Ransomware, COVID-19, and regulations

Given what the healthcare industry faced in 2020, the seventh edition of our Data Security Incident Response (DSIR) Report, Disruption and Transformation, is aptly titled. As if fighting the COVID-19 pandemic weren’t enough for the industry to tackle, it also faced a surge of ransomware attacks, evolving legal/regulatory considerations, and novel and complex issues presented by pandemic- and technology-driven changes.

The growing wave of ransomware incidents that we saw toward the end of 2019 continued in 2020. Now, however, healthcare organizations are faced with a diabolical twist—in addition to the operational disruption, threat actors are now routinely stealing data and threatening to publish it online as an extra inducement for a ransom payment. With this new tactic, which took off in 2020 and is now the norm for nearly all ransomware matters we handle, came much higher ransom demands, longer downtime, and a significant increase in the number of patients requiring notification per HIPAA regulations.

While fending off cyber threats, we saw healthcare organizations confront the pandemic by transforming the availability and provision of patient care almost overnight through telemedicine. As a further challenge, organizations are dealing with a rapidly evolving legal and regulatory landscape. The 2020 regulatory and legal highlights include:

This is an excerpt from members-only content. Please log in or become a member to access the full content.