Ransomware and cybersecurity issues have been almost as prevalent in 2021 news headlines as COVID-19 and whatever the Kardashians are up to. Attacks on infrastructure, corporations, and health care providers have risen dramatically in the past two years, as internet security firms struggle to keep up with constantly evolving cybersecurity attacks. Unfortunately, attacks against law firms are also on the rise, as hackers realize that the confidential nature of law firm data can help them extort large ransoms from victims who want to quickly and quietly regain control of their networks. In many cases, a victim of these attacks may simply agree to pay the ransom to keep its business operational; however, that payment only serves to fuel the ransomware industry.
Defending against ransomware is a two-prong process that starts with developing a strong information governance program to prevent an attack from succeeding. Additionally, a comprehensive response plan should be developed should your network be compromised. Below I share some tips for ransomware prevention and cure. But first, what is ransomware?
Ransomware is a type of malware (harmful software) that seeks to encrypt or remove (kidnap) a target’s data, making it inaccessible unless a ransom is paid. Typically, the computers or servers on a network are inaccessible except for a ransom note indicating how to contact and pay the hackers. The hacker may threaten to disclose the information if the ransom is not paid or if the victim contacts law enforcement. It is estimated that hackers exfiltrate victim data in 70% of ransomware attacks. Additionally, a sophisticated cybercrime organization may lay in wait for months after infecting the network before activating the ransomware, with the intent of compromising data backups to prevent restoration without paying the ransom.
The reputational and financial damage created by a ransomware attack makes victims more willing to quickly pay the ransom so that operations can resume. If there is no other way of restoring the data, they may have no choice but to negotiate with the hackers. In fact, despite the FBI advising victims not to negotiate with hackers or pay a ransom, an entire industry has been formed around the need to negotiate with these bad actors. However, paying the ransom and unlocking the data does not cure any potential breach of sensitive information under state identity theft statutes and HIPAA (Yes, in many scenarios law practices may be considered business associates subject to HIPAA’s Security and Notification Rules.).
Why Law Firms?
In my practice, I primarily assist health care providers with prevention and response to cybersecurity attacks. Health care providers are prime targets due to the sensitivity of the data they maintain and the obligations they have to protect that data. Depending on what information is compromised by the intrusion, health care providers may have to provide HIPAA notification breaches and/or state privacy law notifications to affected individuals. A high risk of economic and reputational harm pushes health care providers to pay the ransom quickly to regain control of the information, and to prevent disruption of business operations. Law practices have very similar considerations. Law firms typically maintain and store large amounts of sensitive data that they are ethically required to protect. This data may include confidential health records, financial information, and other personally identifiable information. Additionally, law firms typically lag behind other industries in prioritizing information and network security. The American Bar Association’s 2020 “Cybersecurity” TechReport noted that only 43% of its survey respondents used file encryption and less than 30% had implemented any type of network intrusion prevention or detection.
Preparedness and Prevention
The first step in preparing for cybersecurity attacks is to make it a priority. Implement a team (do not dump all the responsibility on a single employee) to identify and address issues. Making it a priority also means allocating sufficient funds to deal with both the human and technological sides of preparedness. Your team should develop a plan, including policies and procedures for information security, employee training, and breach response. Basic standards of preparedness include developing policies for transfer, storage, and access of sensitive data. Any time data is transferred out of the network, encryption should be required. Additionally, consider limiting access to sensitive data to only those who need it. Other steps include obtaining cybersecurity insurance coverage, annual training of employees, conducting annual (or more frequent) risk assessments, and continuous phish testing (sending fake phishing emails to employees to see who takes the bait). Your cybersecurity team should work with in-house IT professionals and/or outside IT firms to develop a system of offline data backups, and a plan for rapid restoration of essential data should the network be encrypted. In some cases, systems can be restored from backups, and business operations can quickly resume without having to contact the hackers. Additionally, your team should work with IT professionals to conduct regular testing and hardening of network assets, including penetration testing (a simulated cyberattack). In many cases, early detection can be key, so consider employing real-time threat detection software or services from your IT provider.
