To Call or Not to Call (the FBI): That is the Question
Tips for Cybersecurity Healthcare Incident Response
On January 26, 2023, the Department of Justice (DOJ) announced that, following an extensive operation, the FBI was able to disrupt the Hive ransomware gang’s operations by distributing decryption keys to numerous victims mid-attack. It has been established that Hive’s victims included hospitals, U.S. K-12 schools, and other critical infrastructure entities.
The question of “if” or “when” the victim of a ransomware attack should report the incident and involve the authorities comes up in every discussion of healthcare incident response plans. The simple answer is YES, and the sooner the better. There are real fears of federal agents showing up at your facility in raid jackets, compromising the response, or putting business viability at risk. These apprehensions, however, are not valid within the healthcare sector, where ransomware is a threat-to-life crime. That said, decisions on policy and disaster recovery are rarely based on simple answers.
In full disclosure, all actions should be taken in full coordination with legal counsel, and the following information is not intended to constitute legal advice; instead, all information, content and materials are for general informational purposes only.
Three reasons every health delivery organization (HDO) should report a ransomware attack immediately include:
- Mandatory Reporting: Under the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), covered entities and their business associates must report breaches of both ePHI and PHI. The Cybersecurity and Infrastructure Security Agency (CISA) does not currently publish a 1-800-OHH-CRAP direct line for this purpose. Therefore, your best option is to contact your local FBI Field Office. It should also be noted that your cyber insurance payout may depend on whether and how you report the breach. You are therefore encouraged to develop a working relationship with your local FBI office in advance of any incident.
- Evidence-Based Security Practices: Much like the principle of practicing evidence-based medicine, the same can be said for your cybersecurity posture. There are ransomware gangs (like Daixin and BianLian) that target healthcare. Chances are, you are not the only victim of the ransomware group that locked you out of your network. The Bureau may have open cases with other victims sharing the same indicators of compromise (IOCs) and/or may be coordinating with those victims in a response. The FBI receives IOCs from victims, industry Information Sharing and Analysis Centers (ISACs), and other federal government intelligence community sources. In this case, sharing this information may be critical to preventing another health system from suffering catastrophic failure and loss of life.
- Additional Benefits: At times, the FBI can aid beyond decrypting a victim network without the ransom being paid. They can work with the Treasury Department to seize ransom payment funds from the criminal gang and return them to the victim. This cannot happen in every case, but if you do not call them, you are missing this chance.
Response to an incident is one thing, but what should you do now to proactively protect your facility and your patients? As an American Hospital Association (AHA) preferred cybersecurity provider for Incident Response (IR), [redacted] routinely makes the following recommendations:
- Make sure you have a current cybersecurity Incident Response Plan (IRP) that you have exercised. This is critical. Many people we speak to have an outdated HIPAA Incident Response Plan and, even if it has current information, it has not been practiced. Review and practice it ideally once a quarter, and at a minimum twice a year. This plan should include communications, alternative communication methods, and whom to call and when. Empower these people to make the decisions they will need to make.
- Reach out and engage with a security partner with expertise in IR and digital forensics. Have a retainer in place. You need to know whom to call, that they will respond immediately, and that they have the expertise to minimize the blast radius of the attack. Relying on cyber insurance to help you is not enough, and the time spent waiting for their response can be critical to your ability to recover quickly and continue to provide essential patient services.
- Know your local law enforcement. Reach out and meet your FBI Field Office. Building a relationship of mutual trust is important.
- Be involved with your ISAC. Threat actors network and communicate to move quickly and effectively. You need to be able to fight them just as quickly.
If you have any additional questions on how you may better prepare and secure your facility, schedule a call with our cyber defense team today.
As a medical provider, Paige brings over 15 years of direct patient care to her cybersecurity expertise. She is a pioneer in the now ubiquitous synchronous telehealth delivery practice. Early in her career, Dr. Peterson Sconzo recognized the importance of rigorous cybersecurity practices and became passionate about addressing that need in the healthcare field. She left private practice in 2019 to focus on bridging the gap and ensuring the cybersecurity industry addressed the unique needs of healthcare professionals and facilities.