Negotiate with Hackers? Buchanan Ingersoll & Rooney Discuss
The healthcare sector has become an increasingly attractive target for ransomware attacks, given the sensitive nature of patient data and the critical services healthcare providers offer.
For healthcare providers, ransomware attacks do not merely disrupt day-to-day activities; they also jeopardise patient trust and compliance with stringent legal requirements.
Therefore, the decision to negotiate with hackers is rarely straightforward, often requiring healthcare leaders to weigh multiple factors, including legal obligations, regulatory implications, and the potential impact on patient care.
But how can healthcare providers proceed with the best possible course whilst remaining compliant?
To further explore these issues, we spoke with Michael McLaughlin, Co-lead of the Cybersecurity and Data Privacy Practice at Buchanan Ingersoll & Rooney.
Understanding the legality of negotiations
When healthcare organisations face ransomware attacks, they must consider numerous legal factors, including compliance with specific industry regulations and broader legal frameworks.
As Michael explains, “compliance with relevant legal frameworks is essential, particularly regarding sanctions and regulations. For instance, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued advisories warning against ransom payments to sanctioned individuals or entities, which could expose the organisation to legal repercussions.”
Michael’s insight highlights that paying a ransom may not be straightforward; rather, it involves assessing who is behind the attack and whether any legal risks arise from engaging with potentially sanctioned entities.
Failing to comply with sanctions could result in additional penalties for healthcare organisations, further compounding the risks they already face.
Beyond general sanctions, sector-specific regulations, like those outlined in the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), add another layer of mandatory compliance, often requiring rapid notification to regulatory bodies in the event of an attack.
Healthcare-specific regulations
For healthcare organisations, compliance with the Health Insurance Portability and Accountability Act (HIPAA) becomes particularly pressing when a ransomware attack jeopardises patient data.
“HIPAA requires stringent protections for Protected Health Information (PHI), and a ransomware attack that compromises PHI can lead to severe penalties and corrective actions,” says Michael.
This legal obligation means that healthcare providers must carefully assess any breaches involving patient data, as failing to notify affected individuals and regulatory authorities could lead to sanctions and reputational damage.
In cases where hackers exfiltrate data — a tactic known as double extortion — healthcare organisations face even greater scrutiny.
As Michael notes, “healthcare organisations are obligated to report breaches of unsecured PHI to affected individuals, the Department of Health and Human Services (HHS), and sometimes the media, depending on the breach's severity.”
This reality underscores the heightened responsibility healthcare organisations bear to remain compliant with reporting requirements, even if they choose to negotiate with the attackers.
Best practices in ransomware negotiations
If a healthcare organisation decides to negotiate with hackers, several best practices can mitigate the risks involved.
Michael emphasises the importance of involving legal experts with cybersecurity experience, advising that “engaging legal experts specialising in cybersecurity and data privacy to navigate the complex legal landscape and ensure compliance with relevant laws and regulations” is essential.
With expert guidance, healthcare providers can ensure that their responses align with both legal requirements and best practices.
Additionally, involving third-party negotiators and cybersecurity firms can provide strategic advantages in ransomware negotiations.
“Utilising professional negotiators or cybersecurity firms experienced in ransomware negotiations can help manage the process effectively and potentially lower ransom demands.”
However, engaging third-party negotiators also requires careful legal scrutiny. Contractual agreements with these third parties must be clear, with provisions that protect sensitive information under attorney-client privilege, especially when patient data is involved.
Furthermore, ensuring that third-party negotiations align with the organisation’s cyber insurance policies is crucial, as coverage may vary depending on the specifics of the incident and the actions taken during the negotiation.
Beyond the legal requirements, healthcare leaders must consider the ethical ramifications of ransomware negotiations.
For instance, even in scenarios where paying a ransom might offer the quickest path to data recovery, this approach may conflict with the organisation’s ethical stance or regulatory obligations.
“Implementing robust security protocols, including regular risk assessments, employee training, and updated security technologies, is fundamental,” says Michael.
Moreover, healthcare organisations must maintain transparent communication with stakeholders, balancing the need for confidentiality with the ethical responsibility to keep patients informed about any threats to their data.
Diagnosing the decision
For healthcare leaders, establishing and practising an incident response plan, including simulations and tabletop exercises, can better prepare their teams for real-world scenarios.
This proactive approach helps organisations maintain resilience and accountability, safeguarding their reputations and, most importantly, their patients’ trust.
The threat landscape for healthcare organisations will likely continue evolving, presenting new legal and ethical challenges.
However, with a comprehensive understanding of regulatory requirements and a commitment to transparency, healthcare providers can navigate these difficult decisions in ways that protect both patient data and organisational integrity.
Cyber Magazine is a BizClik brand