May 23, 2019


Advice to Healthcare Providers on Ransomware from the Head of the FBI

On Wednesday, March 8, 2017, James B. Comey, Director of the FBI, delivered the keynote address at Boston College for the inaugural Boston Conference on Cyber Security (BCCS 2017). Director Comey addressed the industry, cyber security, FBI, law enforcement and military experts in attendance on current cyber threats to both industry and government assets and on the FBI's approach to confronting them. During his remarks, Director Comey was asked to name the biggest cyber threat to healthcare providers, to which he quickly responded, "ransomware."

Ransomware is malware that installs covertly on a computer, tablet, or other mobile device and encrypts the victim's data, preventing access unless and until the victim pays a ransom, typically demanded in Bitcoin. Healthcare providers are appealing ransomware targets because they depend on immediate access to real-time data in order to care for their patients. For the same reason, healthcare providers often elect to pay the ransom to unlock their records, which makes them a lucrative target for attackers. Director Comey's advice to healthcare providers was twofold:

Never Pay Ransom:  The advice never to pay a ransom was echoed by a number of intelligence and security experts during BCCS 2017. According to Director Comey, payment of a ransom by one healthcare provider emboldens attackers and fuels further attacks, placing other healthcare providers at risk.

Maintain Adequate Backup Systems:  A comprehensive business continuity plan and reliable data backups are the only dependable way to continue critical operations following a ransomware attack without paying a ransom. Backups that remain reachable from an infected system can be encrypted along with the primary data, so they need to be kept offline or otherwise isolated, and a provider should confirm that it can actually restore from them.

Director Comey also encouraged healthcare providers to work closely with the FBI by reporting all manner of cyberattacks, noting that collaboration between industry and law enforcement is key to combatting cybercrime.

Speakers emphasized the importance of data backup, but also the importance of testing business continuity and data backup plans before a disaster. "An ounce of prevention can prevent a million headaches," one speaker said.

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Dianne Borque, Of Counsel

Dianne advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care. A large part of her practice involves counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, including patient consent, access to and use of tissue and associated patient information, and the Institutional Review Board process.

She also counsels health care clients and other business entities on the requirements of the HIPAA Privacy Rule and Security Standards,...

(617) 348-1614
Cynthia Larose

Cynthia is Chair of the firm's Privacy & Security Practice and a Certified Information Privacy Professional (CIPP). She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the "corporate lifecycle," from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.