A response plan should also be developed to outline how your team should quickly act if the practice falls victim to an attack. Cybersecurity attacks are not completely preventable. Hackers continually adapt and change their attack methods. The human element in inadvertently allowing a hacker to circumvent security measures will always be present. Therefore, a well-developed response plan is essential. Practices should consider who will respond when an attack is noted. Develop a call list that includes your response team, IT professionals, cybersecurity insurer, and potentially an outside cybersecurity response firm.
Response
Once an attack is noted, an all-hands-on-deck mentality should be adopted by your team (even if it’s in the middle of the night). IT staff or outside consultants should be contacted immediately. Time is of the essence if your data is actively being extracted from the network. Decisions may need to be made as to whether or not to take the network offline or to power down systems. Doing so before consulting with IT professionals could be detrimental to later forensic investigation of the attack. Many cybersecurity insurers have incident hotlines and response teams to help you navigate the early stages of an attack. These insurers will also have contacts and relationships with multiple cybersecurity forensics firms if you do not already have an adequate IT response team in place. Consider requesting assistance from federal law enforcement agencies. Many agencies including the FBI, Secret Service, and the Cybersecurity and Infrastructure Agency (CISA) assist ransomware victims. The easiest way to initiate help from law enforcement is to submit a complaint with the FBI’s Internet Crime Complaint Center (IC3). Additionally, it may be helpful to reach out to your local FBI field office. Many field offices have dedicated agents who provide cybercrime assistance and support.
Once the extent of the infection is determined, your team should develop a plan to examine the affected network assets for sensitive information. You may be obligated to report the breach of that information and to take steps to mitigate the damage of the breach under HIPAA and your state’s identity protection laws. Sensitive data found within affected systems should be cataloged and examined to determine if it qualifies as protected health information (PHI) or personally identifiable information (PII). In most cases, your organization may only have 30 to 60 days from the discovery of the breach to comply with relevant federal and state statutes for providing notification to affected individuals. You cannot typically toll these time periods while waiting for your IT team to complete their investigation.
Speaking of the investigation, do not be tempted to cheap out on your forensic investigation. If it is determined that network systems containing sensitive data were compromised by the hacker, a penny spent may be a dollar saved. An in-depth forensic investigation of your servers and firewalls can be a valuable tool in understanding what exactly was accessed by the hackers. For instance, whether or not the presence of ransomware on a network is considered a breach under HIPAA is a fact-specific determination. It may be possible to determine what data was or was not accessed or exfiltrated by the hacker by forensic examination of firewall and security logs, browsing artifacts and the method of intrusion into the system. In some instances, the forensic investigation can give a ransomware victim a basis to determine what sensitive data was actually compromised. This can reduce the number of affected individuals and in turn reduce the expense in providing notification and mitigation.
Increased Law Enforcement Response
If there is a silver lining to be found, it is that U.S. law enforcement agencies have recently stepped up their game in going after cybersecurity threat actors. U.S. Attorney General Merrick Garland recently announced several indictments for key individuals involved in recent ransomware attacks. Prosecutions are on the rise, notorious hacker groups have been shut down, and it appears some foreign governments may be cooperating in cracking down on threat actors within their borders. While this is a promising development in fighting cybercriminals, there is no shortage of new hackers rising to take their place. From 2019 to 2020, ransomware attacks increased by an estimated 158% in North America. It has also been estimated that global cybercrime for 2020 totaled more than $1 trillion. With that kind of money at stake, we will no doubt see continued cybersecurity attacks against public and private entities for years to come. Whether or not your law practice can survive such an attack tomorrow may depend on how well you prepare today.
Additional Resources
Several government agencies have comprehensive information for those wishing to better understand how to prepare and respond to a ransomware attack. Please see the following additional resources:
U.S. Department of Health and Human Services, Office of Civil Rights’ Ransomware Fact Sheet
U.S. Secret Service, Tips for Preparing for a Cyber Incident
About the Author
Daniel T. Swanson is a shareholder at London Amburn, P.C. in Knoxville, TN. He assists health care providers with regulatory and cybersecurity issues, including ransomware attacks, data breach response, and compliance with state and federal notification requirements.