Saturday, July 6, 2024

Bureaucracy makes ransomware attacks on hospitals worse

“We can categorically say that ransomware attacks harm patients,” says Hannah Neprash, an associate professor of health policy at the University of Minnesota, who has studied the impact of ransomware attacks on US hospitals and concluded that they lead to higher mortality rates. “If you’re unfortunate enough to be in a hospital that’s hit by a ransomware attack, you’re less likely to be able to leave,” Neprash says. “The longer the disruption lasts, the worse your health outcomes will be.”

In the immediate aftermath of a ransomware attack, hours or days afterward, it’s common for companies that connect their software to the targeted organization to suspend services, which can include anything from disconnecting medical records to refusing to send email to victims of a cyberattack. This is where the so-called guarantee comes in.

“We’ve seen a real increase in demand for these letters over the last few years as breaches have become more litigated, from class action lawyers pursuing settlements to business-to-business litigation,” said Chris Cwalina, global head of cybersecurity and privacy at law firm Norton Rose Fulbright.

Cwalina said he doesn’t know when or where the practice of sending certificates began, but it likely started with lawyers and security professionals who misunderstood the legal requirements and the risks they were trying to prevent. “There is no legal requirement to request or obtain a certificate before reconnecting a system,” Cwalina said.

These guarantees and certificates are often prepared with the assistance of specialized cybersecurity firms that are hired to respond to incidents, and what and when you can reconnect will depend on the specific details of each attack.

But much of the decision will depend on risk, or at least the perception of risk. Companies will worry that cybercriminals will be able to move “laterally” between victims and their own systems, says Charles Carmakal, chief technology officer at Mandiant, a cybersecurity company owned by Google. Companies want to be sure their systems are clean and that attackers are off them, Carmakal says.

“I understand the rationale behind the assurance process. My point is, you have to really think about the risk associated with the level of connectivity between two parties, and you tend to default to the most restrictive path,” Carmakal said. For example, it’s rare for Mandiant to see wormable ransomware moving from victim to victim, he said.

“The vendor was interested in having independent, external cybersecurity experts working with Scripps’ technical team to verify that the malware was contained and remediated with reasonable best efforts,” says Thielman, Scripps Health’s CIO. Ascension also held one-on-one conference calls with the vendor and eight webinars to provide updates, according to Fitzpatrick. It also shared indicators of compromise — traces attackers left on systems — with health organizations and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Third Party Principles

In recent years, cybercriminals have become more daring in their attacks against hospitals and healthcare organizations. In one case, the LockBit ransomware gang claimed to have rules against attacking hospitals, but in fact attacked over 100 hospitals. These types of attacks often directly affect public infrastructure and private companies that provide services to healthcare organizations.

“Any reasonable assessment of the threat landscape over the next few years will probably lead to an increased disruption of public services and public operations due to cybercriminal activity affecting the private sector,” says Ciaran Martin, a professor at Oxford University and former director of the UK’s National Cyber Security Centre. Such cases, Martin suggests, might raise questions about whether governments have or need the power to tell private companies to respond in particular ways.
