Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Support for AHLA comes from Clearwater.
As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant, and resilient state so they can
(00:20):
achieve their mission.
The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains, purpose-built software that enables efficient identification and management of cybersecurity and compliance risks, and a tech-enabled 24-7-365 security operations center with
(00:41):
managed threat detection and response capabilities.
For more information, visit clearwatersecurity.com.
SPEAKER_01 (00:53):
Good day.
This is Dave Bailey, Vice President of Security Services at Clearwater.
As ransomware attacks grow more sophisticated, healthcare organizations are facing not just massive data privacy risk, but real-time threats to operations, patient safety and regulatory compliance.
The fallout is no longer just about data.
(01:14):
It's about delayed treatments, system shutdowns and legal consequences with impacts that can linger for years.
In this episode of AHLA's Speaking of Health Law podcast, we'll explore how ransomware impacts everything from hospital workflows to enforcement actions, and most importantly, what can be done about it.
(01:34):
Joining me for this discussion are Kurt Nara, a partner with the law firm WilmerHale and co-chair of the firm's Cybersecurity and Privacy Practice, and Paul Schmelzer, a member with the law firm Clark Hill, who counsels healthcare clients on cybersecurity and privacy incidents.
Kurt and Paul presented on this topic at AHLA's Advising
(01:55):
Providers Conference earlier this year, and I'm excited to dive deeper on the topic of ransomware with them today.
Gentlemen, it's great to speak with you.
Let's jump in.
How have we seen ransomware attacks disrupting day-to-day healthcare operations beyond data access issues?
SPEAKER_02 (02:13):
Well, Dave, the operational impacts from a ransomware attack go beyond just access to the data itself.
A few years ago, for example, I had a client that was the victim of a ransomware attack, very specific servers that the threat actors hit.
When my client failed to acknowledge that there was a
(02:33):
ransomware demand and follow up with the threat actor on the dark web to negotiate with them, this threat actor, for example, started calling my client's healthcare operations nonstop, almost to the point where it just shut down their operations or their ability to conduct business via telephone.
So that's an example of where a threat actor, if they don't get the proper response they're looking for, can really disrupt
(02:56):
the daily operations.
But beyond that, the threats from a ransomware attack are much more severe and can be much more than just the data access issue.
For example, if the threat actors hit specific servers or specific medical devices within the facility, for example, infusion pumps or smart beds, then operationally, the practice
(03:21):
has to scramble to figure out how they're going to deliver treatment to patients without those medical devices, for example.
It could also be issues such as the inability to conduct operations and sending patients to another facility nearby if, for example, their EHR is down.
(03:41):
And rebuilding it or buying new servers is going to take some time.
And so these things aren't instant.
And so the operational impact when you have a ransomware attack like this goes beyond just the data access.
SPEAKER_01 (03:55):
Yeah, I echo those comments and would say we're into the disruptive nature of ransomware.
And obviously we're about a year out from Change Healthcare.
And I think we all saw what the potential impacts are when a major service that is required for a business to do operations
(04:16):
is not available due to that ransomware attack.
So, you know, once again, it's not just about the data recovery, but how is an organization, you know, how can they become resilient and be able to continue their business operations once this type of destructive attack happens?
SPEAKER_02 (04:34):
I would just add to that point that, you know, these attacks are becoming more and more sophisticated.
And the whole design here is to disrupt operations to the point where they compel the victim to pay a ransom.
So whatever they can do, whatever leverage they can have on the organization and however they can disrupt operations, that's what they're going to do to try to get a payment out
(04:56):
of the victim.
SPEAKER_01 (04:59):
How are regulators like OCR, FTC, state attorneys general responding to ransomware incidents in healthcare?
SPEAKER_03 (05:07):
Well, it's a tricky, it's a tricky issue for them.
I mean, they are, you know, for the most part, particularly, you know, OCR, which is a privacy-specific, privacy and data security-specific organization.
They don't necessarily have some of the patient care requirements or ideas in their mind; it's not really part of their authority.
(05:28):
And so what we're seeing is we're seeing regulators get interested in these events early on. You know, again, often you learn about them because, particularly if there's a major shutdown of a healthcare institution, the regulators will know about that before there's been any kind of breach reporting.
