A lawsuit working its way through the courts could have a lot to say about the liabilities facing organizations that have been hit by ransomware attacks – and could have implications for cybersecurity preparation and regulation in general.
The first lawsuit over a death allegedly caused by ransomware has been filed in Alabama regarding the case of an infant born at Springhill Memorial Hospital while the facility was impacted by a ransomware attack, according to a recent report in the Wall Street Journal.
In an interview with eSecurity Planet, Daryl Crockett, CEO of data management company ValidDatum, said the case has the potential to be a game-changer regarding corporate responsibility for the impact of ransomware.
“From a technological standpoint this is a fairly old case, so whatever was in place then probably isn’t relevant to what needs to be in place today – but it does tie together the absolute gravity of the situation that we’re in,” Crockett said.
Hospital’s Operations Hit by Ransomware
The legal complaint [PDF] notes that on July 9, 2019, the day it was hit by a ransomware attack, Springhill Memorial Hospital contended that the event had “not affected patient care.” And when Teiranni Kidd checked into Springhill to give birth one week after the attack, the complaint alleges, she “was not told that the hospital’s computer systems had been hacked, that they were not operating as needed, and that patient safety was implicated and could be compromised.”
When Kidd was induced, fetal tracing could only be recorded on paper, reducing the number of healthcare providers who could monitor her labor and delivery – and as a result, the complaint alleges, Kidd’s daughter Nicko “was profoundly brain-injured, required frequent oxygen supplementation, fed through a gastro-intestinal tube, and needed medication administration around the clock.” Nicko died nine months later, on April 16, 2020.
On a basic level, the case appears to have as much to do with communication and transparency as it does with cybersecurity. Key to the complaint is the alleged failure “to warn and inform Teiranni Kidd and/or her family members and physicians, before and during Teiranni’s admission beginning July 16, 2019, of the severity of the cyberattack.”
Cyber Insurance No Longer Reliable
Perhaps the largest lesson to draw from this case, Crockett said, is to take these threats more seriously and look beyond a simple cost-benefit analysis. Just assuming your cyber insurance will cover any issues that may be caused by a ransomware attack, she said, “is absolutely the worst way to think about all of this for a multitude of reasons, one being that the insurance company is doing everything they can to survive this storm, and as a result are going to be very difficult to deal with for settlement of any claims like this.”
Crockett said unofficial numbers indicate that only about 10 percent of such cyber insurance claims are paid out. “And even if it covered you for the amount that you had to pay for the ransomware, say it’s $2 million, let’s say that it covers you for that – which it probably won’t, but let’s just say that it does – the amount of disruption associated with getting back to normal operations is extremely expensive,” she said.
The Springhill case takes those potential expenses to an entirely new level, particularly if a company views its cyber insurance coverage as a reason not to worry about the effectiveness of its cybersecurity. “Now we’re looking at what are the other external damages that we could potentially be responsible for, and what harm could we cause because we were attacked by ransomware,” Crockett said.
While this may be the first lawsuit brought for an incident like this, Crockett said, there are countless ways that ransomware could cause bodily harm, such as the failure of traffic lights at an intersection leading to a crash following a ransomware attack on a power grid. “There’s a lot of potential harm that can come from these growingly massive attacks,” she said.
And in a healthcare environment, the data accessed by hackers can also be valuable on its own – exfiltration can be as much of a threat as encryption by ransomware. “That data can be used in who knows how many ways,” Crockett said. “There is potential harm associated with that, and possibly potential legal liability if you can prove that it was taken and used in a certain manner as a result of this particular event.”
More broadly, Crockett said, these kinds of attacks demonstrate a significant shift in the nature and scale of the threat. “It means that we’ve dawned into a new age now where we are really in a war,” she said. “And the war can be multi-pronged. In the case of ransomware, it’s a war for money, for ransom – but it’s also access and control over the data for exfiltration.”
Cyber Regulations Could Bring Fairness
In response, Crockett expects businesses will increasingly demand government action, which could take two possible forms. “The first one is to put pressure on nation-state supported or sponsored attacks, using political channels, pressure, or offensive retaliatory attacks – sounds a lot like war, doesn’t it? – to put pressure on criminal groups, or at least on states who look the other way and allow these types of criminal enterprises within their borders,” she said.
The second option, Crockett said, is to implement regulations requiring companies to meet a basic security standard, simply for the sake of fairness. “Let’s say that one hospital invests heavily in cybersecurity, and another hospital does not,” she said. “It’s a competitive advantage, at least in the short term, for the hospital that has not invested heavily in IT security, and not gone the next mile, as opposed to the first hospital that did. They’re at an economic disadvantage.”
And so the right kind of regulation could bring about improved cybersecurity across the board. “What the intervention of – and I hold my nose when I say this – government regulation, or setting more standards in this area, what it does is it levels the playing field and says, ‘Okay, everybody’s going to have to live up to certain standards,’” Crockett said. “It removes the economic unevenness that I think is happening right now, the hesitation in the market for investment.”
A Holistic Security Approach
Short of government action, Crockett suggested companies should take a more proactive and comprehensive attitude than simply patching security flaws as needed. “A good way to approach this problem is if you’re going through any kind of digital transformation, or even considering it, now is the time to do that, in combination with a revision of your IT data privacy and data security,” she said.
Too often, Crockett said, companies look at security as a discrete project rather than taking a holistic approach and combining cybersecurity enhancements with a broader digital transformation. “As you’re going through and implementing a zero-trust environment, or trying to get there, and you’re looking at how everybody does their job and what types of data they’re accessing, what a wonderful opportunity to make improvements in your business at the same time,” she suggested.
The result can be a significant improvement, company-wide, in data quality, data availability and data security. “People are realizing, ‘If I’m going to do this, I might as well do this the right way and get some business benefit out of it,’” Crockett said.
Prioritize Best Practices
Ultimately, Crockett said, the most important lesson to learn from the Springhill lawsuit is to understand the importance of assessing your security practices in detail. “Most of the time, when these events occur, there are procedures that we would consider best-practice procedures, standard procedures for a ‘well-governed’ organization, that were not followed,” she said.
Whether that means commonly available software wasn’t used, staff was untrained, or procedures were written but not followed, any of those things will make it much harder to file a successful insurance claim. “What we see a lot of times is that companies who don’t know better will fill out their renewal survey or assessment and put down things that they’re working on in current initiatives,” Crockett said. “But if an event occurs before they finish the implementation and deployment of that new process or technology, then one would argue that the insurance company made a bet on you based on information you gave that was false. So companies need to take those applications and renewals very seriously.”
And until government action levels the playing field for companies that prioritize cybersecurity, Crockett said, that responsibility – and its associated cost – will fall on each business individually. “Given the current climate that we have, and the threats all around us, it’s an amazing geopolitical economic disadvantage that we are in right now, as nation-states look the other way while their citizens hack at our country, and force us to spend dollars not on improving productivity and making better products faster or cheaper, or delivering better services for lower cost, but on building castle walls and platinum ceilings and floors to keep bad actors out,” she said. “This is a form of economic warfare.”