Ransomware — A clear and present danger

TMLT remains committed to sharing information with our policyholders on how to protect their sensitive data. Below are three case studies that describe actual cyber claims reported to TMLT. The ultimate goal in publishing these studies is to help physicians respond appropriately to ransomware attacks.

Ransomware case study 1
A practice manager for a small specialty group opened an email attachment and immediately noticed that she could no longer open any files on her computer. She received a pop-up alert with a ransom demand. She contacted IT staff who advised her on initial steps to take.

During IT’s investigation, they found that several months had passed between the last system back up and the ransomware attack. A significant amount of patient data would have not been retrievable from backup, so the group reluctantly decided to pay the small ransom.

Three weeks later, the same employee received another ransomware notice. Again it was decided to pay the ransom, which had doubled in amount since the first attack.

Prompted by the second ransom attack, the group has changed its back-up process to ensure current back ups would always be available. They also employed additional layers of cyber security and trained staff on how to avoid phishing emails.

Because this incident happened before HHS requirements for reporting ransomware attacks, it was not reported as a breach to the practice’s cyber insurance carrier.

While traditional IT security includes firewalls and antivirus software, these tools no longer provide enough protection. Cyber criminals can bypass IT security, enabling them to pose as authorized users and unlimited access to networks. Finding the right solution to these vulnerabilities includes becoming smarter about data protection and privacy issues and educating your workforce not to click on suspicious links.

Ransomware case study 2

A medium-sized medical practice was unable to access their legacy practice management system. When IT was called, they reported a ransom demand on the server. IT staff took down the entire network to prevent the spread of the ransomware beyond the known server. A new server was restored from backup. Within two days, the practice was functioning normally.

This case demonstrates two important factors:
1. The importance of having a current and complete backup of all your data and a data recovery plan in place;
2. The importance of notifying your cyber liability carrier immediately to help you conduct the required risk assessment.

The infected server was examined to determine if protected health information (PHI) had been accessed and exfiltrated. The risk assessment to determine whether there is a low probability of compromise of the PHI must be thorough, completed in good faith, and reach conclusions that are reasonable given the circumstances. The HHS fact sheet “Ransomware and HIPAA” can help determine if a security incident or ransom attack constitutes a HIPAA breach.

Conducting frequent backups and ensuring the ability to recover data is crucial to recovering from a ransomware attack and ensuring the integrity of PHI. Test restorations should be conducted regularly.

Ransomware case study 3
A physician’s staff returned from lunch to find their network encrypted. Forensic IT specialists were unable to determine if ePHI had been accessed or exfiltrated. The assessment concluded that this incident was a breach, and 30,000 patients were notified. The costs of the forensic investigation, the breach notification process, and legal fees have exhausted the practice’s cyber policy limits. The physician is now responsible for the remaining legal costs related to the OCR investigation.

Before this incident, the physician believed that his practice was too small to be hacked, insisting “who would want my data?”

The practice has now invested heavily in new IT, cyber risk management, and cyber security services. An OCR investigation is underway, which will lead to additional work for practice staff.

Physicians and employees are the greatest vulnerability when it comes to ransom attacks; simply clicking on a link, opening an attachment or using weak or infrequently changed passwords can be the beginning of a long and costly process for practices.

What every physician needs to know: Wernicke’s encephalopathy after bariatric surgery

The TMLT claims and risk management departments have seen an alarming increase in the number of claims filed related to Wernicke’s encephalopathy (WE) following bariatric surgery. Specialties included in these claims are general surgery, emergency medicine, internal medicine, and gastroenterology.

Cyber monitoring partner eSentire offers security tips

eSentire — a company that partners with TMLT to offer 24-hour IT security monitoring — has published best practices related to this week’s WannaCry attack and ransomware attacks in general.

  • The eSentire threat intelligence team has issued a security advisory, which offers practical advice on how to protect yourself from this latest attack.
  • For ongoing protection and ransomware risk mitigation, eSentire has created a comprehensive eBook with recommendations that you can easily apply to your practice.
  • The eSentire advisory services team has prepared a ransomware incident response plan to assist you in preparing for a ransomware attack.