You know, the breach reporting is usually how they learn about
(05:49):
it.
So they know about these things early on.
So we're often seeing questions come in before, you know, the healthcare facilities really even know what they're doing, what they're, who they're notifying, who it's affecting, I mean, all kinds of issues like that.
And so one of the concerns that I have in just dealing with a lot of these issues is that regulator attention too early on
(06:12):
can actually be meaningfully disruptive of the ability to fight back in the ransomware attack.
So I'm a little bit concerned when we see regulator pressure actually create more problems for entities that are trying to recover and deal with the ransomware attacks.
SPEAKER_01 (06:32):
Yeah, no, that's extremely good insight.
And also knowing that when something like this happens, it's really important for an organization to understand what their obligations are as far as the response to those regulators.
And as we all know, we're continuing to see additional
(06:56):
pressures, change in law, change in focus on what will be required of an organization to be able to respond to these types of events.
SPEAKER_03 (07:06):
Well, one other point on that is that there's often a little bit of a disconnect between the impact from a ransomware attack and the typical regulatory obligations.
I mean, again, regulatory obligations typically flow toward "your data was impacted."
We're going to send you a letter telling you that your data was
(07:28):
impacted in connection with this.
If what happens is your record isn't available if you happen to be in the hospital that day, that's a very different look.
And the laws are not particularly well calculated for that.
And I can think of the first ransomware situation I was ever involved in.
(07:48):
There was no impact on the data.
The data was not taken.
The systems were shut down.
So it's a very different analysis.
And I don't think the, I don't think the laws are well targeted for that, because the laws are targeted to these notice points, which are really not the major concern, at least in the first
(08:08):
instance in most ransomware attacks.
SPEAKER_01 (08:11):
And how have you seen recent enforcement actions shape the way healthcare organizations need to prepare for ransomware threats?
SPEAKER_03 (08:21):
I mean, I guess...
I don't know that I look at the enforcement actions as shaping too much in the following sense, which is, I am always of the view, and this is something I say in speeches, I say to clients all the time.
I mean, companies should be doing aggressive security practices for their own selfish self-interest.
(08:44):
It's not because, it shouldn't just be because there's a legal obligation to do that.
And so, in connection with ransomware, what companies should be doing is they should be learning from the lessons that affected their peers or other people in the industry.
And so whether there's ultimately an enforcement action two, three, four years down the road in connection with one of
(09:06):
these things, companies have to be cognizant of what a ransomware attack is and what it means.
They have to be preparing for that now, again, independent of enforcement.
You could look at some of the enforcement actions.
There haven't actually been all that many tied to ransomware, but you can look through them in the same way that you could look at any, using OCR as an example.
(09:26):
You can go through OCR settlements and come up with a set of security practices that OCR has found to be problematic.
It's not that surprising a list, right?
You need to do your risk assessment.
You need to do a bunch of things like that.
So you can, I mean, maybe if I need to persuade a company who's not otherwise looking to do this in the first instance, I can
(09:50):
persuade them by saying, well, look, here's a bunch of cases that said A, B, C, D.
But for the most part, I want to say, look, you know what this risk is.
Let's think through how that kind of a risk could affect your company.
And let's plan for that in advance.
Again, it's in your own interest to do that.
It's not just a question of legal obligation.
(10:11):
And that's particularly true for a healthcare facility who's trying to serve patients.
I mean, you can't serve the patients if you can't access any of the records or the systems that allow you to treat them.
And the point Paul made earlier about medical devices and things like that, that's, again, that's a huge additional piece of that.
And so companies should be thinking about all of those
(10:31):
issues, not entirely separate from enforcement, but essentially independent.
Don't use the enforcement as a way to justify it.
Use the need to solve these problems and address these problems.
SPEAKER_02 (10:41):
Dave, let me interject for a moment here.
Kurt is right in what he just said, but I want to just add one thing.
There's been a recent uptick in, in really admittedly older investigations from 2019 through 2021, of settlements that are being announced by HHS OCR under their ransomware and risk
(11:02):
analysis initiatives.
And these are, they're relatively new terms that the settlements are being put under, or they're calling them these, these things.
And it's relatively new since the end of last year, but the fact is that these recent enforcement actions by OCR can, and unfortunately, I deal with a lot of the clients that Kurt's talking about that don't have the security in place, the
(11:26):
cybersecurity posture in place.
