Ban Ransomware Payments? HIPAA & HITECH Act Blog by Jonathan P. Tomes

The first death attributable to ransomware has reenergized the call to ban ransomware payments. An apparently misdirected ransomware attack against the Düsseldorf University Hospital in Germany that caused its IT systems to fail may have resulted in the first ransomware-related death, but German authorities are still investigating the incident. Germany’s senior public prosecutor, Ulrich Bremer, related:

A 78-year-old patient could not be transported to the intended university clinic in Düsseldorf due to the hacker attack but was driven to the neighboring Wuppertal. She may have died due to the delayed emergency care. Now the public prosecutor’s office in Cologne is investigating because of negligent homicide. As for the hacker attack itself: After the police had informed the hackers, who allegedly came from Russian-speaking countries, about the wrong sender, the perpetrators sent a digital key to unlock the server.

The ransomware gang had pledged not to attack hospitals or medical facilities during the COVID-19 pandemic. See Steve Alder, HIPAA Journal, “Hospital Ransomware Attack Results in Patient Death,” at https://www.hipaajournal.com/hospital-ransomware-attack-results-in-patient-death/.

In the United States, the federal government has already effectively banned some ransomware payments. Early this month, the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an advisory, available at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf, declaring that facilitating ransom payments to anyone on “OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria)” would likely violate OFAC regulations. If a victim violates these sanctions, the consequences could range from civil fines to criminal charges.

The Department of the Treasury outlined the rationale for this ban as follows:

Ransomware Payments with a Sanctions Nexus Threaten U.S. National Security Interests

Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.

Department of the Treasury, Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, October 1, 2020, at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.

That is certainly a double kick in the behind—being out of the ransom paid and then facing a civil fine or a criminal conviction with its attendant penalties. And how many health care professionals know of this list effectively blocking some ransomware payments?

Determining who is on the list is apparently not easy. The former director of the United Kingdom’s Cyber Security Center said recently, “If a victim pays a ransom to someone subject to U.S. Treasury sanctions, that’s unlawful. First, there’s a practical point: How are you supposed to know whether your attacker is on the U.S. sanctions list? And second, what’s the policy outcome here? Why is it OK to pay someone who isn’t on the U.S. sanctions list, a ransom for a criminal act of extortion?”

And even if you access the list, how do you know that the ransomware cybercriminal is on it? The gang is hardly going to send you a name and address where to mail the check. Maybe a very good cybercrime investigator could figure it out, but that may take more time than you have with your electronic health record and all other electronic systems locked down until you pay the ransom.

Banning all ransom payments would certainly stop this problem. It wouldn’t matter whether the ransomware gang were on the SDN list or not. But would a total ban be wise? Yes, it might cut down on ransomware attacks. One expert thinks that it will:

“Organizations are currently providing cybercriminals with a multi-billion dollar revenue stream―which is entirely funded by the public, albeit indirectly―and it makes absolutely no sense to permit this situation to continue,” the commentary read. “The best way to protect organizations from ransomware attacks and to protect individuals from the consequences of those attacks is to make it illegal for organizations to pay ransoms. This would stop the attacks, and stop them quickly.” Emsisoft Malware Lab, Blog, “Enough is Enough: Woman’s death highlights the need for a ban on ransom payments,” September 1, 2020, at https://blog.emsisoft.com/en/36948/enough-is-enough-womans-death-highlights-the-need-for-a-ban-on-ransom-payments/.

Another expert thinks that a ban won’t stop ransomware attacks: “I don’t know that [banning ransom payments] is necessarily an answer,” he said. “I was thinking about this the other day: If we make ransom payments illegal, as a cybercriminal I’ll just charge you a ‘consulting fee.’ It’s not going to be an extortion payment―it’s going to be a consulting fee to help you get your network to its previously operating condition. Or I’ll just use intermediaries or shell companies or whatever. There are ways around that legally, and they’re criminals―they don’t care. They’re already breaking one law; they don’t care if they’re breaking a second law.” Sophos senior security advisor John Shier, quoted in Albert Culafi, TechTarget, Search Security, “Should ransomware payments be banned? Experts weigh in,” October 8, 2020, at https://searchsecurity.techtarget.com/news/252490335/Should-ransomware-payments-be-banned-Experts-weigh-in.

Cybereason CISO Israel Barak believes that, instead of banning ransomware payments, a standardized series of guidelines for organizations to follow could be more effective. “While the negative implications of ransom payments are well known―we’ve been discussing them for years, there’s nothing new, we all know why it’s bad to pay ransom―I think categorically banning it and taking away professionals’ discretion in this manner can actually have a boomerang effect,” Barak said. “I think we need professionals to have the ability to weigh the pros and cons in each specific case, and decide based on a generally agreed-upon criteria what the right thing to do is. I think instead of categorically banning it, we need to establish guidelines and norms that professionals in the space will be educated to follow and adhere to.” Id.

As a health care attorney, consultant, and former prosecutor, defense counsel, and judge, with significant exposure to criminal cases, I agree with the second expert that a ban will not eliminate ransomware attacks. And significant risks to health care operations and to patients certainly exist if ransom payments are banned. Could a clever ransomware gang, knowing that it would not receive a ransom payment, still lock down the system of a publicly-traded health care company and short its stock, profiting when shareholders sell and the price drops? So let’s leave whether to pay a ransom up to the professionals (with expert legal, technical, and/or law enforcement input as needed).

Although not exactly guidelines and norms, the Veterans Press sample Ransomware Policy (available to premium members―if you are not a premium member, email jon@veteranspress.com for a Word copy) would come close and make it difficult for the HHS Office for Civil Rights (“OCR”) to sanction you for willful neglect if you had a ransomware breach.

To update that sample policy, add the following:

In the Assumptions portion:

  • Some ransomware payments are illegal under federal law, and making such a payment can carry civil and criminal penalties.

At the end of the Policy portion:

  • The [Security Officer][Other Official] is responsible for determining, if possible, the identity of the ransomware attacker and whether that person or entity is on OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”), is another blocked person, or is covered by a comprehensive country or region embargo (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria), and for so advising [management][other].
  • If not prohibited by federal law or other law or regulation, the [CEO] [Board of Directors] [Owner] [Other] will, after appropriate research and consultation, determine whether to pay the ransom after weighing the cost of the ransom against the harm that would occur if not paid.

Hopefully, you will never have to decide whether to pay a ransom, but such attacks are currently increasing, health care entities are primary targets, and you need to be prepared. You must include ransomware attacks in your risk analysis, have a policy on how to prevent and handle them, enforce the policy, and train your workforce members on the policy. Good security may prevent a damaging attack, and good backups may mitigate any harm. As always, thank you for reading my blog posts and buying our HIPAA compliance books and other tools at www.veteranspress.com, and if you have a ransomware issue, email me at jon@veteranspress.com.

On October 18th, 2020, posted in: HIPAA Compliance Blog by