pandemic. And do you need to update your plan to address that? What if you have to respond to an incident remotely? Um, I recently worked on, um, an incident with a client that had to do that. Um, some things you may need to, to think about in a quarantine that, or the pandemic that you had not thought about before may include if you need boots on the ground to assist you with bringing your systems back up, can you get those boots on the ground? Um, because of the number of, um, cases, a lot of vendors who assist in this space have more work than they know what to do with. And so there can be issues in getting sufficient support, um, on the ground. Also, you have to think about how travel bans because of coronavirus or quarantine requirements related to coronavirus, may affect your ability to get boots on the ground in from other places. We ran into that, um, on a, a matter for a client recently had never thought that that might be an issue, but it was. Um, and so you've got to, you know, anticipate issues like that. Um, and then I think to your point about the phishing emails, it's so critical to continue with training your employees to be able to identify potential phishing emails and avoid them. Um, it's especially now when you have either people are working remotely and are stressed because of that, or they're in a busy, even busier work environment and are stretched thin. It's so important, um, that they not let their guard down about fishing emails and, um, because that is your first line of defense really, or, and maybe your last line of defense. Um, so it's important, um, that they be aware of that on top of everything else that they're dealing with. And I know that's a huge ask, but the training can really pay off
Speaker 2:It. It is a constant. It, it is a, first of all, I think you and I could do a whole nother hour or two or three on, on, on ransomware in, in the middle of the pandemic and covid. That would be such a good conversation. How do we actually go through this plan mm-hmm.<affirmative>, how do we do this? And what if the F B I says, great, but I'm not coming over there. Send me your stuff. You know, all these kind of things. But, um, on the email, you know, I am, I'm a, um, a realist when it comes to that. And that is, you're never going to prevent someone from clicking something. They, they shouldn't, you can drive the risk out, you can reduce it, but human beings are fallible. We do things that oftentimes we don't want to do. We do them by accident. That's part of our nature. Mm-hmm.<affirmative>, I think there is a responsibility to those who provide oversight and protection that you should expect, that you should have things in place. You should know that somebody's gonna click something like that. You should have the tools and things in the past. But having said, I mean, tools, tools in, in place to prevent or react to that, but knowing that you should stay on the, the training and education all the time. There should be flyers, there should be emails. There should be a good, the one of the best training tools out there is examples when you hear of an infiltration, uh, based on an email compromise, sharing that with your colleagues and, and, you know, don't let it be, you don't let it have us. That's some of the best work you can do. And it's, it's not a quarterly, it's certainly not an annual basis. It, it is a weekly kind of thing. I mean, a daily, in some places, the larger you are, the more susceptible and the higher your risk mm-hmm.<affirmative>. Um, but the business email compromise for, for at least the foreseeable future is going to be the vector we call it, that they're gonna come in for their payloads. So, um, well, Betsy, it's been great. Uh, I wanna thank, uh, a H l A for inviting us to, to sit and talk in this podcast. Betsy, thank you so much for, for joining me.
Speaker 3:And thank you, Barry. It was a pleasure as always.
Speaker 2:All right. I'll see you soon. Um, thanks again. H l a and, and everybody listening, um, get your plan together. It could happen to you.