They don't do regular periodic risk assessments.
They need to be coaxed.
They need to understand, like, here are your obligations under state law and federal law, HIPAA, et cetera.
And so these OCR settlements, what they guide my clients to, at least to kind of bring them to water, is that they need to be
(11:46):
conducting annual, very thorough risk analysis.
And that's the biggest thing that's missing from a lot of these mid-sized to smaller practices.
They don't conduct an annual risk assessment.
That risk analysis is simply not there.
It's not documented.
And so when they're hit with a cyber attack, whether it's a ransomware attack or a business email compromise, they are
(12:08):
unprepared.
And when that resulting OCR investigation happens, they have nothing to show in terms of prior risk analysis.
So if I could distill this down into one thing that these enforcement actions shape, it's just the understanding to some people in the healthcare industry that they need to conduct periodic risk analysis.
(12:30):
And it's got to be thorough.
It just can't be something where you're going through the motions.
It really has to identify the risks that are unique to your organization.
And so that's the one thing that my clients that I have a hard time selling to, because they haven't bought into this already, need to understand.
SPEAKER_01 (12:46):
You know, I echo all of that and will say that it is very difficult in today's healthcare ecosystem to not manage to risk.
Like you have to understand what your risks are.
In order to do that, you have to know your adversary and understand that ransomware is real, that the adversary is
(13:08):
specifically attacking this particular industry for financial gain.
And they are very successful at it.
And doing that thorough risk analysis, understanding where all your PHI is and doing that asset-based approach to understand what risks you have and what you need to address and
(13:31):
prioritize.
If you're doing that through good risk management practices, you'll be in a better place and most likely minimize the impacts of these types of attacks.
With that said, certainly highlighting the practices that an organization needs to implement, I want to ask
(13:52):
specifically about incident response.
What do you think the most critical elements of ransomware-specific incident response are?
How do folks need to be prepared to respond to ransomware?
SPEAKER_03 (14:07):
Well, happy to jump in on that one.
I mean, one of the things that ransomware did as a concept is to focus attention on certain elements of incident response that, you know, in the early years of the HIPAA Security Rule, for example, I don't know how much attention people were really paying to things like their backups and how they were
(14:30):
going to run an emergency situation.
You know, when you were worried about a hacker just taking your data, you had certain things that you were going to prepare for on that.
Ransomware has forced a shift in that thinking.
It doesn't mean the other stuff isn't also important, but it means that you have to be planning for these alternative ways of doing your business.
(14:52):
And, you know, I think that one thing many companies have found is like, oh, yeah, we have a backup system, but when you try to access it, it doesn't work.
So I think the importance of having alternate ways of running your business, alternate paths to your data, alternate paths to your systems, and really thinking through that is the
(15:12):
main area that I think ransomware has uniquely focused attention on and really made that a core element of overall security protection.
SPEAKER_02 (15:25):
Yeah, I would agree with Kurt there, Dave.
You know, having access to good backups and testing your backups periodically, it's common sense.
It should be common sense, but for a lot of organizations, it's not treated that way.
And so they say, yeah, we have backups, but they don't test them.
And then the next thing you know, they're hit with ransomware.
(15:46):
Those backups either are not viable for whatever reason, or even the threat actor went in and corrupted those backups.
So they're not viable either.
So there's a lot of, you know, the threat actors, they're not stupid.
They, I mean, sometimes they are, but in general, they will go in and say, what are those pressure points I can inflict on this organization?
And if it involves a preemptive strike on the backups and then
(16:08):
going in and, you know, infecting the network and making it so that both the current EHR data and the backup data are unusable, that's an extra layer of stress on that organization.
And that's going to bring them to the bargaining table with the threat actor, which is what they want in the first place.
SPEAKER_03 (16:26):
And I think the other practice that I would really encourage is the use of good, thoughtful tabletop exercises.
I mean, I think people have, you know, the companies who are more thoughtful about these practices tend to go through the exercise of tabletops.
The companies, you know, some of the smaller, medium-sized companies that Paul was alluding to earlier who aren't focused on
(16:48):
this probably aren't doing a tabletop either, but really thinking through all of these issues to try to come up with a good creative scenario and really get the right, you know, the right people involved.
