Cyberattacks have risen dramatically in recent years, and there is every reason to believe this trend will continue in both frequency and sophistication. The exposure of information through a cyber breach can carry extensive legal, financial and reputational liability.
Advance preparation for the consequences of a successful cyberattack is essential to minimizing that liability, and timely crisis management protocols are a core part of that preparation. Having an experienced team already in place for efficient and effective response makes all the difference.
Below is a case study in which RSLG was involved that illustrates the value of advance preparation.
BACKGROUND
The Board of Directors at a midsized regional health system was considering a confidential merger offer with another health system. The merger would have doubled the number of beds and footprint of the system.
On a Friday afternoon, before a three-day weekend, the CIO received a ransom email from an unknown source stating they knew about the merger plans and had personal details of 50,000 patients. A sample of personal details for 500 patients was included in the ransom email as “proof.” The email stated that unless a Bitcoin ransom was paid, they would publish the merger plans and sell the patient information.
RSLG was already conducting due diligence for the merger and was immediately engaged as legal counsel to manage and advise on the incident response, working with forensic computer specialists to assess and contain the threat.
Within 24 Hours: Assessment and Recommendation
The first step was to validate and assess the threat. The forensic team found a discussion on a Tor site offering to sell the information of the 50,000 patients, with the same 500 patients' information provided as a "sample." Our investigation determined that the client's server logs showed an extraction 60 days earlier. However, careful review of those logs revealed no evidence that the information of 50,000 patients had been compromised; the evidence pointed only to the 500 patients whose details were attached to the original ransom email. In addition, the forensic review found no evidence that our client's systems, e-mail or other sensitive documents had been breached.
Since there had already been public speculation about a potential merger between the two health systems, and there was no evidence of a breach wider than 500 patients, RSLG concluded, and so advised our client, that the hackers were most likely bluffing. The hospital system decided not to pay the ransom.
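The scoping step above, comparing what the extortionist can prove against what the logs show actually left the environment, is the check a responder would want to see in concrete form. The following is an added example, not code from RSLG or from the case: it parses constructed web-server access log lines (the format, paths, IP addresses and patient IDs are all assumptions for illustration), isolates patient records returned to external addresses, and tests whether the ransom "sample" is fully explained by that evidence and whether the logs could support the larger claimed total. Denied bulk-export attempts are surfaced separately, since they are evidence about intent and about what the attacker did not get. Note the built-in caveat: a finding of "no evidence" bounds the breach only as far as the logs are complete and cover the relevant window.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the case). One external address,
# 203.0.113.7, pulls three records, misses one, and is refused a bulk export.
# 10.x addresses are assumed to be the hospital's own internal network.
ACCESS_LOG = """\
2023-08-14T02:11:05Z 203.0.113.7 GET /api/patients/1001 200 812
2023-08-14T02:11:06Z 203.0.113.7 GET /api/patients/1002 200 790
2023-08-14T02:11:08Z 203.0.113.7 GET /api/patients/1003 200 801
2023-08-14T02:11:09Z 203.0.113.7 GET /api/patients/9999 404 120
2023-08-14T09:30:12Z 10.0.5.21 GET /api/patients/1001 200 812
2023-08-15T11:02:44Z 10.0.5.33 GET /api/patients/2001 200 770
2023-08-16T03:45:00Z 203.0.113.7 GET /api/patients/export?all=1 403 95
"""

# Assumed log line layout: timestamp, client IP, method, path, status, bytes.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)
# Assumed URL shape for a single patient record.
PATIENT_RE = re.compile(r"^/api/patients/(?P<pid>\d+)$")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def is_internal(ip, internal_prefixes=("10.", "192.168.")):
    """Crude internal/external split; replace with the real address plan."""
    return ip.startswith(internal_prefixes)


def records_served_externally(text):
    """Map external IP -> set of patient IDs actually returned (HTTP 200)."""
    served = defaultdict(set)
    for e in parse_log(text):
        if is_internal(e["ip"]) or e["status"] != "200":
            continue
        pm = PATIENT_RE.match(e["path"])
        if pm:
            served[e["ip"]].add(int(pm.group("pid")))
    return served


def bulk_attempts(text):
    """External requests that look like mass export, with their status.
    A 403 here is evidence the attacker tried for more and was refused."""
    return [(e["ip"], e["path"], e["status"])
            for e in parse_log(text)
            if "export" in e["path"] and not is_internal(e["ip"])]


def assess_claim(text, sample_ids, claimed_total):
    """Compare the extortionist's sample and claimed total with log evidence."""
    served = records_served_externally(text)
    evidenced = set().union(*served.values())
    sample = set(sample_ids)
    return {
        "evidenced_count": len(evidenced),
        "claimed_total": claimed_total,
        # Every sample record has a matching external retrieval in the logs.
        "sample_explained": sample <= evidenced,
        # Sample records with no log evidence: a gap in logging or another path.
        "sample_unexplained": sorted(sample - evidenced),
        # Records the logs show leaving that the attacker did not mention.
        "beyond_sample": sorted(evidenced - sample),
        # Logs can only support the claim if they show at least that many records.
        "claim_supported_by_logs": len(evidenced) >= claimed_total,
        "bulk_export_attempts": bulk_attempts(text),
    }


if __name__ == "__main__":
    # Ransom "sample" of three IDs against a claimed 50,000 (constructed).
    result = assess_claim(ACCESS_LOG, [1001, 1002, 1003], 50_000)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In a real engagement the same comparison runs over every system that could have served the data, not one web log, and `sample_unexplained` being non-empty is the important signal: it means the attacker obtained records through a path the logs do not show, so the "no wider breach" conclusion cannot yet be drawn.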
Within 48 Hours: Reporting and Communications
Given the extortion, data theft and blackmail, RSLG reported the incident to the Federal Bureau of Investigation and U.S. National Cyber Crime Unit at the Department of Homeland Security.
A timely response was necessary for the 500 patients whose information had been published. The data involved patients' names, home addresses, e-mail addresses, home phone numbers and dates of birth: data of high utility to attackers for identity theft or social engineering. The decision was taken to notify these patients of the breach and to give them practical guidance on reducing the risk of identity fraud. A breach notification was also prepared for the Secretary of the Department of Health and Human Services (HHS) before the affected patients were notified.
Communications had to be carefully managed throughout the investigation. The key was transparency: the press release and other notifications would be scrutinized by regulators and patients, so RSLG ensured that every communication was legally sufficient and consistent across its technical, legal and commercial messaging.
Steps During Following Week
Best practices in corporate governance require timely reporting of a major cyber security incident to the Board of Directors. In the context of the potential merger, due diligence would examine the adequacy of the health system's cyber security, and any deficiency could devalue the company. RSLG facilitated the discussion between the Board of Directors and the prospective purchaser to resolve potential issues, and was present during these discussions to advise the Board on management's response and follow-up to the breach. Since the incident had been reported to HHS, a formal HHS investigation followed. RSLG assisted management throughout that investigation and with regard to future preventive actions.
RSLG's investigation revealed that the health system had been compromised through a combination of human error, insufficient procedures and processes, and technical vulnerabilities in its IT systems. Further, it was evident that these deficiencies could have been identified before the breach through careful legal and technical review.
Remediation During Following Months
RSLG provided the health system with a comprehensive list of remedial measures for its systems and processes. As part of the remediation stage, we recommended that the day-to-day network be segregated from the network storing sensitive personal information and the healthcare systems. We then worked closely with our client to improve its policies, procedures and employee awareness and so increase the maturity of its cyber program. Ongoing review would be necessary as the health system evaluated the complexities of moving data storage into the cloud.
CONCLUSIONS
An absolutely critical factor in responding quickly, appropriately and effectively is having the proper relationships and team in place. Many responses lose their effectiveness, or compound the problems, when the first 12, 24 or 48 hours are spent establishing new relationships instead of responding and restoring operations. Having the right team in place, with competence and expertise, makes all the difference. The consequences of not being prepared are simply too great.
This case study highlights the need to have the proper crisis management team in place. The stakes are too high given the many regulatory compliance challenges facing companies today. Ongoing due diligence and risk management practices require companies to have outside legal counsel in place, much as they engage outside financial auditors.