Why Many Healthcare Sector Entities End Up Paying Ransoms – Source: www.databreachtoday.com

While most healthcare sector organizations hit with ransomware attacks never imagine giving in to extortion demands, the pressures they face in dealing with the crisis often push about half of them to pay, said attorney Lynn Sessions of BakerHostetler, speaking about the firm’s healthcare clients.

“No one ever goes on a call and says, ‘I’m ready to pay a criminal in the other part of the world,'” she said in an interview with Information Security Media Group.

But in the end, about 50% of the firm’s healthcare sector clients facing extortion demands end up paying, according to Sessions, who shared findings of the law firm’s 10th annual Data Security Incident Response Report. The study details more than 1,150 security incidents managed by the firm in 2023 for clients in 10 sectors, including healthcare.

“Nobody wants to pay, and then you look at the specific factors as to what would impact a healthcare organization. One of the things that makes healthcare very vulnerable in this scenario is that they’ve got to take care of patients 24/7,” she said.

Sessions said most attacks on healthcare sector organizations these days involve double-extortion, where there’s an impact to their operations through the ransomware encryption as well as through data exfiltration.

“So, attackers have two reasons for which they try to strong-arm you into paying,” she said. “If our clients need the decryption key to get their operations back up and running – and presumably back up and running more quickly than if they rebuilt from scratch or restored from backup – then you will see them pay for the decryption key.”

“Our normal stance is: If you’re just paying for the suppression of data, don’t just pay for the suppression of data,” she said.

Sessions pointed to the February Change Healthcare attack, in which parent company UnitedHealth Group reportedly paid a $22 million ransom to attackers and then was blackmailed a second time by a different group to suppress a data leak. “There are things that can go wrong, and your data still gets published,” she said (see: Change Healthcare Attack: Details Emerge; Breach Will Top Record).

“But we do talk with our clients, and it’s a very fact-specific scenario based on their specific operations – what data may have been taken or impacted – and making decisions around whether they should pay or not to pay.”

Paying a ransom – including to suppress the publication or sale of stolen protected health information – does not help entities avoid the fallout of having to report a HIPAA breach to regulators and notify individuals affected by the compromise, Sessions said.

With ransomware attacks, “under HIPAA, you have a presumption of a breach, unless you can demonstrate that the protected health information was not actually viewed or acquired.

“You still have to do notification. You’re still going to get sued” by affected individuals, she said. “You don’t get any credit for paying the ransom.”

In this audio interview with Information Security Media Group (see audio link below photo), Sessions also discussed:

• The average ransomware demand in healthcare and how the average extortion amount that’s paid is often negotiated downward;
• Advice for healthcare sector organizations to be better prepared to help prevent and respond to ransomware and other security incidents;
• Other key findings from the law firm’s annual Data Security Incident Response Report.

Sessions leads the healthcare privacy and compliance team in BakerHostetler’s digital assets and data management practice group and serves as national co-lead of the firm’s healthcare industry team. Sessions focuses her practice on healthcare privacy and data security, breach response, regulatory defense and HIPAA compliance.