And it's not, you know, it's not a small group a lot of times.
I mean, that's one of the other striking things about so many of these incidents is how, you know, broadly these things are felt
(17:09):
across a company.
And you really want to make sure you're getting a good cross section of your population, not the consumer population, but I mean your employee population, involved in a good, thoughtful tabletop exercise.
Because those exercises, I'm not going to say it's 100% of the time, but boy, a really large percentage of them, people are, oh, yeah, we didn't think about that, or we missed that we
(17:30):
needed to include that, or we, you know, this new acquisition we had didn't get brought into the risk assessment, or we opened a new office that operates a different way, and we didn't factor that in.
So I think that those are, again, a really good, they're a backup to the idea about having good backups, but they're a strategic backup on that, to really run a good tabletop exercise.
SPEAKER_01 (17:51):
Yeah, no, I echo all of that and will say, I think some of the critical elements for ransomware: it's extremely important for organizations to understand what's important from a business perspective, having that good business impact analysis, because a good incident response plan should align to that business impact analysis to make
(18:13):
sure that they have the ability to quickly respond, certainly from how to deal with a disruption.
And I think that is key.
The other, the other thing that I always try to help with our clients is don't wait until the ransomware event to figure out who you need to talk to, and make sure that all of those key
(18:34):
stakeholders, not only your partners, but law enforcement, anybody that you feel would be involved if you had a ransomware incident, that you foster a relationship with that entity, that organization.
Because if you don't have one, speed is extremely important in response, and trying to figure out who you need to talk to
(18:57):
during a response can be very challenging.
And I think one of the visuals that I always had with tabletops is, if you ask someone, hey, do you have an incident response plan?
And they say, sure, we do.
And they take it off the shelf.
And once again, this is visual, that shiny brand new binder that
(19:19):
looks brand new.
And they say, here's the incident response plan, versus the person that takes off the ratty binder that has all the pages stuck in with the notes and the tabs and everything in it.
I would say that probably the ratty binder, that organization is better prepared because it means that they're practicing and that they're constantly going over the necessary things.
(19:41):
Because once again, this threat is real.
This is not a threat that, you know, may happen in healthcare, as we can see just by the number of threat actors alone that are targeting healthcare.
You know, you can look at all the statistics right now and go out and see how many of these threat actors are actually attacking the US healthcare industry.
(20:03):
And there's multiple, it's not just a small group of people there.
There are many cyber criminals that are, you know, trying to exploit this.
So I certainly echo.
SPEAKER_02 (20:15):
Yeah.
Let me add some to that, Dave.
I would just add that as someone who does a lot of tabletops for clients, I'll say that probably one out of every three or one out of every five clients that comes to me says, oh, I have an incident response plan, but it's not finished yet.
And they'll send me over what they have.
And it is basically an incident response plan.
(20:36):
And I go, well, what's not finished about this?
Oh, well, we need to do this or that.
We got to add this.
And I'm like, look, incident response plan.
When we go through the tabletop exercise, you're going to come back after that exercise and make modifications to it.
You're going to add to it.
This is a living, breathing document.
Like you said, the rattier binder on the shelf, that's the
(20:57):
one that's been pulled out and used more.
That's the one I'm looking for.
A lot of my clients, they've got these new, neat binders.
They haven't even broken, they haven't even put it in a binder, if you want to use the imagery there, because they're worried that it's not complete.
It's never going to really be complete, especially pre-tabletop, their first ever tabletop exercise.
(21:18):
And that's one of the purposes of these tabletop exercises, to go in and really test your incident response plan.
It's not set in stone.
It's going to be modified after.
We're going to learn lessons through the exercise.
It's going to get, you know, additional revisions to it.
And that's the thing.
A lot of my clients are like really hesitant to share this document.
I'm like, look, we need to see what it looks like now because
(21:40):
what it's going to turn out looking like post-tabletop exercise is going to be something that's going to be much more useful to your organization.
SPEAKER_03 (21:48):
Well, just to add to that, I think it's, I mean, that's a good way to think about it.
It's not that, you know, a tabletop that identifies additional things to pay attention to is not, you know, a low grade on your incident response plan.