Contact our TMLT Product Development and Consulting Services team to learn more about eSentire and their services for physicians.

Risk alert: Ransomware attacks may continue

by Cathy Bryant

On Friday, May 12, health care organizations in several countries fell victim to the WannaCry ransomware infection. It is believed that these ransomware attacks will continue to spread today, as users log in to their computers to start the workweek.

TMLT policyholders are urged to do the following to prevent an attack.

  • Be extra vigilant about cyber security.
  • Emails may be the source of the ransomware. Look carefully at the sender’s email address. Spoofed emails look like they are sent from legitimate senders.
  • Do not click on links you are unsure of.
  • Do not open attachments you are not expecting or that you do not recognize.
  • Do not enable macros from email attachments.
  • Print the U.S. Department of Homeland Security Alert on the WannaCry ransomware  and share with your staff.
  • Conduct frequent education and reminders to staff on ransomware.
  • Make real-time backups and store offline.
  • Keep operating systems and all software applications updated.
  • Maintain antivirus, and anti-malware software.
  • Verify that your data recovery plan is current.
  • Consider testing your restore from backup to assure your back-up data will be available and complete.

If you are attacked

  • Disconnect the affected device from the network.
  • If the device is connected with a network cable, disconnect it immediately.
  • If the device is connected wirelessly; hold the power button down until the light goes off.
  • Notify your IT staff/consultant immediately.
  • Notify TMLT’s Claims Department to report the security incident under your cyber insurance.
  • Notify local law enforcement and the regional office of the FBI.
  • Report any ransomware incidents to the Internet Crime Complaint Center (IC3).

Stay vigilant

Security awareness and training is an ongoing process required by the HIPAA Security Rule. TMLT will publish a series of cyber security helpful tips on our website. Check the site regularly or follow us on social media for updates.

For more information on how TMLT can help you or to schedule a cyber risk assessment, contact us through  at consultingwebmail@tmlt.org.

Preserving evidence is vital in a ransomware attack

By Adrian P. Senyszyn, JD

A ransomware attack is pretty much what it sounds like — data held ransom. In these attacks, cyber criminals use software (ransomware) programmed to take control of and encrypt the data in a victim’s computer. (1) The criminals then threaten to destroy the data unless the victim pays a ransom.  And health care professionals are now the preferred targets of these attacks.

TMLT policyholders reported 112 cyber-related incidents in 2016. One-third of these incidents involved ransomware. If you are targeted in a ransomware attack, it is vitally important to immediately report the incident to your cyber liability insurer or nearby FBI field office.

In 2016, the Office of Civil Rights (OCR), issued guidance stating “[o]nce a ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures” and “document security incidents and their outcomes.” (2) The OCR considers ransomware attacks to be security incidents, which require covered entities to demonstrate “…that there is a low probability that the PHI has been compromised.” (2)

However, after a ransomware attack, it can be difficult to satisfy that requirement and properly demonstrate the low probability that your electronic protected health information (ePHI) was compromised. There are no published cases or guidelines from the OCR describing what evidence is necessary, and the OCR may determine that your risk assessment does not provide a “reasonable conclusion.” (2)

Determining whether a ransomware-related breach occurred becomes more difficult when a provider fails to accurately investigate and document the incident. Often the best evidence that could have been documented is wiped clean from the server or infected computer while repairing the ransomware damage. Preserving evidence to help you prove a low probability of compromise to ePHI should be a main goal for you or your IT staff after a ransomware attack.

Providers can take steps following an attack to help preserve evidence, which may help them meet their burden of proof and conclude that there was a low probability of compromise to ePHI. You can help protect evidence by following these best practices.

Immediately disconnect. Ask your IT company or staff to disconnect your network from the Internet immediately. Large amounts of data take time to download. The more quickly your system is disconnected from the Internet, the less likely it is that information was compromised.

Immediately shut down. Turn off your computers and servers, and remove the devices from the network to limit the spread of the virus. Talk with your IT staff or vendor about how to do this safely.

