Negotiate with Hackers? Buchanan Ingersoll & Rooney Discuss

Buchanan Ingersoll & Rooney's Michael McLaughlin discusses the legality of negotiating with hackers and how to proceed with compliance

The healthcare sector has become an increasingly attractive target for ransomware attacks, given the sensitive nature of patient data and the critical services healthcare providers offer. 

For healthcare providers, ransomware attacks do not merely disrupt day-to-day activities; they also jeopardise patient trust and compliance with stringent legal requirements. 

Therefore, the decision to negotiate with hackers is rarely straightforward, often requiring healthcare leaders to weigh multiple factors, including legal obligations, regulatory implications, and the potential impact on patient care.

But how can healthcare providers proceed with the best possible course whilst remaining compliant?

To further explore these issues, we spoke with Michael McLaughlin, Co-lead of the Cybersecurity and Data Privacy Practice at Buchanan Ingersoll & Rooney.


Understanding the legality of negotiations

When healthcare organisations face ransomware attacks, they must consider numerous legal factors, including compliance with specific industry regulations and broader legal frameworks. 

As Michael explains, “compliance with relevant legal frameworks is essential, particularly regarding sanctions and regulations. For instance, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued advisories warning against ransom payments to sanctioned individuals or entities, which could expose the organisation to legal repercussions.”

Michael’s insight highlights that paying a ransom is never a purely financial decision: it requires assessing who is behind the attack and whether engaging with them creates legal exposure. Threat-actor attribution is rarely certain, and affiliates of a ransomware-as-a-service operation may be sanctioned even when the brand name is not.

Sanctions violations are also a strict-liability matter in the US: an organisation can be penalised for paying a sanctioned party even if it did not know the recipient was sanctioned. OFAC’s advisory treats a prompt, complete report to law enforcement and cooperation with the FBI or CISA as significant mitigating factors, which is a practical reason to involve law enforcement before, not after, any payment decision.

Beyond sanctions, incident-reporting regimes add a further layer of mandatory compliance. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is the most prominent: once its implementing rule is final, covered critical-infrastructure entities, healthcare among them, will have to report covered cyber incidents and ransom payments to CISA within tight windows, so the reporting clock starts regardless of whether the organisation chooses to negotiate.

Healthcare-specific regulations

For healthcare organisations, compliance with the Health Insurance Portability and Accountability Act (HIPAA) becomes particularly pressing when a ransomware attack jeopardises patient data. 

“HIPAA requires stringent protections for Protected Health Information (PHI), and a ransomware attack that compromises PHI can lead to severe penalties and corrective actions,” says Michael.

This legal obligation means that healthcare providers must carefully assess any incident involving patient data. Under HHS Office for Civil Rights guidance, encryption of ePHI by ransomware is itself treated as an impermissible disclosure and is presumed to be a reportable breach unless the organisation can document, through a risk assessment, a low probability that the data was compromised. Failing to notify affected individuals and regulators on that basis can lead to regulatory penalties and reputational damage.


In cases where hackers exfiltrate data — a tactic known as double extortion — healthcare organisations face even greater scrutiny. 

As Michael notes, “healthcare organisations are obligated to report breaches of unsecured PHI to affected individuals, the Department of Health and Human Services (HHS), and sometimes the media, depending on the breach's severity.”

This reality underscores the heightened responsibility healthcare organisations bear to remain compliant with reporting requirements, even if they choose to negotiate with the attackers. Negotiating or paying does not pause the Breach Notification Rule: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, breaches affecting 500 or more individuals must be reported to HHS at the same time and, where more than 500 residents of a single state or jurisdiction are affected, to prominent media outlets serving that area. An attacker’s promise to delete exfiltrated data does not change whether the data was compromised and so does not remove the duty to notify.

Best practices in ransomware negotiations

If a healthcare organisation decides to negotiate with hackers, several best practices can mitigate the risks involved. 

Michael emphasises the importance of involving legal experts with cybersecurity experience, advising that “engaging legal experts specialising in cybersecurity and data privacy to navigate the complex legal landscape and ensure compliance with relevant laws and regulations” is essential. 

With expert guidance, healthcare providers can ensure that their responses align with both legal requirements and best practices.

Additionally, involving third-party negotiators and cybersecurity firms can provide strategic advantages in ransomware negotiations.

“Utilising professional negotiators or cybersecurity firms experienced in ransomware negotiations can help manage the process effectively and potentially lower ransom demands.”

However, engaging third-party negotiators also requires careful legal scrutiny. In practice, negotiators and forensic firms are usually retained through outside counsel rather than directly by the provider, with engagement letters that make clear the work is performed to support legal advice; that structure is what gives attorney-client privilege or work-product protection a chance of attaching to the firm’s communications and reports, which matters when patient data is involved. The protection is not automatic: courts have ordered forensic reports produced where the engagement looked like an ordinary business-continuity arrangement rather than legal work, so the contracts should be drafted with that risk in mind.


Furthermore, ensuring that third-party negotiations align with the organisation’s cyber insurance policy is crucial. Many policies require the insurer’s consent before a ransom is paid or a vendor is engaged, and some restrict coverage to a panel of approved breach-response firms; acting outside those terms during the negotiation can reduce or void coverage for the very costs the policy was bought to absorb.

Beyond the legal requirements, healthcare leaders must consider the ethical ramifications of ransomware negotiations. 

For instance, even in scenarios where paying a ransom might offer the quickest path to data recovery, this approach may conflict with the organisation’s ethical stance or regulatory obligations.

“Implementing robust security protocols, including regular risk assessments, employee training, and updated security technologies, is fundamental,” says Michael.

Moreover, healthcare organisations must maintain transparent communication with stakeholders, balancing the need for confidentiality with the ethical responsibility to keep patients informed about any threats to their data. 

Diagnosing the decision

For healthcare leaders, establishing and practising an incident response plan, including simulations and tabletop exercises, can better prepare their teams for real-world scenarios. 

This proactive approach helps organisations maintain resilience and accountability, safeguarding their reputations and, most importantly, their patients’ trust.

The threat landscape for healthcare organisations will likely continue evolving, presenting new legal and ethical challenges. 

However, with a comprehensive understanding of regulatory requirements and a commitment to transparency, healthcare providers can navigate these difficult decisions in ways that protect both patient data and organisational integrity.


Cyber Magazine is a BizClik brand
