Senators Propose U.S. Cybersecurity Incident Notification Law

In light of the escalation in ransomware and other cyber threats, a bi-partisan group of U.S. Senators has released a cybersecurity notification bill titled “Cyber Incident Notification Act of 2021.” Under the proposed bill, a “covered entity” would be required to report a “cybersecurity intrusion” or “potential cybersecurity intrusion” to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of confirmation of the intrusion.  Covered entities also would be required to submit updated cybersecurity threat information to CISA within 72 hours after the discovery of new information. The requirement for updates would continue until the incident is mitigated or any follow-up investigation is completed.

Although the term “cybersecurity intrusion” would be defined in future rulemaking with public comment, the bill provides, at a minimum, that the term include ransomware if it falls into one of six broad categories. The categories include ransomware involving a nation-state, an advanced persistent threat cyber actor, or a transnational organized crime group. The categories also include ransomware that results in or has the potential to result in harm to national security interests, the U.S. economy, or to public confidence, civil liberties, or public health and safety. In essence, it would encompass most types of ransomware.

The term “covered entity” also is to be defined by future rulemaking but, per the bill, “shall include, at a minimum, Federal contractors, owners or operators of critical infrastructure, as determined appropriate by the Director based on assessment of risks posed by compromise of critical infrastructure operation, and nongovernmental entities that provide cybersecurity incident response services.” CISA’s list of critical infrastructure sectors include: Information Technology, Communications, Healthcare and Public Health, Emergency Services, Financial, Energy, Food and Agriculture, Commercial Facilities, Critical Manufacturing, among others. For a full list of CISA’s current “critical infrastructure” sectors and a detailed discription of each, click here

To incentivize compliance, the law would allow the CISA Director to assess a civil penalty up to 0.5 percent of the entity’s gross revenue from the prior year for each day it violates the requirements under the law or under rules promulgated under the law. The Director would be allowed to “take into account mitigating or aggravating factors, including the nature, circumstances, extent, and gravity of the violations and, with respect to the covered entity, the covered entity’s ability to pay, degree of culpability, and history of prior violations.”

Click here to read the full Senate Bill.

New Treasury Department Ransomware Advisories Warn that Ransom Payment May be Sanctionable

by Margaret Young Levi and Kathie McDonald-McClure

Cyber attacks using ransomware have been on the rise during the COVID-19 pandemic.  Ransomware, whether it encrypts computer files or locks an entire hard drive, can block access to an organization’s essential operating data, unless the organization can obtain a decryption key. In many if not most cases, a decryption key is only available by paying a ransom to the cybercriminal.

On October 1, 2020, the U.S. Department of the Treasury Office of Terrorism and Financial Intelligence announced the issuance of two advisories aimed at fighting ransomware scams and attacks.  In making the announcement, Deputy Secretary Justin G. Muzinich said:

Cybercriminals have deployed ransomware attacks against our schools, hospitals, and businesses of all sizes. Treasury will continue to use its powerful tools to counter these malicious cyber actors and their facilitators.

The advisories also warned that those who facilitate ransomware payments may be sanctioned for violating Treasury law and regulations. However, Treasury’s efforts to crack down on ransomware in this way places its victims in the crossfire.  Ransomware victims may feel they have no choice but to pay the ransom if this is the only way to regain access to essential data, which is often the case when the most recent data back-up is also attacked and a decryption key is not available by other means.  Moreover, paying the ransom may be a matter of public safety.  For example, ransomware that locks healthcare providers out of patient electronic medical records, attacks computers that support life-saving medical devices, or that shuts down computers connected to automobiles and other consumer devices, could pose a risk of injury or even death.

Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory, entitled “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (Treasury Advisory). The Treasury Advisory is intended to educate financial institutions and others involved in cyber incident response measures about ransomware trends and indicators of ransomware as well as related money laundering activities.  More specifically, the Treasury Advisory addresses the following areas of concern:

CONTINUE READING

Ransomware Attack on Allscripts’ Cloud-Based EHR and E-Prescribing Platforms: What Providers Need to Know

pexels-photo-263370.jpegBy Kathie McDonald-McClure

What Happened. According to several healthcare news sources, on Thursday, January 18, 2018, Allscripts experienced a ransomware attack on the computer servers that host the Allscripts cloud-based EHR and the Allscripts cloud-based Electronic Prescriptions for Controlled Substances (“EPCS”) platform. Allscripts did not pay the ransom because it had recent data backups that were unaffected by the attack.¹

Initial Impact on Allscripts’ Clients. The EPCS reportedly was restored on Saturday, January 20, 2018. The EHR system reportedly continued to be adversely affected through at least Monday, January 22, 2018, with some providers still reporting log-in issues through Wednesday, January 24, 2018. Allscripts held a conference call with providers in which it advised providers that they may continue to experience usage interruptions with the cloud-based products until Allscripts completed a roll-out of security updates. During down times, Allscripts urged providers to use the Allscripts mobile solution (only available on the iPhone) to view medical histories and schedules but acknowledged that providers would be unable to Continue reading

New HIPAA Guidance on Ransomware: OCR’s encryption “gold standard” is no longer “golden”

By Margaret Young Levi and Kathie McDonald-McClure

softwareRansomware encrypts a user’s data and denies access to that data until a ransom is paid. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has released new guidance to help health care entities better understand and respond to the ever-increasing threat of ransomware.  On July 11, 2016, HHS posted a blog entitled “Your Money or Your PHI: New Guidance on Ransomware.”  The HHS blog post includes a Fact Sheet for health care entities regarding ransomware.  This blog post highlights some of the more striking points in the OCR Fact Sheet and considerations for entities subject to HIPAA in addressing ransomware attacks.

Ransomware can cause harm beyond denying access to data.  The OCR Fact Sheet provides useful technical details about how ransomware malware works, and notes that data can be exfiltrated (i.e., transferred outside the computer network system).  Exfiltration can occur before or after the ransomware attack that encrypts the data.  It depends on the type of malware employed in the attack.  An April 2016 ransomware report from the Institute for Critical Infrastructure Technology (ICIT) provides even more technical details about the types of ransomware currently in use.  The ICIT report states that advanced persistent threats (APTs) and other hackers interested in collecting confidential data use ransomware as a form of distraction while stealthily using other malware to exfiltrate data.

The use of ransomware has skyrocketed.  According to OCR, the number of ransomware attacks has risen steeply in the last year, from an average of 1,000 per day in 2015 to an average of 4,000 attacks daily since January 1, 2016, including some very public attacks on hospitals.  Hospitals and other health care providers are especially vulnerable to Continue reading