Monday, October 12, 2020

Ransomware Victims Who Pay May Be Vulnerable to Fines from the Federal Government

The scourge of ransomware seems to be everywhere in healthcare these days.  Of course, it’s not just a healthcare problem.  A couple of months ago, GPS giant Garmin had almost its entire system knocked offline by a ransomware attack that made headlines all over the world.


This entire subject is a fascinating game of cat and mouse (unless you are unlucky enough to be involved), with companies trying to avoid paying ransoms while the criminals try to force their hand through escalation.  Many perpetrators now not only demand a ransom but also threaten to publish confidential data online.


One of the newer ploys involves copying data off the network before encrypting it.  Once the criminals gain access, they copy and exfiltrate critical and confidential data.  They then unleash the ransomware, which encrypts the files on the compromised computer.  In a worst-case scenario the ransomware spreads laterally, encrypting every reachable machine and network share.  The victim is then told that not only is their data encrypted, but that they must pay within X hours or the data is gone, PLUS the stolen confidential data will be released on the web for all to see.


Obviously there can be a great amount of pressure to pay the ransom in a scenario such as that, especially in healthcare, where HIPAA violations and the resulting fines loom large.  It used to be that a good backup could bring a business back without having to worry about paying the ransom, but a backup only restores availability; it does nothing about data that has already been stolen, and the threat of releasing it takes this to a whole new level.


But now, adding to all of the above stress and “worst case scenarios,” comes the possibility of being caught between the proverbial rock and a hard place.  If the Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned the ransomware perpetrators, paying the ransom can actually expose the victim to federal penalties.  The new guidance states that "a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC."


Basically, the translation is that even if you don’t know you are breaking the law, you can be held liable.  I’m not sure where HIPAA and the release of other confidential information fall within this, but it’s hardly equitable for a victim to continue to be victimized from both sides of the equation.  The Treasury Department advisory can be read here.

1 comment:

  1. Ugh. Stop paying to decrypt your files. Stop losing your files to ransomware. The tech is out there. Unfortunately, most small dental practices don't know how to use it and won't pay for an IT person to manage it. I recovered ~20 fully encrypted offices and had them back online in under 15 minutes, simultaneously.