
Bureaucracy is making hospital ransomware attacks worse


“I can tell you with complete confidence that ransomware attacks harm patients,” says Hannah Neprash, an associate professor of health policy at the University of Minnesota, who has researched the impact of ransomware attacks on U.S. hospitals and clinics and concluded that they result in higher mortality rates. “If you are a patient who has the misfortune of being admitted to a hospital when that hospital suffers a ransomware attack, the likelihood of you walking out the doors decreases,” Neprash says. “The longer the interruption, the worse the health outcomes.”

In the hours and days immediately following a ransomware attack, it is common for companies whose software connects to the targeted organization to withdraw their services. This can include everything from disconnecting medical records systems to refusing to email a victim of a cyberattack. This is where the so-called letters of assurance (sometimes called letters of guarantee) come into play.

“We’ve really seen demand for these letters increase in recent years as breaches have become much more litigated, from class action attorneys seeking settlements to lawsuits between companies,” says Chris Cwalina, global head of cybersecurity and privacy at the law firm Norton Rose Fulbright.

Cwalina says he’s not sure where and when the practice of sending letters of assurance began, but he says it likely started with lawyers or security professionals who didn’t understand the legal requirements or the risks they were trying to prevent. “There is no legal requirement to apply for or obtain certification before you can reconnect systems,” says Cwalina.

These assurance and certification letters are often written with the support of specialized cybersecurity companies working to respond to incidents. What can be reconnected and when will vary depending on the specifics of each attack.

But much of the decision-making comes down to risk, or at least perceived risk. Charles Carmakal, chief technology officer at Google-owned cybersecurity firm Mandiant, says companies worry that cybercriminals could move “laterally” from the victim into their own systems. Companies want to know that a system is clean and that the attackers have been removed from it, Carmakal says.

“I understand the reason behind the underwriting process. What I would say is that people need to really consider what the risk is associated with the level of connectivity between two parties, and sometimes people tend to go down the more restrictive path,” says Carmakal. For example, it is rare for Mandiant to see self-propagating, worm-like ransomware pass from one victim to another, he says.

“Vendors were interested in knowing that third-party, independent cybersecurity experts were collaborating with Scripps technical teams and verifying that malware was contained and remediated with reasonable best efforts,” says Thielman, CIO of Scripps Health. For Ascension, Fitzpatrick says, the company also held one-on-one calls with suppliers and hosted eight webinars in which it provided updates. It has also shared indicators of compromise (the traces left by attackers on its systems) with healthcare organizations and the US Cybersecurity and Infrastructure Security Agency (CISA).

Third party doctrine

Cybercriminals have become more brazen with attacks on hospitals and medical organizations in recent years. In one case, the Lockbit ransomware gang claimed it had rules against attacking hospitals, yet hit more than 100 of them. Often, these types of attacks directly impact private sector companies that provide services to public infrastructure or medical organizations.

“If you plausibly look at the threat landscape over the next few years, the disruption of public services and public activity caused by (cybercrime) activity affecting the private sector is likely to happen more and more,” says Ciaran Martin, a professor at the University of Oxford and former director of the UK’s National Cyber Security Centre. In these cases, Martin suggests, questions may arise about whether governments have, or need, powers to order private companies to respond in certain ways.
