Last week’s massive ransomware attack should serve as a wake-up call that companies across all industries, including, and perhaps especially, the health care industry, must take the threat of global ransomware seriously.
The WannaCry attack reportedly crippled some of the computer systems of the U.K.’s National Health Service (NHS), forcing emergency room closures and the cancellation of patient appointments and medical procedures throughout the U.K., before spreading rapidly around the world to the computer networks of businesses and organizations in a variety of industries and regions.
The attack on the NHS echoed attacks in early 2016 on U.S. health care providers, including the February 2016 ransomware attack on the Hollywood Presbyterian Medical Center in California, which paid the attackers approximately $17,000 in bitcoin to restore access to patient data and computer systems. The WannaCry attack also comes after the July 2016 guidance from the Department of Health and Human Services Office for Civil Rights (OCR), which stated that the presence of ransomware on a system containing protected health information is presumed to be a breach under the Health Insurance Portability and Accountability Act (HIPAA) unless the affected entity can demonstrate a low probability that the data was compromised, adding the prospect of enforcement actions and penalties for health care providers who find themselves to be the victims of ransomware attacks.
In a recent Clients & Friends Memo, we examine the nature of the threat posed by ransomware, what happened in the WannaCry attack, and three key lessons that have emerged for all businesses seeking to protect themselves:
- First, as ransomware attacks continue to be successful, they will increase in frequency and scale.
- Second, the WannaCry attack might largely have been prevented if companies had been more diligent about implementing basic cybersecurity practices. The malware spread from machine to machine by exploiting a vulnerability in the Windows file-sharing (SMB) service for which Microsoft had released a patch two months earlier (MS17-010, March 2017); systems that had applied that patch, or had retired the outdated SMBv1 protocol, were not infected by the worm. Training staff to recognize phishing emails, i.e., emails that appear legitimate but contain links or attachments that install malware when opened, remains an equally basic defense against ransomware more generally.
- And, third, companies that fail to take reasonable measures to prevent attacks might find themselves to be the subject of costly regulatory enforcement actions or private litigation.