Organizations with comprehensive cybersecurity programs can (and do) fall victim to attacks by sophisticated cyber criminals. In any cyberattack, your health care organization should consider the following issues throughout the process of containing and responding to the incident, including the most prevalent form, ransomware.
1. Identify Appropriate Point(s) of Contact
An organization must first determine who will be part of the incident response team. While IT team members serve a vital role here, the team also needs people from elsewhere in the organization who have: (a) the authority to make legal decisions; (b) knowledge of business workflows and the short- and long-term effects of disruptions; and (c) knowledge of the organization’s communication strategy.
2. “Stop the Bleeding” (Identify, Triage, Contain, Eradicate)
The organization should immediately attempt to determine the vectors and scope of the attack. IT should take steps to contain the spread of the incident and determine the best next steps to prevent further business interruption. Systems may be isolated from the network or sandboxed during this effort, but absolutely no systems or devices should be wiped, reimaged, or otherwise cleaned of any data until legal counsel has authorized and directed such activities. Where possible, prefer isolating or snapshotting a system over powering it off, since memory contents and other volatile evidence are lost on shutdown.
3. Preserve Evidence
Containment efforts must be implemented quickly, but also carefully. Knee-jerk decisions to “wipe” or “erase” machines to stop an attack can also wipe and erase the criminal’s tracks, including critical log data and other forensic evidence, making it difficult (if not impossible) to later establish how, when, and what the criminal did, and therefore which data and which individuals were affected.
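One concrete way to act on the evidence-preservation point before any containment step touches a machine is to hash the logs and record a chain-of-custody manifest, so that counsel, the forensic vendor, and regulators can later show the preserved copies were not altered. The following is an added example, not code from the article or from any firm it describes; the file names, case ID, collector name, and log lines are constructed for the demo.

```python
"""Evidence-preservation manifest for log files collected during containment.

Added example, not from the original article. Computes SHA-256 hashes and
records a chain-of-custody manifest so that later reviewers (counsel, the
forensic vendor, regulators) can prove the preserved logs were not altered.
File names, case ID, collector name and log contents are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id: str, collector: str) -> dict:
    """Record hash, size and last-modified time for each preserved file.

    Store the manifest separately from the evidence (and note its own hash)
    so that someone who alters a log cannot also rewrite the record of it.
    """
    entries = []
    for p in sorted(Path(x) for x in paths):
        st = p.stat()
        entries.append({
            "path": str(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(p),
        })
    manifest = {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    # Hash over the entry list lets a reader check the manifest itself was not edited.
    manifest["entries_sha256"] = sha256_bytes(json.dumps(entries, sort_keys=True).encode())
    return manifest


def verify_manifest(manifest: dict) -> list:
    """Return (path, reason) for every file whose hash or existence no longer matches."""
    problems = []
    for e in manifest["entries"]:
        p = Path(e["path"])
        if not p.exists():
            problems.append((e["path"], "missing"))
        elif sha256_file(p) != e["sha256"]:
            problems.append((e["path"], "hash mismatch"))
    return problems


def demo() -> dict:
    """Preserve two constructed log files, then show that a later 'cleanup'
    of one of them is detected. Returns the verification results."""
    with tempfile.TemporaryDirectory() as d:
        auth = Path(d) / "auth.log"
        web = Path(d) / "access.log"
        # Constructed sample log lines (hypothetical hosts, users and addresses).
        auth.write_text(
            "Mar 03 02:14:07 fileserver sshd[4121]: Accepted password for svc_backup from 10.0.9.77\n"
            "Mar 03 02:14:09 fileserver sudo: svc_backup : COMMAND=/usr/bin/rsync -a /srv/ehr /tmp/.x\n"
        )
        web.write_text('10.0.9.77 - - [03/Mar:02:15:00 +0000] "POST /api/export HTTP/1.1" 200 48213\n')

        manifest = build_manifest([auth, web], case_id="IR-0001", collector="analyst")
        before = verify_manifest(manifest)   # nothing changed yet: []

        # Simulate a well-meaning admin "cleaning" the log after preservation.
        auth.write_text("")
        after = verify_manifest(manifest)    # the edited file is flagged

        return {
            "clean_before_edit": before == [],
            "problems_after_edit": [reason for _, reason in after],
            "entries": len(manifest["entries"]),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest (and its hash) would be handed to counsel or the forensic vendor at collection time, and the same `verify_manifest` check would be rerun on the preserved copies before analysis.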
4. Contact Cyber Insurer
An organization should promptly notify its cyber insurer so that coverage can be evaluated. Many policies condition coverage on timely notice and on using the insurer’s approved counsel and forensic vendors, so notify before engaging outside vendors where possible.
5. Engage Outside Counsel
Organizations should bring in legal counsel with expertise in responding to cyber incidents. Outside counsel brings experience from prior incidents and structures the response so that investigative work and communications are protected by attorney-client privilege to the greatest extent possible.
6. Engage Forensic Vendor through Counsel
Outside counsel, rather than the organization directly, should engage the forensic firm, so that the firm’s work is performed at counsel’s direction and the organization can support the position that it is protected by attorney-client privilege.
7. Determine Scope
The investigation should specifically address whether the criminal accessed (e.g., viewed) or acquired (e.g., downloaded or exfiltrated) data, or both, because access alone creates legal obligations under many state and federal laws. The investigation should further identify all of the individuals (e.g., patients, beneficiaries, employees, donors, research subjects) whose data may be involved in the cyberattack, and which data elements about each of them were exposed.
8. Coordinate with Law Enforcement
In most cases, law enforcement (specifically, the FBI) should be notified by legal counsel as part of the response to the cyberattack. Even if law enforcement assistance is not needed, having made the notification can matter later if the organization finds itself needing to pay a ransom or to report the attack to state or federal regulators. The Office of Foreign Assets Control (OFAC) treats timely reporting to law enforcement as a mitigating factor if a ransom payment turns out to involve a sanctioned party, and having reported also reduces the risk that a regulator concludes the organization’s officers actively concealed criminal activity.
9. Analyze Notification Responsibilities
Based on what is learned about the incident through the forensic investigation, the organization must assess whether notifications to patients, employees, contractors, donors, research subjects, business partners, vendors, other individuals, or regulatory bodies are legally required (e.g., under HIPAA) or otherwise appropriate. Where notice is required, its timing, form, and content are dictated by the applicable law or contract. In some cases, notification to the media and/or a notice published on the victim’s website may also be required.
10. Prepare for Regulatory Investigations
The HHS Office for Civil Rights (OCR) and state attorneys general may open an investigation into any incident involving unauthorized access to or acquisition of protected health information under HIPAA, and OCR opens one for every incident involving the protected health information of 500 or more individuals. Many other regulators at the state, federal, and international level may have jurisdiction over issues related to the cyberattack and may send the organization inquiries.
Taking the steps outlined above, with the help of legal counsel, during the response to any cyberattack puts an organization in a better position to handle inquiries from individuals, business partners, the media, and regulators, and to defend against potential claims. Do not wait until an attack actually occurs to practice responding: engage legal counsel now to run tabletop exercises with your teams that work through the issues discussed above.