Lily Drake, Wake Forest University School of Law JD ’25
Robert Mueller, former Director of the FBI, once stated, “There are only two types of companies: those that have been hacked and those that will be.”1 Global cybercrime costs are projected to grow by 15% per year over the next five years, reaching $10.5 trillion annually by 2025.2 As if this data were not concerning enough, hospitals and healthcare entities are being targeted with cyberattacks at record rates,3 a trend that intensified during the COVID-19 pandemic.4 This is an issue that needs to be resolved before something truly debilitating happens to the U.S. healthcare industry.
One of the most common forms of attack against healthcare entities is ransomware.5 This type of malware prevents a user from accessing their device and the data stored on it.6 It locks users out of their critical systems until a ransom is paid to the attacker, or until the victim can rebuild from backups the attacker did not reach. Ransomware is particularly detrimental to the healthcare industry because of the critical, fast-paced nature of patient care and the sensitivity of the patient information stored. Among other issues, ransomware has implications under the Health Insurance Portability and Accountability Act (HIPAA).7 Cybercriminals can access patient Social Security numbers, addresses, sensitive diagnoses, and medication prescriptions and dosages.8 As it stands today, there is little legal recourse for hospitals and healthcare entities who are targeted. Not only has this resulted in adverse patient outcomes, but attacked hospitals and healthcare entities are often subject to litigation because of the privacy concerns surrounding HIPAA violations.9
In 2023 the Biden Administration announced a national cybersecurity strategy.10 The strategy called for defending critical infrastructure, disrupting and dismantling threat actors, and increasing security and resilience.11 The year prior, President Biden also signed the Better Cybercrime Metrics Act (“BCMA”) into law.12 This law established requirements to improve the collection of data related to cybercrime.13 It is aimed at measuring cybercrime more accurately and at promoting transparency and cooperation among government entities and victims of cybercrime.14
While this is a step in the right direction, the BCMA does not address the specific problem healthcare entities face. When a hospital is the target of an attack, it may be forced to operate without critical clinical and administrative systems and, if protected health information was exposed, it may also face consequences from the Department of Health and Human Services (HHS) for a HIPAA violation. This puts healthcare providers in a precarious position.
This is a situation unique to the healthcare sector. Typically, when an organization is hit with ransomware, it attempts to access data backups, contacts a cybersecurity team, and begins the process of eradicating the ransomware.15 For this to work, the backups must be stored in a system separate from the primary one, and ideally not writable from the production network at all, because ransomware operators routinely seek out and encrypt or delete any backups they can reach. Only then is the backup still viable when the primary system is compromised.
The 3-2-1 rule is meant to solve this problem. It calls for keeping at least three copies of the data, on two different forms of media, with one copy stored offsite.16 According to Apricorn’s 2022 Global IT Security Report, however, fewer than one in five organizations follow this rule.17 While the data is not specific to healthcare entities, this is still a troubling trend. If a hospital is not following basic backup and data security practices and falls victim to a ransomware attack, recovery becomes that much harder.
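The 3-2-1 rule is easy to satisfy on paper and still leave a hospital with nothing to restore from, because a backup that ransomware can reach over the network is a backup it can encrypt. The Python below is an added example, not code from the paper or from any cited source. It checks a backup inventory against the 3-2-1 rule, verifies each copy against the hash recorded when the backup was taken, and reports which copies are both intact and unreachable from the production network. The `BackupCopy` schema and the sample inventory are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset in a backup inventory (assumed schema for this example)."""
    location: str            # where the copy lives
    media: str               # "disk", "tape", "object-storage", ...
    offsite: bool            # kept away from the primary site
    network_reachable: bool  # writable from the production network
    content: bytes           # constructed stand-in for the backup data


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_3_2_1(copies):
    """Return the list of 3-2-1 violations; an empty list means the rule is met."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies on one media type, need at least 2")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    return problems


def tampered(copies, manifest_hash):
    """Copies whose content no longer matches the hash recorded at backup time."""
    return [c.location for c in copies if sha256(c.content) != manifest_hash]


def recoverable(copies, manifest_hash):
    """Copies a hospital could actually restore from after a network-wide compromise:
    intact, and not writable from the network the ransomware is running on."""
    return [c.location for c in copies
            if sha256(c.content) == manifest_hash and not c.network_reachable]


# Constructed inventory: three copies of one record set. The on-site disk copy is
# reachable over the network and has been overwritten (stand-in for encryption in place).
RECORDS = b"EHR export 2024-01-31: constructed sample, not real patient data\n" * 4
MANIFEST_HASH = sha256(RECORDS)  # hash recorded when the backup was taken
INVENTORY = [
    BackupCopy("nas-01 (on-site disk)", "disk", False, True, b"\x9f\x02\xc4 encrypted-in-place"),
    BackupCopy("tape-vault-7", "tape", True, False, RECORDS),
    BackupCopy("s3-offsite-bucket", "object-storage", True, False, RECORDS),
]

if __name__ == "__main__":
    print("3-2-1 violations:", check_3_2_1(INVENTORY) or "none")
    print("tampered copies:", tampered(INVENTORY, MANIFEST_HASH))
    print("restorable copies:", recoverable(INVENTORY, MANIFEST_HASH))
```

The sample inventory passes the 3-2-1 check, yet one of the three copies has been altered; only the two copies that are offline or offsite and not writable from the production network remain usable. The manifest hash must itself be stored where the attacker cannot rewrite it, otherwise the integrity check proves nothing.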
An additional issue arises from how healthcare entities operate. Providers need immediate access to patient medical histories and individual chart information. If patient data is not backed up properly or cannot be restored quickly, hospitals cannot provide care to patients.18 Fast recovery of data is essential in this industry, which leads many hospitals to simply pay the ransom, even though there is no guarantee that all of the data will be returned.19 Delayed recovery means patients cannot receive care in a timely manner, which directly contributes to adverse healthcare outcomes.
This is a concerning cycle that the healthcare industry finds itself in. The first section of this paper will discuss the origins of ransomware, the seven phases of a ransomware attack, and previous cyberattacks on hospitals. The second section of this paper will discuss the ramifications of these attacks, how HIPAA ties into this issue, the international response to healthcare cybercrime, and the U.S. response. The final section of this paper will discuss the implications of cyberattacks on healthcare entities, and potential solutions.
The Origins of Ransomware
Ransomware is at the heart of most attacks aimed at healthcare entities, so it is imperative to understand how it originated. One of the first documented ransomware attacks was the AIDS Trojan, distributed on floppy disks in 1989.20 Victims’ computers appeared normal until they were locked out of all functions. To regain use of their computers, victims were instructed to send $189 to a P.O. box in Panama.21
As society entered the twenty-first century, ransomware was still used, but not on a widespread basis. This mode of cyberattack did not gain prominence until cryptocurrencies, beginning with Bitcoin in 2009, became a practical payment channel in the early 2010s.22 Cryptocurrencies give attackers a means of receiving near-instantaneous payments with a degree of pseudonymity while transacting outside of regulated financial institutions,23 although blockchain transactions are public and have in some cases been traced and seized by law enforcement. Furthermore, ransomware emerged before the development of formalized Internet law,24 which makes finding feasible solutions extremely difficult.
The Seven Phases of a Ransomware Attack
There are seven discernible phases in the timeline of a ransomware attack. The first phase is reconnaissance and target selection.25 During this phase the malicious actor identifies potential targets for a ransomware attack. They look for factors such as a lack of security awareness, inadequate patch management, lack of monitoring, and weak access controls.26 Each of these is an opening the attacker can exploit, and most trace back to an under-resourced security program: too few cybersecurity professionals, weak oversight, or unfamiliarity with how cybercrime operates.
Once the attacker has identified a target, they move on to phase two, initial access. This is the critical stage where threat actors attempt to gain a foothold in an organization’s network and systems.27 Common vectors are phishing emails, exploit kits, and vulnerable or unpatched software,28 along with exposed remote-access services such as RDP and VPN gateways reached with stolen or weak credentials. IBM estimates that the click rate for the average phishing campaign is nearly 18%, with more personalized attacks being more successful.29
The third phase is lateral movement and privilege escalation.30 Lateral movement is the attacker moving from the initially compromised host to other systems in the network; privilege escalation is the attacker using that access to obtain higher-privileged accounts, up to and including domain administrator.31 Both occur after access to the targeted network has been gained. Threat actors move through the network to locate valuable data, critical systems, and potential targets for encryption.32 Elevated privileges also let the attacker disable security tooling, delete backups and volume shadow copies, and establish persistence, all of which makes the intrusion harder to eradicate the longer it goes undetected.
The fourth phase in a ransomware attack is the deployment of the ransomware payload.33 This phase involves the encryption of the victim’s files and the subsequent demand for a ransom payment.34 Ransomware can be thought of as having several categories at this point. While they are all forms of malware, they each operate a bit differently. The first type is encrypting ransomware. This ransomware searches for and encrypts files, then displays a message asking for payment in exchange for the decryption key.35 Non-encrypting (locker) ransomware blocks access to the target’s machine until the victim pays for it to be unlocked.36 Leakware (or doxware) does not block access to the victim’s information; rather, it silently collects information and uses it to blackmail the target.37 Most contemporary ransomware groups combine the first and third approaches, stealing data before encrypting it so that the victim can be extorted twice. Mobile ransomware targets mobile devices such as phones and tablets. The value of this attack mainly lies in the value of the mobile device itself and not necessarily the data it hosts.38
Phase five is the encryption and impact phase.39 The ransomware uses strong encryption to lock the victim’s files and render them unusable; typically each file is encrypted with a symmetric key that is in turn encrypted with the attacker’s public key, so the files cannot be recovered without the attacker’s private key or a clean backup. The consequences at this point are serious, with data loss and corruption, financial losses, reputational harm, and legal ramifications all possible.40
The sixth phase is extortion and communication. At this stage, the malicious actor establishes contact with the victim and begins extortion. They typically demand payment in cryptocurrency, usually Bitcoin, and set specific deadlines.41 Blackmail is also common at this point. If the victim has proprietary or sensitive data that it does not want released, the threat actor will leverage that against the victim. The victim must realize that paying the ransom carries no guarantee of decryption. Additionally, paying the ransom may be illegal (the U.S. Treasury has warned that payments to sanctioned actors can violate sanctions law) and at the very least funds further criminal activity.
Finally, phase seven occurs at the victim’s organizational level. This is the recovery and mitigation stage.42 Victims begin the arduous process of containing the affected systems to limit the ransomware’s impact. In some cases decryption of the data is possible, meaning the victim can retrieve their data. If not, then the long process of rebuilding begins. If current trends persist, ransomware is here to stay. It is one of the most prevalent types of cyberattack, accounting for 10% of all such attacks in 2021.43 The average ransom demand increased 144% to $2.2 million, while payments rose 78% between 2021 and 2022.44 As long as organizations are held hostage, they believe they have no choice but to pay. This, along with the anonymity involved, incentivizes ransomware perpetrators to continue attacking. Every industry is vulnerable, but the healthcare industry is one of the most endangered.
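Of the seven phases, the encryption phase is the one that produces a distinctive signal on the endpoint: a single process rewriting many files in quick succession with content that is statistically indistinguishable from random. The Python below is an added example, not code from the paper or from any cited source. It runs a simple detection over constructed file-write telemetry: it computes the Shannon entropy of each write and alerts when one process produces at least five high-entropy writes inside a ten-second window. The `FileWriteEvent` schema, the thresholds, the process names and the sample events are all assumptions constructed for illustration; real ransomware telemetry would come from an EDR agent or file-system auditing.

```python
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileWriteEvent:
    """One file-write event as an endpoint sensor might report it (assumed schema)."""
    ts: float       # seconds since epoch
    pid: int
    process: str
    path: str       # path as written; ransomware commonly appends a new extension
    data: bytes     # bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, around 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_mass_encryption(events, window_s=10.0, min_files=5, entropy_min=7.0):
    """Flag processes that write >= min_files high-entropy files inside window_s seconds.

    Returns {pid: {"process": name, "files": [paths in the triggering window]}}.
    High entropy alone is not enough (compressed archives and legitimate encryption
    look the same), so the rate of such writes from one process is what triggers.
    """
    high = defaultdict(list)
    for e in events:
        if shannon_entropy(e.data) >= entropy_min:
            high[e.pid].append(e)

    alerts = {}
    for pid, evs in high.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window_s:  # slide window forward
                start += 1
            if end - start + 1 >= min_files:
                alerts[pid] = {"process": evs[end].process,
                               "files": [e.path for e in evs[start:end + 1]]}
                break
    return alerts


def _pseudo_ciphertext(seed: str, blocks: int = 32) -> bytes:
    """Deterministic stand-in for encrypted output (constructed test data, 1024 bytes)."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(blocks))


# Constructed sample telemetry: a charting application saving plain-text notes, a
# backup agent writing compressed archives once a minute, and a process encrypting
# the records share within a few seconds. None of this is real data.
PLAINTEXT = b"Patient: J. Doe  MRN 000000  Allergies: none recorded\n" * 20
SAMPLE_EVENTS = (
    [FileWriteEvent(100.0 + i, 4101, "charting.exe", f"/records/note{i}.txt", PLAINTEXT)
     for i in range(6)]
    + [FileWriteEvent(200.0 + 60 * i, 4200, "backup-agent", f"/backup/vol{i}.tar.zst",
                      _pseudo_ciphertext(f"bk{i}")) for i in range(6)]
    + [FileWriteEvent(300.0 + 0.5 * i, 6666, "svchost_.exe", f"/records/chart{i}.pdf.locked",
                      _pseudo_ciphertext(f"mal{i}")) for i in range(8)]
)

if __name__ == "__main__":
    for pid, info in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} {info['process']} wrote {len(info['files'])} "
              f"high-entropy files in a 10 s window, e.g. {info['files'][:3]}")
```

Only the process rewriting the records share is flagged: the charting application writes low-entropy text, and the backup agent writes high-entropy archives but too slowly to fit five in the window. Widening the window to ten minutes makes the backup agent trip the rule as well, which is the false-positive trade-off a hospital SOC has to tune against its own backup and imaging workloads.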
This portion explored ransomware in depth. While not every cyberattack against a hospital is ransomware, it is one of the most disruptive types of attack and therefore relevant to a broader discussion of cybersecurity. The focus will now shift to previous cyberattacks and an analysis of how destructive threat actors can be.
Previous Cyberattacks on Hospitals
The vulnerability of the healthcare industry has been showcased several times within the past few years. One of the most notable breaches was that of HCA Healthcare (“HCA”).45 HCA is one of the largest healthcare companies in the U.S.46 In July 2023 over 11 million people were impacted by a data breach.47 Patients in twenty states, including California, Texas, Florida, and Georgia, were affected.48 The hackers gained access to patient names, telephone numbers, dates of birth, gender, patient service dates and locations, and next appointment dates.49 While the HCA attack was not ransomware, it highlights how vulnerable our healthcare information is. The suspected hacker posted the stolen data online and attempted to sell it in order to extort HCA.50 The breach was reported to the HHS Office for Civil Rights (“OCR”), which determined that it was the third largest healthcare data breach ever reported by a HIPAA-regulated entity.51
The aftermath of the breach was equally severe for HCA, and litigation soon followed. Morgan & Morgan P.A. investigated claims for individuals impacted by the breach.52 Plaintiffs alleged that they faced emotional distress from this incident, and now face a lifetime risk of identity theft due to the nature of the data that was stolen.53 While it is unclear at this moment what the results of litigation will be, the attack illustrates the vulnerability of the country’s largest healthcare providers and how cybercriminals are willing to extort them for profit.
Similarly, on January 24, 2024, Ardent Health Services (“Ardent”) filed a notice of data breach after discovering that it had been targeted with a ransomware attack.54 Two months earlier, on Thanksgiving Day 2023, Ardent personnel discovered they were locked out of crucial systems, indicating that a ransomware attack was underway.55 Ardent responded by securing its network, including taking it offline, and launching an investigation with a third-party cybersecurity specialist.56 The attack resulted in a temporary disruption of Ardent’s clinical and financial operations.57 This disruption caused delays in patient care and forced some hospitals to reschedule elective procedures.58
This attack illustrates the disruptive capabilities of ransomware attackers. The attackers purposely waited until Thanksgiving Day to strike, hoping to take advantage of a holiday when fewer security employees were likely to be on duty,59 a timing pattern (nights, weekends and holidays) seen across many ransomware campaigns. Despite the attack being discovered and contained relatively quickly, the attackers were still able to copy documents containing confidential patient information.60 The information leaked may include names, addresses, phone numbers, Social Security numbers, medical treatment information, and health insurance information.61
This trend has not slowed in 2024. On February 21, 2024, a UnitedHealth Group subsidiary, Change Healthcare (“Change”), reported a cyberattack.62 Change processes 15 billion healthcare transactions annually and touches 1 in every 3 patient records,63 making this cyberattack all the more alarming. The Russia-linked ransomware group ALPHV (a.k.a. BlackCat) claimed responsibility for the attack and boasted that it had stolen more than six terabytes of data, including sensitive medical records.64
This attack has been particularly disruptive. For weeks, hospitals, pharmacies and physician practices had difficulty filling prescriptions, submitting insurance claims, and receiving payment for essential healthcare services.65 Two services were especially impacted: electronic payments and medical claims processing.66 This caused a substantial loss of revenue for Change Healthcare and for the providers that rely on it for payment services.67 Change is reported to have paid a $22 million ransom to ALPHV.68 Payment of the ransom concerns cybersecurity experts because, if ransomware perpetrators continue to find healthcare entities profitable, the attacks will only intensify.69
Ramifications of Attacks
Cybersecurity breaches will never be completely eradicated; however, different sectors face different challenges when they are compromised. The healthcare industry is unique because it holds a position of trust in our society.70 Thus, when its vulnerabilities are exposed by a cyberattack, public trust is eroded.71 Researchers studied the societal effects of cybercrime after a ransomware attack struck a hospital in Düsseldorf, Germany.72 The cyberattack was covered by German media, and a subset of residents were surveyed on their reactions.73 This particular cyberattack elicited strong emotional responses and distrust in governmental bodies’ ability to defend against future incidents.74 While a comparable study has not been conducted on a U.S. cyberattack,75 considering the numerous lawsuits against healthcare entities76 and the loss of public trust after COVID-19,77 it is not a stretch to assume the results would be similar in the U.S. A lack of trust in an industry as vital as healthcare is alarming and has the potential to worsen health outcomes for the American populace.78 People who distrust healthcare are less likely to seek vaccinations or engage in preventative care such as check-ups or dental visits.79 This leads to an unhealthier society based solely on a lack of trust, not a lack of access.
The financial impact of these cyberattacks also cannot be overstated. 94% of hospitals report a financial impact from cyberattacks, with more than half reporting a significant or serious impact.80 Of the 82% of hospitals that reported an impact on their cash flow, more than a third reported an impact on over half of their revenue.81 These issues are even more pronounced for rural hospitals. One study measured the impact on hospital operations after a ransomware attack and found that emergency room visits fell 10% after a cyber incident.82 Travel time and distance to a non-impacted hospital were four to seven times greater for rural ransomware-attacked hospitals than for urban ones.83 This illustrates the negative operational and financial impact on both rural and urban hospitals. The monetary impact can be more devastating for rural hospitals because they have fewer sources of revenue.84
According to Comparitech, a cybersecurity research firm, ransomware has cost U.S. healthcare organizations $77.5 billion in downtime.85 Furthermore, paying the ransom itself can be costly. Even though cybersecurity specialists do not recommend paying,86 many hospitals feel compelled or frightened into doing so. The average ransom payment last year was $1.54 million.87 This means hospitals not only have to absorb their own loss of revenue, but also face the potential loss of a large sum of money for the mere chance of regaining access to their data. Finances, however, are not the only issue facing healthcare providers.
John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association, stated, “it’s time to view these types of attacks, ransomware attacks on hospitals, as threat-to-life crimes, not financial crimes.”88 In addition to the loss of trust and loss of revenue caused by cybersecurity attacks, these incidents directly contribute to the loss of lives. In 2020, one of the first reported deaths attributed to a cyberattack took place.89 A female patient was scheduled to undergo lifesaving care at a hospital in Düsseldorf, Germany, when a ransomware attack disabled the hospital’s systems.90 The hospital could no longer provide care, so she was transferred to a facility 19 miles away.91 She died en route to the new location.92 While this incident is touted as one of the first ransomware deaths,93 that characterization may not be wholly accurate. Cybersecurity experts surmise that such deaths are more common than reported, but it is difficult to determine whether any particular death resulted from a delay or shift in care rather than from the underlying medical issue.94
There are similarly tragic stories in the United States. In 2019, a baby was born in an Alabama hospital with the umbilical cord wrapped around her neck, causing severe brain damage.95 Normally, nurses would have noticed the change in fetal heart rate and opted for a cesarean section.96 Unfortunately, the hospital was eight days into a debilitating ransomware attack that had crippled its computer systems.97 Nurses did not notice the fetal heart rate change, which under normal circumstances would have been displayed on a large digital monitor at the nurses’ station.98 Tragically, the baby died nine months after birth.99 This is a heart-wrenching example of the real-world consequences of cyberattacks on hospitals. Lost lives cannot be recovered, even with the payment of a ransom.
HIPAA’s Role in Cyberattacks
While the devastating impact of cyberattacks cannot be overstated, there is yet another complicated layer to attacks on healthcare entities: HIPAA. The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) established a set of standards for the protection of certain health information.100 HHS issued the Privacy Rule to implement the requirements of HIPAA.101 Within HHS, the OCR is responsible for enforcing the rule, primarily through civil monetary penalties and training programs.102 The Rule protects all individually identifiable health information, known as protected health information (PHI).103 PHI includes information about an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for that care.104 The definition also includes common identifiers such as name, address, date of birth, and Social Security number.105 The companion HIPAA Security Rule requires covered entities to maintain administrative, physical, and technical safeguards for electronic PHI, including an accurate and thorough risk analysis. Therefore, when a cyberattack exposes any of this data, a breach of unsecured PHI has occurred under HIPAA; this triggers the Breach Notification Rule and, where the entity’s safeguards fell short of the Security Rule, can also expose it to OCR enforcement.
There are specific steps an entity must take after a breach occurs. A HIPAA-covered entity must notify, in writing, each affected individual following the discovery of a breach.106 Notifications must be made without unreasonable delay and no later than 60 days following discovery of the breach;107 breaches affecting 500 or more individuals must also be reported to HHS and to prominent media outlets serving the affected area. Depending on the severity of the breach, fines may also be incurred. These fines fall into four tiers depending on the conduct of the entity itself.108 Tier 1: a violation that the covered entity was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by the HIPAA Rules.109 Tier 2: a violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care.110 Tier 3: a violation resulting from “willful neglect” of the HIPAA Rules, where an attempt has been made to correct the violation.111 Tier 4: a violation constituting willful neglect, where no attempt has been made to correct the violation within 30 days.112 Each tier carries a corresponding range of fines.
The penalty schedule in the original graphic113 illustrates how costly it can be for hospitals to be targeted by cyberattacks. It is important to note that, depending on the circumstances, the OCR may waive fines if the entity could not have avoided the breach and complied with all other reporting regulations.114 Even with this leniency, the OCR will still fine hospitals that were not taking reasonable security measures.115
Green Ridge Behavioral Health (“Green Ridge”), a healthcare business based in Maryland, was fined $40,000 and required to implement a corrective action plan that OCR will monitor for three years.116 Green Ridge had failed to conduct an accurate and thorough analysis of the risks to its electronic PHI, and it lacked sufficient monitoring to detect and protect against a cyberattack.117 Unfortunately, Green Ridge is not an outlier: hacking incidents now account for 79% of the breaches reported to the OCR.118
This leaves healthcare providers in a bind. Not only do they feel pressured to pay costly ransoms,119 but they also have to contend with OCR fines. This is another layer of cost attached to being a high-value target for cybercriminals.120 Clearly, the United States needs a workable solution that does not harm healthcare providers but also does not incentivize cybercriminals. This paper will now explore how other nations deal with issues of privacy and cybersecurity.
International Response
The European Union (EU) has one of the toughest privacy and security laws in the world in the General Data Protection Regulation (GDPR).121 The purpose of the GDPR is to impose uniform data protection rules on every EU member state so that the EU achieves uniformity in its privacy enforcement.122 The GDPR exemplifies a broad “rights approach” in which individuals own their personal information and presumptively have the legal right to control how it is used.123 Those rights include access, correction, erasure, and consent, and the regulation also requires data breach notifications and employee training.124 While this is not the complete list, the GDPR’s 99 articles emphasize sound cybersecurity and data privacy practices in addition to requiring consent and allowing individuals control over their information.125 It also calls for data protection officers and data protection impact assessments, so that trained personnel are monitoring data privacy compliance.126 While this law appears sound, it has come under scrutiny.
There has been some frustration surrounding the GDPR’s limitations.127 Regulators have to handle international complaints and are bogged down by the sheer number they receive.128 The GDPR handed each EU country’s data regulator the ability to issue fines of up to 4% of a company’s global annual turnover and to mandate that the company become GDPR compliant.129 This makes sense; the GDPR needs to be enforced. The problem, however, is that the total number of major decisions against powerful data companies remains agonizingly low.130 This is due to how the GDPR’s rules are structured. If a company operates in multiple EU countries, complaints are handled by the country where its main European headquarters is based.131 This structure leads to a backlog in enforcement. Small nations like Luxembourg handle complaints against Amazon, and Ireland handles Meta’s Facebook, WhatsApp, and Instagram.132 The GDPR’s enforcement structure makes it difficult for these smaller nations to handle complaints quickly, which contributes to the frustration surrounding the GDPR.133 Despite its problems, the GDPR has also had a positive impact on data practices.134
The GDPR has spurred top-level managers and board members to discuss privacy and view it as a priority.135 It has also enabled organizations to implement accountable privacy management programs leading to GDPR compliance.136 In some organizations, the GDPR has led to data privacy teams becoming more commonplace.137 These privacy professionals now have the ability to show how privacy can be helpful to business and company goals.138
Overall, the GDPR has led to more conversations about data privacy, and it has given privacy professionals the forum to discuss best practices and ensure that if breaches occur, they are mitigated. This type of framework could help the U.S. healthcare industry. By having more transparent conversations and enforcement mechanisms the U.S. could be on its way to a more secure privacy landscape.
U.S. Response
As it stands right now, the U.S. has no comprehensive federal privacy law dictating a uniform response to cyberattacks.139 Instead, we have a mix of sector-specific laws such as HIPAA, FERPA, FCRA, and GLBA, to name a few.140 HIPAA, for example, applies only to covered entities (health care providers, health plans, and clearinghouses) and their business associates; health data a person enters into a consumer app outside that relationship is not covered.141 Some states have seen the gaps left by these disparate regulations and have decided to enact their own privacy legislation.142
Sixteen states have some type of comprehensive privacy legislation enacted.144 California was one of the first states to enact legislation pertaining to privacy.145 The California Consumer Privacy Act took effect in 2020 and was amended by the California Privacy Rights Act, which took effect in 2023.146 This law is modeled after the GDPR in many ways.147 Californians now have the right to know what personal information is being collected about them, to access that information, and to request that it be deleted.148 Other states, such as Colorado and Virginia, have joined California.149 Several states have privacy legislation set to go into effect soon, such as Delaware (effective in 2025) and Indiana (effective in 2026).150 While data privacy laws are a step in the right direction, the system is becoming a patchwork of laws that are complex to navigate and not always clear for multi-jurisdictional entities.151 This has led to calls for a uniform federal response akin to the GDPR’s uniform model in the EU.152 Tackling data privacy is a step toward tackling cybercrime.
On May 5, 2022, President Biden signed the Better Cybercrime Metrics Act.153 The Act directs the Federal Bureau of Investigation (FBI) to incorporate cybercrime into its national crime reporting so that it can build a database of cybercrimes as it does for other crimes.154 This database is intended to help law enforcement agencies track potential cyber threats and recover lost assets.155 This is a step in the right direction; however, it does not address the specific threat to the healthcare industry.
Federal law provides several approaches to combat ransomware specifically.156 The Computer Fraud and Abuse Act (“CFAA”) can be used to prosecute those who perpetrate ransomware attacks.157 On paper this sounds like a great solution; the reality is not that simple. Bringing cybercriminals to justice is a complex process involving authorities from multiple jurisdictions, and it can take years.158 Meanwhile, ransomware attackers continue perpetrating attacks and evading prosecution.159 Matters are further complicated when attackers sit outside U.S. jurisdiction, as many do. Stopping them then becomes an exercise in international diplomacy.160 Coordination with foreign law enforcement can prove difficult.161 Certain ransomware groups, such as ALPHV, operate from nations like Russia, which makes cooperation even more difficult.162 Russian President Vladimir Putin has stated that he will only extradite criminals if the United States does the same.163 Given prevailing geopolitical tensions, it is unlikely that Russia would cooperate in any handovers. Russia views cyberattacks as a means of sowing discord in the U.S.164 Ransomware is a lucrative business.165 If criminals know that enforcement is slow-moving and that they can perpetrate hundreds of attacks before they are discovered,166 why would they stop?
Solutions
The first solution to dealing with ransomware attacks in the healthcare industry is to draft new legislation that directly addresses ransomware.167 Existing legislation discusses cybercrime generally, but it does not account for the nuanced issues that ransomware brings to the table.168 Ransomware attacks would still need to be reported; if necessary, the disclosure could be kept private so that other attackers do not make their own attempts.169 Under this solution, covered entities would not automatically be exposed to fines.170 Fines could still be imposed where there is an egregious failure due to human error or unsound cybersecurity practices.171 This solution is not without its own set of issues. There would have to be a delicate balance between patients’ interest in ensuring their data is secure and the interest of healthcare entities in not being harshly penalized for ransomware attacks.172 Legislation like the BCMA is a step in the right direction, and acknowledgment by President Biden that this is an issue is helpful, but it does not go far enough in stopping ransomware.173 We need specific legislation to deal with a specific issue.
A second potential solution is a ban on ransomware payments. This is a complicated solution. On one hand, banning ransomware payments seems to make sense. After all, payments to ransomware groups provide the criminals with resources to commit additional crimes.174 Additionally, almost 78% of all organizations that paid a ransom demand were hit by a second ransomware attack, often by the same threat actor.175 Healthcare entities cannot afford to be hit once, much less multiple times. If they do not pay the ransom, they cannot provide patient care or financial services; if they do pay, there is no guarantee their data will be decrypted. Banning ransom payments appears to solve this dilemma. There is, however, no consensus in the cybersecurity world on the feasibility of this solution. The Institute for Security and Technology rejects the viability of a ransom payment ban because of concerns about driving payments underground.176 Most organizations, especially in healthcare, have little in the way of cyber resilience and are under-prepared for ransomware attacks.177 Banning ransomware payments would not suddenly make threat actors stop; they would still attack, knowing that cyberinfrastructure is weak and that some organizations may still pay.178 Opponents of this solution also point out that U.S. officials previously decided not to impose an outright ban.179 If the United States strengthens its cybersecurity infrastructure and the cryptocurrency exchanges that launder ransomware payments180 are dealt with, banning ransomware payments could become a feasible solution.
Finally, there are steps that can be taken at the level of the individual organization. Healthcare entities should store their backups on separate devices that cannot be reached through their production network.181 If ransomware shuts down the main source of data, providers can rely on these backups until critical systems are restored. Additionally, regular mandatory cybersecurity training should take place.182 Healthcare workers are more vulnerable to phishing attempts than others; in one study they clicked one out of every seven simulated phishing emails.183 Educating healthcare providers about cybercrime can help prevent attacks.
Even with the best training and well-informed employees, cyberattacks will occur.184 Hospitals need measures in place to mitigate the impact of an attack while it is occurring. Hospitals need to ensure that all staff can shift away from electronic charts and rely on paper charts in the event of an attack.185 Employees should also be prepared to disseminate information throughout their workplace without the use of email in the event of a breach,186 since the mail system may be offline or under the attacker's control. These seem like simple solutions, but through awareness and preparedness the negative effects of a cyberattack can be mitigated.
Conclusion
Cyberattacks are going to be around for the foreseeable future. As long as healthcare entities hold sensitive information, ransomware attacks are going to continue. Fortunately, there are mitigation options for when attacks do occur. The United States is attempting to find workable solutions that do not amplify the problem. By having conversations about this topic and furthering the knowledge base of the populace, every industry can be better prepared when faced with a cyberattack. Additionally, legislation can be enacted that deals with this issue. Cybercrime is not something that is going to be solved by one industry. It is going to take a concerted effort among cybersecurity scholars, legal scholars, and politicians if we want to see real change.
Bibliography
1. Robert S. Mueller, RSA Cybersecurity Conference (2012).
2. Cybercrime Magazine, Cybercrime to Cost The World $10.5 Trillion Annually by 2025 (2020).
3. U.S. News and World Report, Cyberattacks on Hospitals are Likely to Increase, Putting Lives at Risk, Experts Warn (2024).
4. KPMG, The rise of ransomware during COVID-19, https://kpmg.com/si/en/home/insights/2020/05/rise-of-ransomware-during-covid-19.html
5. U.S. Department of Health and Human Services, Ransomware and Healthcare (2024).
6. Id.
7. U.S. Department of Health and Human Services, HIPAA Privacy Rule, https://www.hhs.gov/sites/default/files/privacysummary.pdf
8. Keeper Security, Why do Hackers Want Medical Records? (2024), https://www.keepersecurity.com/blog/2024/01/11/why-do-hackers-want-medical-records/
9. Compliancy Group, Lawsuits Increasing Following HIPAA Breaches (2022), https://compliancy-group.com/lawsuits-increasing-following-hipaa-breaches/
10. The White House, Fact Sheet: Biden-Harris Administration Announces National Cybersecurity Strategy (2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/
11. Id.
12. Forbes, Biden Signs Bill to Create a Cybercrime Reporting System (2022), https://www.forbes.com/sites/edwardsegal/2022/05/05/biden-signs-bill-to-create-cybercrime-reporting-system/?sh=4ba24e1b1f9
13. Id.
14. Id.
15. IBM, How to handle a ransomware attack (2024), https://www.ibm.com/blog/how-to-respond-to-ransomware-attack/
16. Acronis, What is the 3-2-1 backup strategy? (2024), https://www.acronis.com/en-us/blog/posts/backup-rule/
17. Apricorn, Annual Global IT Security Survey (2022), https://apricorn.com/content/infographic/2022-IT-security-survey-whitepaper.pdf
18. The HIPAA Journal, Only One in Five Organizations Follow the 3-2-1 Rule for Data Backups (2022), https://www.hipaajournal.com/only-one-in-five-organizations-follow-the-3-2-1-rule-for-data-backups/
19. Id.
20. CrowdStrike, History of Ransomware (2022), https://www.crowdstrike.com/cybersecurity-101/ransomware/history-of-ransomware/
21. Id.
22. Id.
23. Id.
24. 23 Rich. J.L. & Tech. 1.
25. Flashpoint, The Seven Phases of a Ransomware Attack: A Step-by-Step Breakdown of the Attack Lifecycle (2023), https://flashpoint.io/blog/the-anatomy-of-a-ransomware-attack/
26. Id.
27. Id.
28. Security Magazine, The Psychological Warfare Behind Ransomware Attacks (2022), https://www.securitymagazine.com/articles/98654-the-psychological-warfare-behind-ransomware-attacks
29. IBM, X-Force Threat Intelligence Index (2022), https://www.ibm.com/downloads/cas/ADLMYLAZ
30. Flashpoint, The Seven Phases of a Ransomware Attack: A Step-by-Step Breakdown of the Attack Lifecycle (2023), https://flashpoint.io/blog/the-anatomy-of-a-ransomware-attack/
31. CrowdStrike, What is Privilege Escalation? (2022), https://www.crowdstrike.com/cybersecurity-101/privilege-escalation/
32. Id.
33. Flashpoint, The Seven Phases of a Ransomware Attack: A Step-by-Step Breakdown of the Attack Lifecycle (2023), https://flashpoint.io/blog/the-anatomy-of-a-ransomware-attack/
34. Id.
35. A Note on Different Types of Ransomware Attacks (2019), https://eprint.iacr.org/2019/605.pdf
36. Id.
37. Id.
38. Id.
39. Flashpoint, The Seven Phases of a Ransomware Attack: A Step-by-Step Breakdown of the Attack Lifecycle (2023), https://flashpoint.io/blog/the-anatomy-of-a-ransomware-attack/
40. Id.
41. Id.
42. Id.
43. KuppingerCole Analysts, Ransomware in 2022 (2022), https://www.kuppingercole.com/blog/deshpande/ransomware-in-2022
44. Id.
45. Arctic Wolf, The Top 18 Healthcare Industry Cyber Attacks of the Past Decade (2024), https://arcticwolf.com/resources/blog/top-healthcare-industry-cyberattacks/
46. CNBC, HCA Healthcare patient data stolen and sold by hackers (2023), https://www.cnbc.com/2023/07/10/hca-healthcare-patient-data-stolen-and-for-sale-by-hackers.html
47. CBS News, HCA Healthcare says hackers stole data on 11 million patients (2023), https://www.cbsnews.com/news/hca-healthcare-data-breach-hack-11-million-patients-affected/
48. Id.
49. Id. "The hackers accessed the following information, according to HCA Healthcare: Patient name, city, state, and zip code. Patient email, telephone number, date of birth, gender. Patient service date, location and next appointment date."
50. Id.
51. The HIPAA Journal, 11.27 Million HCA Healthcare Patients Affected by Recent Cyberattack (2023), https://www.hipaajournal.com/hca-healthcare-cyberattack-data-breach-2023/
52. Morgan & Morgan, Morgan & Morgan Investigates Claims for Those Impacted by HCA Healthcare Data Security Incident (2024), https://www.forthepeople.com/blog/morgan-morgan-investigates-claims-those-impacted-hca-healthcare-data-security-incident/
53. Fierce Healthcare, HCA Healthcare hit with at least 4 class-action lawsuits days after disclosing massive data breach (2023), https://www.fiercehealthcare.com/providers/hca-healthcare-hit-least-4-class-action-lawsuits-days-after-disclosing-massive-data
54. JD Supra, Ardent Health Services Files Notice of Data Breach in the Wake of Ransomware Attack (2024), https://www.jdsupra.com/legalnews/ardent-health-services-files-notice-of-6194455/
55. Id.
56. Id.
57. Healthcare Finance, Ransomware attack disrupts operations at Ardent Health Services (2023), https://www.healthcarefinancenews.com/news/ransomware-attack-disrupts-operations-ardent-health-services
58. SecureWorld, Cyber Attack on Ardent Health Closes 3 of its 30 Emergency Rooms (2023), https://www.secureworld.io/industry-news/cyber-attack-ardent-health
59. Id.
60. JD Supra, Ardent Health Services Files Notice of Data Breach in the Wake of Ransomware Attack (2024), https://www.jdsupra.com/legalnews/ardent-health-services-files-notice-of-6194455/
61. Id.
62. CBS News, UnitedHealth says Change Healthcare cyberattack cost it $872 million (2024), https://www.cbsnews.com/news/unitedhealth-cyberattack-change-healthcare-hack-ransomware/
63. American Hospital Association, AHA Letter to HHS on Implications of Change Healthcare Cyberattack (2024), https://www.aha.org/lettercomment/2024-02-26-aha-letter-hhs-implications-change-healthcare-cyberattack
64. CBS News, UnitedHealth cyberattack "one of the most stressful things we've gone through," doctor says (2024), https://www.cbsnews.com/news/doctor-describes-devastating-effects-unitedhealth-cyberattack-change-healthcare/
65. American Hospital Association, CMS announces flexibilities in response to Change Healthcare attack; Schumer calls for additional action (2024), https://www.aha.org/news/headline/2024-03-05-cms-announces-flexibilities-response-change-healthcare-attack-schumer-calls-additional-action
66. CBS News, Biden team, UnitedHealth struggle to restore paralyzed billing systems after cyberattack (2024), https://www.cbsnews.com/news/change-optum-healthcare-billing-cyberattack-biden-administration-unitedhealth-response/
67. Id.
68. Wired, Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment (2024), https://www.wired.com/story/alphv-change-healthcare-ransomware-payment/
69. Id.
70. World Economic Forum, Healthcare pays the highest price of any sector for cyberattacks - that's why cyber resilience is key (2024), https://www.weforum.org/agenda/2024/02/healthcare-pays-the-highest-price-of-any-sector-for-cyberattacks-that-why-cyber-resilience-is-key/
71. Id.
72. Journal of Information Technology & Politics, The hidden threat of cyberattacks undermining public confidence in government (2022), https://www.tandfonline.com/doi/full/10.1080/19331681.2022.2112796
73. Id.
74. Id.
75. Id.
76. Bloomberg Law, Health Data Breach Class Actions Surge as Cyberattacks Climb (2023), https://news.bloomberglaw.com/privacy-and-data-security/health-data-breach-lawsuits-surge-as-cyberattacks-keep-climbing
77. Harvard Business Review, 5 Steps to Restore Trust in U.S. Health Care (2022), https://hbr.org/2022/09/5-steps-to-restore-trust-in-u-s-health-care
78. National Library of Medicine, Distrust of the Health Care System and Self-Reported Health in the United States (2006), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1484714/
79. World Economic Forum, People have lost trust in healthcare systems because of COVID. How can the damage be healed? (2022), https://www.weforum.org/agenda/2022/03/trust-health-economy-pandemic-covid19/
80. Id.
81. Id.
82. National Library of Medicine, What happens to rural hospitals during a ransomware attack? Evidence from Medicare data (2024), https://pubmed.ncbi.nlm.nih.gov/38494590/
83. Id.
84. Id.
85. Healthcare Dive, Ransomware attacks on healthcare facilities cost $77.5B in downtime, report finds (2023), https://www.healthcaredive.com/news/healthcare-ransomware-costs-comparitech-77-billion/698044/. Downtime is when facilities are unable to provide services or are shut down between attacks. Some attacks cause minimal disruption while others require months to recover. On average, organizations lost nearly 14 days to downtime from ransomware attacks between 2016 and 2023.
86. FBI, Ransomware, https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/ransomware
87. Sophos, The State of Ransomware 2023 (2023), https://assets.sophos.com/X24WTUEQ/at/h48bjq7fqnqp3n5thwxtg4q/sophos-the-state-ransomware-2023-infographic-1200-1200px_2x.png
88. Politico, The mounting death toll of hospital cyberattacks (2022), https://www.politico.com/news/2022/12/28/cyberattacks-u-s-hospitals-00075638
89. MIT Technology Review, A patient has died after ransomware hackers hit a German hospital (2020), https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/
90. Id.
91. Id.
92. BBC, Police launch homicide inquiry after German hospital hack (2020), https://www.bbc.com/news/technology-54204356
93. Id.
94. The Washington Post, Ransomware attack might have caused another death (2021), https://www.washingtonpost.com/politics/2021/10/01/ransomware-attack-might-have-caused-another-death/
95. Id.
96. Id.
97. Id.
98. Id.
99. Id.
100. U.S. Department of Health and Human Services, Summary of the HIPAA Privacy Rule (2024), https://www.hhs.gov/sites/default/files/privacysummary.pdf
101. Id.
102. Id.
103. Id.
104. Id.
105. Id.
106. Northern Illinois University, HIPAA Breach Notification Rule: Explanation and Guidance, https://www.niu.edu/doit/about/policies/hipaa-breach-notification-rule.shtml
107. Id.
108. The HIPAA Journal, What are the Penalties for HIPAA Violations?, https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
109. Id.
110. Id.
111. Id.
112. Id.
113. Id.
114. Id.
115. U.S. Department of Health and Human Services, HHS' Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack (2024), https://www.hhs.gov/about/news/2024/02/21/hhs-office-civil-rights-settles-second-ever-ransomware-cyber-attack.html
116. Id.
117. Id.
118. Id.
119. Fisher Phillips, Ransomware Costs Businesses Record High $1 Billion in 2023: Your 5-Step Plan to Prevent Attacks in 2024 (2024), https://www.fisherphillips.com/en/news-insights/ransomware-costs-businesses-record-high-1-billion-in-2023.html
120. The Seattle Times, Why health care has become a top target for cybercriminals (2024), https://www.seattletimes.com/seattle-news/health/why-health-care-has-become-a-top-target-for-cybercriminals/
121. GDPR.EU, What is GDPR, the EU's new data protection law?, https://gdpr.eu/what-is-gdpr/
122. Digital Guardian, What is the General Data Protection Regulation (GDPR)? Everything You Need to Know (2017), https://www.digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection
123. Reuters, U.S. data privacy laws to enter new era in 2023 (2023), https://www.reuters.com/legal/legalindustry/us-data-privacy-laws-enter-new-era-2023-2023-01-12/
124. Id.
125. Id.
126. Id.
127. Wired, How GDPR Is Failing (2022), https://www.wired.com/story/gdpr-2022/
128. Id.
129. Id.
130. Id.
131. Id.
132. Id.
133. Id.
134. Id.
135. Centre for Information Policy Leadership, GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges (2019), https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_report_on_gdpr_one_year_in_-_practitioners_take_stock_of_the_benefits_and_challenges.pdf
136. Id.
137. Id.
138. Id.
139. New York Times, The State of Consumer Data Privacy Laws in the US (And Why it Matters) (2021), https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/
140. Id.
141. Id.
142. Id.
143. International Association of Privacy Professionals, U.S. State Privacy Legislation Tracker (2024), https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
144. Id.
145. Bloomberg Law, Which States Have Consumer Data Privacy Laws? (2024), https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/
146. International Association of Privacy Professionals, U.S. State Privacy Legislation Tracker (2024), https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
147. Varonis, California Consumer Privacy Act (CCPA) vs. GDPR (2023), https://www.varonis.com/blog/ccpa-vs-gdpr
148. Id.
149. Bloomberg Law, Which States Have Consumer Data Privacy Laws? (2024), https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/
150. Id.
151. Information Technology & Innovation Foundation, The Looming Cost of a Patchwork of State Privacy Laws (2022), https://www.congress.gov/118/meeting/house/115376/documents/HHRG-118-IF17-20230301-SD021.pdf
152. Id.
153. S.2629 - Better Cybercrime Metrics Act (2022).
154. Id.
155. Pietragallo Gordon Alfano Bosick & Raspanti LLP, Biden Signs Better Cybercrime Metrics Act Into Law (2022), https://www.pietragallo.com/the-privacy-hacks/biden-signs-better-cybercrime-metrics-act-into-law/#_ftn1
156. Congressional Research Service, Ransomware and Federal Law: Cybercrime and Cybersecurity (2021), https://crsreports.congress.gov/product/pdf/R/R46932
157. 18 U.S.C. § 1030.
158. CNN, Why it's so difficult to bring ransomware attackers to justice (2021), https://www.cnn.com/2021/07/08/tech/ransomware-attacks-prosecution-extradition/index.html
159. Id.
160. Id.
161. Id.
162. Id.
163. Reuters, Putin says Russia would accept conditional handover of cyber criminals to U.S. (2021), https://www.reuters.com/world/putin-says-russia-would-accept-conditional-handover-cyber-criminals-us-2021-06-13/
164. CNN, Why it's so difficult to bring ransomware attackers to justice (2021), https://www.cnn.com/2021/07/08/tech/ransomware-attacks-prosecution-extradition/index.html
165. Wired, Ransomware Payments Hit a Record $1.1 Billion in 2023 (2024), https://www.wired.com/story/ransomware-payments-2023-breaks-record/
166. CNN, Why it's so difficult to bring ransomware attackers to justice (2021), https://www.cnn.com/2021/07/08/tech/ransomware-attacks-prosecution-extradition/index.html
167. 15 Ind. Health L. Rev. 305.
168. Id.
169. Id.
170. Id.
171. Id.
172. Id.
173. Forbes, Biden Signs Bill to Create a Cybercrime Reporting System (2022), https://www.forbes.com/sites/edwardsegal/2022/05/05/biden-signs-bill-to-create-cybercrime-reporting-system/?sh=4ba24e1b1f9
174. Center for Cybersecurity Policy and Law, The Path to Banning Ransomware Payments (2023), https://www.centerforcybersecuritypolicy.org/insights-and-research/the-path-to-banning-ransomware-payments
175. Infosecurity Magazine, 78% of Organizations Suffer Repeat Ransomware Attacks After Paying (2024), https://www.infosecurity-magazine.com/news/orgs-repeat-ransomware-paying/
176. Cybersecurity Dive, Top officials again push back on ransom payment ban (2024), https://www.cybersecuritydive.com/news/ransom-payment-ban-pushback/713206/
177. Id.
178. Id.
179. Cybersecurity Dive, US government rejects ransom payment ban to spur disclosure (2022), https://www.cybersecuritydive.com/news/government-ransomware-guidance/632136/
180. American Journal of International Law, The Biden Administration Cracks Down on Ransomware (2022), https://doi.org/10.1017/ajil.2022.12
181. Cybersecurity & Infrastructure Security Agency, Protecting Against Ransomware (2021), https://www.cisa.gov/news-events/news/protecting-against-ransomware. This can also include implementing the 3-2-1 system mentioned earlier in this paper.
182. Id.
183. Canadian Medical Association Journal, How hospitals can protect themselves from cyber-attack (2020), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6989022/
184. Id.
185. Id.
186. Id.

