DLA Piper Falls Victim to Latest Cyberattack

After last month’s WannaCry ransomware attack infected thousands of businesses and individuals across the globe, law firms were identified as likely targets of future, similar attacks. On Tuesday, multinational firm DLA Piper became the latest victim of a major cyber hack.

The Petrwrap/Petya attack, which was found to have originated in the firm’s office in Spain, caused DLA’s network and phone system to be shut down. Employees were instructed to turn off their computers and to unplug their laptops from the network as a precaution. During the shutdown, a DLA Piper spokesperson said in a statement: “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.” DLA worked with external forensic experts, including the FBI and UK National Crime Agency, to get its systems back online and recover from the attack. Nonetheless, the firm’s lawyers were without access to company phones and email due to the lockdown.

In addition to DLA Piper, other large companies were hit, including Russian oil producer Rosneft and Danish shipping company Maersk. Though first reported in the Ukraine, where the most severe damage has been sustained, the virus quickly spread to the United States and Europe. United States-based pharmaceutical company Merck was also infected. DLA Piper has experienced effects of the attack in its offices globally.

While DLA Piper is the only law firm that has been reportedly attacked by the Petrwrap/Petya ransomware thus far, experts have indicated that law firms, generally, are attractive targets for hackers, as they maintain an abundance of highly-sensitive client information on their systems. Many smaller firms are vulnerable and easily exploited because they do not have the infrastructure to protect themselves against cyber threats. Yet, as can be seen, these increasingly pervasive attacks can cripple even the most prepared companies. In fact, DLA Piper, a firm with a global cybersecurity team, published an article in the wake of the WannaCry, titled “9 Things You Should Know to Protect Your Company from the Next Attack.”

Details about the Petrwrap/Petya ransomware, including how it is spread, are still being investigated. Researchers have reported that it is both similar to and different from WannaCry in various ways. Needless to say, in the face of another widespread attack, it is more important than ever for law firms to be vigilant against cyber threats.

 

Recent Massive Ransomware Attack Underscores Importance of Keeping Operating System Software Updated and Vigilance Against Suspicious Emails

On May 12, 2017, countless individuals and businesses worldwide were the targets of what experts deem the largest ransomware attack in history. In this attack, hackers sent emails containing encrypted .zip file attachments, which, when downloaded by the email recipient, infected the recipient’s computer with ransomware that commandeered and locked the computer’s files. The files were rendered inaccessible and released only upon payment of a bitcoin ransom to the hacker. According to reports, over 74 countries were hit by the attack, and hospitals and government agencies were among the victims. The damage, monetary or otherwise, resulting from the attack remains to be determined.

“Wannacry,” the name of the ransomware variant used in this attack, is reportedly derived from a stolen NSA hacking tool. The ransomware exploited Windows-based operating system vulnerabilities in computers that were not patched with the latest software update from Microsoft.

Although individuals and businesses in the United States remained largely unaffected, many experts say that this recent attack merely foreshadows future attacks of this scale that may potentially reach users stateside. As hackers become more sophisticated, attacks of this type may become the new normal. Given this new reality in the world of computing, it is increasingly important that computer users, particularly organizational users with databases and systems that house confidential and sensitive information, such as personally identifiable information (“PII”) or protected health information (“PHI”), ensure that computer systems are regularly updated with operating system software and security patches. Equally important is implementing organizational policies and procedures that require and encourage users to be vigilant against indiscriminate accessing and opening of suspicious emails with infected attachments and links.

Ransomware: Preparing for the Storm That’s A Brewin’

On July 11, 2016, the Office for Civil Rights (“OCR”) published guidelines for ransomware attack prevention and recovery, including the role HIPAA has in assisting covered entities and business associates prevent and recover from such attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack. According to the OCR report, there have been 4,000 daily ransomware attacks since early 2016, up 300% from 2015. Earlier this week a healthcare IT Security Consultant told me the chatter he hears is the hackers are working on stronger, more aggressive, more deadly hacks to unleash, and he fears a hacking storm a brewin’. Time to get serious and batten down the hatches, folks!

8-3The OCR report describes what a ransomware attack is, and explains that maintaining strict HIPAA Security Rule compliance can help prevent the introduction of malware, including ransomware. Some of the required security measures discussed include:

  • Implementing a security management process, which includes conducting a risk analysis and taking steps to mitigate or remediate identified threats and vulnerabilities;
  • Implementing processes to guard against and detect malicious software;
  • Training users on malicious software protection; and
  • Implementing access controls.

Ransomware gets into your system, denies you access to your data (usually through encryption), and then directs you to pay a ransom to the hacker in order to receive a decryption key. For this reason, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to surviving a ransomware attack. HIPAA compliance helps protect entities because the Security Rule requires covered entities and business associates to implement a data backup plan as part of an overall contingency plan, which includes periodic testing of the plan to be sure it works.

The presence of ransomware – or any malware – is considered a security incident and triggers the need to initiate security incident response and reporting procedures. Based upon an analysis of the investigation results, breach notification may be required. Additionally, if there is an impermissible disclosure of protected health information (“PHI”) in violation of the privacy rule, there is a presumed breach which may trigger notification. Whether or not the presence of ransomware would be a breach under HIPAA Rules is thus fact specific. However, unless the entity demonstrates there is a “…low probability that the PHI has been compromised,” a breach of PHI is presumed to have occurred and the entity must comply with the applicable breach notification provisions.

Further information and a copy of the OCR report can be found here.

‘The Dark Overlord’ Places Healthcare Databases on Dark Web

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently it was shortly after that a fourth stolen database consisting of a reported 9.3 million individuals records from a health insurer went up for sale. The hacker taking credit for all refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities of their systems, and offered to fix or reveal the problems, for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid the hacker moved on to Plan B – sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets – Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness – have been identified. The hacker accessed electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however,  is alleged to have materialized only after events of last weekend, when 500 patients records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the [expletive omitted] up.”

Notably, according to reports on Databreaches.net, both entities have acknowledged that the attacker likely got access by an unnamed third party contractor (presumably the EMR vendor). Databreaches.net claims however that neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons- or at least questions- must be in the minds of any healthcare organization as they learn of these events. First is to question of whether your own data security is protected from such attacks, or are you vulnerable as well? How safe is your EMR system? How closely do you audit and monitor the third party vendors you contract with? Second, and something I think every organization should have at least a working framework to use for analysis in the event they find themselves the recipient of a post-breach ransom demand, is, what will your response be in the event you receive such a demand?