Ransomware is cyber extortion

Ransomware is a form of cyber extortion — and a serious business risk. Ransomware occurs when a user cannot access his or her stored data because a cyber criminal has accessed the data; encrypted it; and sent a ransom demand for money in exchange for a decryption key. Ransomware is also considered “electronic vandalism,” as it can corrupt or destroy data in an infected computer system.

Any internet-connected computing device is a potential target. Typically, a ransomware incident starts when an employee opens or clicks on an email attachment that contains malware. Training staff members to never click on unsolicited links or attachments can help you avoid a malware incident.

Cyber extortion can include threats to:

  • steal, alter, or publicly disclose private information of third parties, as well as the business’ own private information;
  • carry out a phishing attack to obtain confidential information;
  • damage a business’ reputation on social media;
  • restrict or hinder access to a computer system, including a denial of service attack;
  • corrupt, damage, or destroy a computer system; and
  • electronically communicate with a business’ customers to falsely claim to be the business or acting under its direction to obtain customers’ confidential information (also known as “pharming” or “phishing”). 

Ransomware attacks often involve a business interruption. The interruption can be costly if it suspends business operations for days or weeks and results in lost income. There are often added expenses to restore critical databases and applications. (See our article “A group admin explains what business interruption really means.”)

For a medical practice, a ransomware incident can result in blocked access to patient records and disrupt important patient care services.

A computer system operated by a third-party vendor, such as a cloud service provider, can also be compromised and result in business interruption for any entity dependent upon the vendor’s hosted computer application services or processes.1 The ransomware attack that affected Allscripts and its clients is a prime example:

“In January of 2018, Allscripts experienced a ransomware attack that impacted an estimated 1,500 clients, which Allscripts described as impacting a ‘limited number of applications.’ The ransom was 30.4 BTC (bitcoin), which was roughly equal to $325,217.07 [at that time]. This number may not adequately describe the impact on affected organizations. Allscripts services include record and practice management, hosting, and electronic prescription services.

After the breach occurred, ‘many providers [did] not have access to patient medical histories, labs, scheduling or payment applications.’ For a small or medium size enterprise, such a loss may severely hamper the ability to offer care.” 2

When a ransomware incident encrypts protected health information (PHI), HIPAA considers it a “security incident,” a presumptive breach, and an impermissible disclosure — unless the health care provider (or business associate) can demonstrate a low probability the PHI was compromised. Retaining a privacy law attorney and a forensic firm are indispensable in determining if any PHI had been stolen and if it is a reportable privacy breach.

NAS Insurance Services’ 2018 Cyber Claims Digest: Analysis of 2017 Cyber Claims Data noted ransomware was the second most common cause of a cyber claim. Below is an actual health care ransomware claim scenario from NAS:

“Employees of a hospital discovered that their email accounts were not accessible. The hospital’s IT department investigated and discovered that a ransomware attack infected 70 servers and 600 workstations. The hospital had to close operations for 2 business days and suffered losses in relation to the event. Cyber Insurance covered a total of $567,350, as follows:

  • IT Expenses: $417,000 – Consultants were retained to immediately address the ransomware attack, secure data, investigate if any patient health information was compromised, and rebuild the hospital’s network.
  • Business Interruption Expenses: $65,000 – Several surgeries had to be cancelled resulting in loss of income.
  • Data Recovery: $76,000 – Numerous employees had to work overtime to recreate lost data from back-ups.
  • Ransom Amount: $9,350 – The hospital paid the ransom demand to regain system access.” 3

The rise of cyber extortion threats in health care requires strong, focused cyber risk management. The key to protecting a medical practice against a data compromise is to conduct real-time data backups and to test their integrity. Effective techniques for ensuring business continuity against cyber extortion attacks include:

  • using an external (offline) hard drive backup;  
  • hiring a secure and HIPAA-compliant cloud service provider; and
  • instituting an incident response plan with clear roles and responsibilities for staff.

All TMLT policies include Cyber Liability Coverage up to $100,000. This includes Cyber Extortion Coverage to pay extortion expenses and monies as a direct result of cyber extortion. If you have any questions about cyber security and your TMLT policy, please contact John Southrey at john-southrey@tmlt.org.

Sources and notes:

  1. TMLT’s Cyber Liability Coverage does not include coverage for a dependent business interruption (i.e., for an unplanned outage or interruption of a service provider’s computer system that your operations are dependent upon). However, coverage for dependent business income up to $1 million (sublimited) is available under our “Buy-Up” Cyber Liability program.
  2. NAS Insurance Services 2018 Cyber Claims Digest: Analysis of 2017 Cyber Claims
  3. The scenarios used are examples of the types of claims and associated costs commonly seen and do not represent a comprehensive explanation of any one particular claim. Coverage may not be available in all circumstances, as each reported claim will be evaluated on a case-by-case basis. The actual policy or endorsement language should be referenced to determine coverage applicability.


About the Author

John Southrey is the Director of Cyber Consulting Services at TMLT. John can be reached at john-southrey@tmlt.org.

Visit Website More Content by John Southrey
Previous Article
Get help with HR, employment issues
Get help with HR, employment issues

Learn about employment and human resources issues through the EPLI Pro website.

Next Article
Trust Rewards balances now on myTMLT
Trust Rewards balances now on myTMLT

View your balance on the TMLT member portal

WEBINAR: Lessons learned from OCR Resolution Agreements in 2020