It's exactly the kind of lesson you should be learning.
And so I think that point about perfection is absolutely right
(22:09):
on.
I mean, again, I wouldn't do a tabletop before you've even thought about what your incident response plan is.
But if you have, you know, if you have a document that's like, okay, here's, we've taken a shot at it, let's figure out how to make it work.
I think it's really, the tabletops are really good learning exercises to make sure that that incident response plan hits all the right things.
And Dave, I want to go back to one other thing you mentioned a couple of minutes ago that's just really important, is the law
(22:29):
enforcement connection on this, which is the relationship between industry and law enforcement in the data security world has not always been a smooth relationship.
And I'm not going to say it's always smooth now, but I will say that the attention that law enforcement gives to these
(22:50):
ransomware attacks is quite substantial, and they are often very helpful.
I mean, they're not going to give you everything they've got in their investigation.
But I mean, they can be very helpful.
They can give useful information.
They are often investigating the same kind of folks.
There's, I mean, I agree that there are lots of them, but there are certainly repeat players.
There are people who try to build a reputation in this area
(23:13):
for good or bad.
Law enforcement often can convey, you know, what they know about a particular threat actor.
And so I do think that having those relationships, at least knowing, you know, knowing who it's going to be and who you're going to reach out to, and you're going to think about, if you're a hospital system that has facilities in 10 different states, is there somebody that you're focusing your attention
(23:36):
on?
It's probably hard to get 10 different relationships going.
So I do think that that law enforcement component should be a critical part of not just ransomware, it's overall information security, but I think it's particularly useful in the ransomware context because the law enforcement people are more likely to have some useful information that they are often willing to share to some extent.
SPEAKER_01 (23:56):
Yeah, no, excellent point on that.
And we'll just say and remind everyone that ransomware is the end of the attack chain, which usually means that there's lots of things that have occurred up until that particular point, and the assumption is that the threat actor has your data.
And you may be at a point where you're noticing the disruptions
(24:18):
due to all the data encryption.
The days of ransomware being kept or swept under the rug are over.
Not that people should be doing that, but usually if ransomware has occurred, it means that there's a threat actor that's
(24:38):
already talking about it and is reaching out to you from an extortion standpoint.
They may already be going public with that.
You would have to assume that the news media and law enforcement are going to know, and I would just echo and tell everyone, at least have the relationship.
It's still going to be up to the organization and their ultimate
(25:00):
decision to involve who they feel they need to involve in the incident response.
But it's really good to have the relationship there with that.
All right, question for the both of you.
If you had a client right now today that contacted you and
(25:23):
said, hey, we're having a ransomware attack right now, what recommendations do you have for them and how they should go about navigating that ransomware incident?
SPEAKER_02 (25:36):
Kurt, you want to start this one off?
SPEAKER_03 (25:39):
Sure.
Well, look, I think the most important thing to be thinking about right away is what you think is impacted.
Now, lots of these incidents have sort of a, you know, I'm sure there's a military analogy, but like sort of a false front and then you move, you know, but because, and this goes back to
(26:00):
what Paul started off with in the discussion, I mean, because there are so many operational issues connected with that, you're really trying to triage that operational support.
You want to figure out where they are.
You want to get, you want to get your IT people or a forensic firm, if you're working with them, you want to get them involved quickly to make sure that you can try to limit the
(26:22):
access that they have.
I mean, there certainly have been a number of recent situations where quick action has not eliminated the threat, but it has prevented the spread of the threat.
And I guess that one thing that just also flags, you mentioned law enforcement a few minutes ago, having relationships.
I also want to make sure that your company has a relationship with a forensic firm upfront, who can be, you know, usually we try
(26:45):
to have, you know, a privileged engagement letter that we can sort of leverage quickly.
So you don't waste 24 hours or 48 hours figuring out who that is and getting a document signed and things like that.
You want to think about it.
This is part of your incident response.
You want to make sure that you've thought about the vendors that you need to have in place, including a law firm for that matter.
You want to have those in place right up front so that just
(27:07):
getting somebody up to speed and onboarded is not a delay factor.
Because really moving quickly in a very thoughtful way, I think, is the most important step there.
SPEAKER_02 (27:18):
Yeah.
