
State sponsored threats faced by the healthcare industry

By Kevin Casey | May 16, 2023

Despite the recent overall decrease in ransomware attacks through 2022, the healthcare sector continues to be a target.

In 2012, ransomware began to gain traction as attacks spread across the world and made headline news. Attacks grew at a near-exponential rate as threat actors continually evolved their tactics and methods in search of ever-larger ransom payments. Historically, the healthcare industry has been one of the most heavily targeted by cyber threat actors, given the large volume of sensitive and confidential information healthcare organizations store and their need to quickly resume lifesaving operations. 2022 offered a glimmer of hope, with a sharp decrease in the number of reported ransomware attacks. Even with that promising news, several recent alerts highlight the need for continued vigilance in the healthcare sector.

The Health Sector Cybersecurity Coordination Center (HC3) was established by the U.S. Department of Health and Human Services to coordinate cybersecurity information sharing across the healthcare sector and help mitigate cyberattacks, including ransomware. HC3 recently issued an alert titled "Pro-Russian Hacktivist Group 'KillNet' Threat to HPH Sector." KillNet is a pro-Russian hacktivist group that previously launched distributed denial-of-service (DDoS) attacks against several airline websites and has now turned its attention to the healthcare and public health (HPH) sector. The HC3 alert warned that KillNet claimed to have compromised a U.S.-based healthcare organization that supports the U.S. military and threatened to sell the health and personal data of the affected individuals. The alert also provided practical steps to help healthcare entities prepare for and respond to a DDoS attack. The alert was warranted: Microsoft reported that daily DDoS attacks against healthcare organizations increased from 10-20 in November 2022 to 40-60 in February 2023.

Unfortunately, the KillNet alert is not the first alert HC3 has issued in connection with a sophisticated nation-state threat actor. In November 2022, HC3 issued an alert addressing state-sponsored Iranian threat actors known to target the healthcare sector. These actors use sophisticated social engineering, including spear-phishing campaigns, to gain an initial foothold in healthcare networks. Once inside, they move laterally and attempt to establish persistence, then locate and exfiltrate personally identifiable information (PII), including protected health information (PHI). Stolen PII can be used in later espionage campaigns or sold for monetary gain. The Iranian threat actors are also notorious for deploying destructive malware known as wipers, which erase or corrupt data on a victim's systems so that it cannot be recovered. One such attack against a children's hospital was thwarted in 2021.

Another alert regarding state-sponsored threat actors came in the form of an updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), issued as part of the ongoing #StopRansomware effort. The advisory warned that North Korean (DPRK) state-sponsored threat actors were using ransomware to target the healthcare sector. CISA warned that the DPRK actors were deploying ransomware such as Maui, as well as abusing legitimate encryption tools such as BitLocker to lock victims' data, and using part of the proceeds to fund cyber operations targeting the United States and South Korean governments. Unfortunately, these recent alerts represent only a portion of the threats the healthcare sector faces from state-sponsored actors.

In addition to the threats themselves, healthcare entities need to be cognizant of the additional compliance issues raised by the involvement of state-sponsored threat actors. In October 2020, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory on the potential sanctions risks of facilitating a ransomware payment to sanctioned persons or jurisdictions. We addressed this in a client alert. That guidance was updated in 2021 and provided examples of malicious cyber actors designated under OFAC's sanctions programs, including groups associated with Iran (SamSam), North Korea (Lazarus Group), and Russia (Evil Corp). U.S. persons are prohibited from engaging in transactions with individuals or entities on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List) or with those covered by comprehensive country or regional embargoes. As a result, a healthcare entity may be subject to civil penalties for sanctions violations if it engages in a transaction (e.g., a ransomware payment) with a sanctioned entity, person, or country. Notably, OFAC may impose civil penalties on a strict liability basis, meaning an entity can be held liable even if it did not know, or have reason to know, that it was transacting with a sanctioned party.

Given OFAC’s ransomware guidance and the potential for civil penalties, the alerts from HC3 and CISA on state-sponsored threat actors should be taken seriously by the healthcare sector.

Finally, the U.S. Food and Drug Administration (FDA) has issued new guidance to the medical device industry stressing the need to address cybersecurity risks in medical devices before they are approved for use. The FDA guidance comes several years after the devastating WannaCry ransomware attack, which was attributed to North Korea. WannaCry infected hundreds of thousands of devices across the globe and caused millions of dollars in damage. It was also widely considered to be the first instance of a ransomware attack directly affecting the operation of a medical device. In the years since WannaCry, the use of connected medical devices and other Internet of Things (IoT) devices in healthcare organizations has grown significantly, which, not surprisingly, has led bad actors to seek out new vulnerabilities to exploit.

Insurance implications

Most cyber policies afford coverage for ransomware and DDoS attacks. The typical cyber policy includes coverage for first-party incident response costs, including those incurred for breach counsel, digital forensics and incident response vendors, and extortion loss. However, coverage for extortion threats and DDoS attacks that may stem from state-sponsored actors is subject to certain conditions, which adds a level of complexity to evaluating coverage for these incidents.

If your organization is the victim of a ransomware attack, here are some important considerations:

  • You should report the incident to your cyber broker and cyber insurer, as well as any other insurer that may potentially afford coverage. There are several considerations to keep in mind when providing notice of a ransomware incident. It is recommended that your broker provide notice directly to the appropriate insurer on your behalf to help maximize the potential coverage. Your broker will have access to the key decision-making contacts at the insurer and will ensure that the correct details are provided, with the correct wording, to trigger all potentially applicable insurance policies available to you.
  • A cyber policy will likely require the insurer's prior written consent before any ransom payment is made. Your broker can advise you of your claim-related obligations and ensure that you communicate with the insurer during the claims process to obtain any consent the policy requires. Most cyber policies also contain an OFAC advisory notice specifying that any payment (not just a ransom payment) must be made in full compliance with all economic and trade sanctions. More recently, certain carriers have introduced specific territory exclusions and exclusions for state-backed cyberattacks, which may affect coverage under the policy. Insurers will require evidence that you are legally permitted to make a ransom payment in order to confirm that it is covered under the policy.
  • A cyber insurer will likely recommend engaging breach counsel, a digital forensics and incident response (DFIR) vendor, and potentially a ransom negotiator. These experts work together to assess whether a potential payment would violate U.S. sanctions, coordinate with law enforcement, and, if permissible, facilitate a ransom payment. You should consider engaging your own compliance team to work with the outside vendors to ensure compliance with OFAC requirements and avoid potential penalties.
  • In deciding whether or not to make a ransomware payment, the potential regulatory, operational, and financial impacts on the organization should also be carefully considered.


Despite the recent overall decrease in ransomware attacks through 2022, the healthcare sector continues to be a target. The healthcare industry faces threats from sophisticated state-sponsored actors, which adds a level of complexity to preparing for and responding to these incidents. A clear understanding of these threats and of the compliance issues associated with them, together with a risk transfer strategy, is imperative.


Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).


FINEX NA Cyber / E&O Coverage Analyst