Investigate and document immediately. Once IT staff is on site, let them check your computers and servers. Make sure IT staff accurately documents their findings in an incident report that should be signed and dated. Screenshots or photographs taken by cell phones can help document evidence.

Determine the scope of the incident by identifying and documenting which networks, systems, or applications were affected; the name of the virus or malware; and the origin of the incident or vulnerability that caused it. Staff should document information related to the attack in separate incident reports that are signed and dated.

Do not wipe and rebuild your network. Erasing your servers and computers and restoring your information with clean back-up data can seem appealing. But don’t do it before thoroughly investigating and documenting the incident. By wiping the malware from your system, you are likely destroying the evidence that proves the ransomware did not exfiltrate data to cyber criminals. You also should consider whether a forensic investigation of your computers and servers would be appropriate.

Immediately contact your medical professional liability carrier. Call your carrier to find out if you have cyber liability insurance. This insurance normally covers the costs of ransomware removal, forensic investigation, breach notification, OCR investigation, and fines and penalties. If you do not have cyber liability insurance, ask for references of reputable attorneys who handle such cases. Purchase cyber insurance for the future, if you don’t already have it.

Immediately retain a lawyer who has handled HIPAA incidents. If you have cyber liability insurance, an attorney will be assigned within hours or days of your report. If you do not have cyber liability insurance, ask your insurance company for the names of reputable attorneys experienced with HIPAA and cyber liability insurance. Retain one immediately so they can coordinate with your IT staff or vendor.

Immediately hire an IT company specializing in ransomware remediation. If you have cyber liability insurance, an IT company specializing in ransomware removal will be assigned to remove the virus from your system. Once the IT company removes the virus, a forensic investigation can be performed, if appropriate. Computer forensic companies are very specialized, and not all IT companies have the skill or experience to perform a forensic analysis.

Consult your practice’s security policies and procedures. Your medical practice should have HIPAA Privacy and Security policies and procedures in place. If you do not have these policies and procedures, please contact your insurance carrier or a reputable attorney who can help you begin using a set of policies and procedures tailored to your office. Review your policies for guidance and forms related to incident reporting and assessing risks. Provide your policies and procedures to your attorney.

Have a security risk assessment done to your network within two weeks. It is very important to identify and correct all vulnerabilities that may have caused the incident. Once the ransomware is removed, have an independent company perform a risk assessment of your network. Your medical liability carrier should know reputable IT vendors who can help you. If you have not had an independent security risk assessment performed in the past year, I highly recommend having one performed based on the recent evolution of cyber threats.

Identify and correct vulnerabilities within 30 days. As part of your efforts to mitigate the harm from the attack, and to show diligence in correcting the vulnerability and protecting patient information, make all corrections identified by the security risk assessment within 30 days of the incident. Document all corrections and any sanctions issued.

Paying the ransom demand? Avoid paying the ransom if possible. Although experts do not condone paying a ransom demand, they have acknowledged — depending upon the circumstances — that some practices are left with a tough business decision. If you cannot restore your critical operational data from a recent data backup or decrypt your corrupted files using a third-party decryption tool, you may want to negotiate and pay the ransom (usually a Bitcoin payment) as a last resort. There is no guarantee the hacker will give you the decryption key, but in many cases they do. There also is no guarantee that all of your data will be restored from the damaging effects of the virus.

For more information on cyber liability coverage and cyber risk management resources, please contact John Southrey at TMLT at john-southrey@tmlt.org.

To report a cyber claim, please contact TMLT at 800-580-8658.


1. Typical ransomware software uses RSA 2048 encryption to encrypt files. To illustrate how strong this encryption is, it would take the average desktop computer around 6.4 quadrillion years to crack an RSA 2048 key. From Ransomware: Hostage Rescue Manual. Available at KnowBe4 2016.

2. Department of Health and Human Services Office of Civil Rights. Fact sheet: Ransomware and HIPAA. 2016. Available at https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf. Accessed May 2, 2017.
Adrian P. Senyszyn, JD, is a partner at Brin & Brin, P.C. in San Antonio, Texas. He can be reached at asenyszyn@brinandbrin.com.