And just to add to what Kurt just said, Dave, when, you know, in those initial minutes of a ransomware event coming in, my first question for the client is, what's the data?
What do we know about the data and what's impacted here?
Because that will really influence what forensic vendor I send them to, if they need a forensic vendor.
In a lot of cases, that's one of the first steps, is let's get in
(27:41):
outside forensics, because your IT people have probably been up for a little while trying to figure out what's going on.
Let's bring in some external help.
But the external help that's brought in, it really depends on the value and the flavor of the data that's impacted.
And we might not know this right now, but it really matters at some point to have that discussion.
(28:01):
And hopefully it's earlier in the event rather than later, so that I can bring in the right forensics firms.
So, for example, if I need a firm that is adept at negotiating with a threat actor on paying a ransom, you know, I'm going to go with one vendor over, say, another.
There's specific, you know, priorities and preferences I have; it really depends on the nature of the attack and what
(28:25):
data is at stake.
So that's really going to influence the next step.
But the next step in my head would certainly be to reach out to a third-party forensics vendor, in most cases, to assist with eradicating the threat and then rebuilding and determining what data is at stake.
SPEAKER_01 (28:44):
It's also important to add to that, if you don't already have an established incident response plan, to reach out to someone who can assist you in that response, not only from the first responder perspective, determining what happened, are you still under attack, but then help with the
(29:06):
potential things like ransomware negotiation, like helping with the understanding, do you pay or not pay?
Do you even have the ability to pay?
Are there Bitcoin avenues for you?
And you would certainly want someone with expertise that has dealt with ransomware negotiation to be able to assist
(29:28):
you in that particular process.
I think one of the biggest things that occurs in helping and prepping clients with their incident response is working with leaders in an organization that are ultimately going to have to make decisions with not a lot of information.
(29:49):
Most leaders like to have information at their fingertips in order to make a sound decision.
And at times, certainly in ransomware, the preparedness that they need to at least establish that, hey, I may not have all of the information but are going to have to make a decision that may be critical for us to, you know, not only survive but to, but to continue with patient care or, or, you know,
(30:13):
continue with the, the least amount of impact. So I think, um, that's some of the biggest things I would ultimately tell someone.
If it happens to you, please reach out.
Please reach out to folks like Paul and Kurt and understand and get help throughout the process.
I think it's extremely important.
SPEAKER_03 (30:32):
Well, and your point about leadership may be similar to what Paul said earlier about the perfection of the incident response plan.
It doesn't need to be perfect.
Move it along.
Here, you're never going to have all the information, exactly as you said.
And so I think... building that comfort level up front.
So have a company be cognizant of their general approach, be
(30:55):
cognizant of how this would actually work in practice.
I mean, some companies are going to have an absolute idea that they would never pay a ransom.
Then it hits and you've got all these challenges.
So I do think that it's like many of the relationships in this area.
It is always going to be better if you have built it upfront,
(31:18):
not in a crisis situation.
I mean, you can cement it, you can work, you know, but the crisis management is much better when you're working with people that you're used to working with and you're comfortable working with.
And that goes, you know, that goes for the internal legal, that goes for the IT security people, that goes for senior management.
That's true across the board on that.
(31:38):
Now that's not, you know, that's not always gonna happen.
And we certainly, I mean, Paul and I are both involved in situations where the first time you hear from a client is they're in the middle of a ransomware attack.
I mean, I'm always a little surprised by that.
But you have sort of a desired way to do this, which would involve before anything happens and thinking about their plans
(32:02):
and evaluating their security and working on all of that stuff.
And then you can get brought in in other situations that's less desirable, but where there's an ongoing active incident.
We also get situations where we're brought in after the incident to handle the regulatory investigations or notice questions and things like that.
So you've got that sort of timeline.
It's in the company's interest, as much as you can, to start at
(32:26):
the earliest part of that timeline that you can.
SPEAKER_01 (32:30):
Well, gentlemen, it has been an absolute pleasure today.
Kurt and Paul, thanks for the excellent insights that you shared.
And to our audience, thanks for listening.
We hope you found this episode helpful.
Have a great rest of your day.
SPEAKER_03 (32:44):
Thank you for having us.
Thank you, Dave.
SPEAKER_00 (32:51):
Thank you for listening.
If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.