Ransomware Attacks in Healthcare: Nine Key Questions Answered

Health Highlights

Editor’s Note: At a recent webinar, Manatt revealed how healthcare organizations can prepare and protect themselves from the devastation of a ransomware attack. (See next article for more information on the webinar.) We had so many excellent questions from our audience that we didn’t have time to address them all during the program. Below are nine critical questions posed by our webinar attendees, along with the responses. If you would like to view the full webinar, click here to download a free copy of the webinar presentation.


1. How Can an Organization Know That No Data Was Exfiltrated During a Ransomware Attack?

To determine if data has been accessed or exfiltrated from its network, an organization must implement a robust logging and monitoring process. For example, logging of user and network activities is critical to determine malicious activity on the network. Organizations then must review the logs and validate whether or not the activity is authorized. Logging mechanisms and the ability to track user activities are essential in preventing, detecting or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting and analysis when something does go wrong. Identifying the cause of a compromise is very difficult, if not impossible, without system activity logs.

It is also important for organizations to understand the type of ransomware/malware installed on their systems. For example, does the ransomware/malware have the ability to exfiltrate data on the network? What ports/services is it using to propagate on the network? Does it have the ability to communicate to a criminal’s command and control server? The only way to fully understand the behavior of the malware is to perform malware analysis or reverse engineer the malware. This work must take place in a controlled environment. Organizations can work with their internal information security teams or engage a third party to analyze the malware.

2. What Is the Recommended Percentage of IT Budget That Should Be Devoted to Data and Network Security? What Percentage of Staff Should Be Assigned to This Type of Work?

An organization should perform a risk assessment to identity its security posture. The assessment will enable organizations to allocate the right level of resources and implement appropriate security solutions.

3. What If Data Is Encrypted? Could There Still Be a Breach?

That is a difficult question to answer. Organizations must do a thorough computer forensic investigation to identify whether or not there was a data breach. The investigation should include an analysis to determine whether appropriate key encryption management procedures were in place at the time of the breach. Having weak key encryption management procedures will allow unauthorized users to decrypt the data.

4. After an Employee Downloaded a Virus, Certain Unencrypted Files Were No Longer Available. Would This Be Considered a Breach?

Based on this limited information, there may have been a breach. However, proper computer forensic investigation is essential for determining for certain whether or not a breach occurred.

5. Can Ransomware Spread Via Wi-Fi? Could Phones Connected to the Wi-Fi Be Infected?

Yes. Ransomware can spread via wireless networks. For example, there is ransomware that targets Android systems.

6. When Should a Ransom Payment Be Made?

Neither law enforcement nor security professionals recommend paying a ransom, because it will only encourage criminals to perpetrate ransomware attacks. In addition, even when the ransom is paid, there is no guarantee that the hacker will provide the key to decrypt the systems. Law enforcement and security professionals both urge organizations not to pay any ransom, unless it is absolutely necessary and there is no other way to recover the files. 

In our opinion, whether or not to pay a ransom is a business decision that organizations need to make before an incident happens, as part of their disaster recovery plans. When deciding the ransom question, organizations should consider:

  • Which systems are impacted and what type of data is stored? Do the affected systems provide critical services to the community?
  • How confident is the organization that there are good backup systems in place and it has the ability to recover quickly?
  • How widespread is the infection on the network? Is there sufficient staff in place to respond and contain the infection?
  • How long has the hacker been on the network? (This is critical, because the longer he or she has been on the network undetected, the more severe the damage.)
  • What is the acceptable risk of downtime?

7. What Sample Table-Top Exercise Does Manatt Recommend?

We recommend visiting www.sans.org for more information on table-top exercises. Manatt’s Privacy and Data Security team can also help organizations develop effective table-top exercises. Please reach out to the author at ibeierly@manatt.com.

8. Is There a Way to Protect/Secure an Organization’s Wi-Fi?

Yes, there is a way to protect Wi-Fi. At a minimum, organizations should do the following:

  • Implement strong encryption to limit disclosure of sensitive information across wireless networks. Do not use WEP or SSL, as these protocols have known vulnerabilities.
  • Protect the wireless access points (WAP) by implementing strong access controls.
  • Ensure wireless networks do not have the ability to connect to the organization’s internal network without strong authentication.

9. Is There a Recommended Security Evaluation Protocol for Third-Party Providers?

We recommend visiting www.sans.org for more information on security evaluation protocols for third-party vendors. Manatt’s Privacy and Data Security team also can help organizations develop a vendor risk assessment protocol. Please contact the author at ibeierly@manatt.com.



pursuant to New York DR 2-101(f)

© 2023 Manatt, Phelps & Phillips, LLP.

All rights reserved