A ransomware attack is a major threat affecting all sectors of business, including healthcare. Organizations typically follow state and federal privacy laws as part of their ransomware prevention and response measures. Beyond these privacy laws, every organization should also be aware of U.S. sanctions law in its response to a ransomware attack.
As a reminder, on October 1, 2020, the U.S. Department of Treasury Office of Foreign Asset Control (OFAC) issued an advisory warning regarding the risk associated with making a ransomware payment. Federal laws prohibit U.S. persons or entities from paying individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons list (SDN List) or those covered by comprehensive country or regional embargoes such as Cuba, Iran, North Korea or Syria. For example, a U.S. person or organization making a ransomware payment could be found to have violated OFAC sanction laws if the recipient of the ransomware payment is located in North Korea. Additionally, OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program.
What is at Stake
OFAC may hold a person “civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” Such civil violations are strict liability offenses, and willful criminal violations are subject to significant monetary penalties and potential incarceration.
How to Prepare
An organization should incorporate elements of the compliance framework issued by OFAC into its compliance program to reduce the risk of sanctions. These compliance elements are: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
- Management Commitment: Senior management should support their organization’s OFAC sanction compliance program by recognizing the seriousness of apparent violations of OFAC laws and regulations and retaining personnel with technical knowledge of OFAC regulations.
- Risk Assessment: An organization should conduct a routine ongoing OFAC risk assessment that adequately accounts for the potential risks and develop a methodology to identify, analyze and address the particular risks it identifies.
- Internal Controls: Effective internal controls involve an organization communicating its OFAC compliance policies and procedures to all relevant staff, including relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.).
- Testing and Auditing: An organization should employ testing or audit procedures appropriate to the level and sophistication of its sanction compliance program. This function, whether deployed internally or by an external party, should reflect a comprehensive and objective assessment of the organization’s OFAC-related risk assessment and internal controls.
- Training: An effective training program should provide OFAC-related training with a scope that is appropriate for a company’s products and services, the customers, clients and partner relationships it maintains and the geographic regions in which it operates.
Ransomware Best Practices
In addition to establishing a sanction compliance program, an organization should also implement certain best practices:
- Data Backup: Maintain offline, encrypted backups of data and regularly test the backups;
- Recovery Plan: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location;
- Cyber Incident Response Plan: Create, maintain and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident; and
- Network Segmentation: Predefine network segments, IT capabilities and other functionality that can either be quickly separated from the greater network or shut down entirely without impacting operations of the rest of the IT infrastructure.
Whether an organization should give in to the ransomware attacker’s demands and pay to regain access to their data or systems is a challenging question. As noted by Michael Rogers, the former Director of the National Security Agency, “there’s no singular yes or no.”
Given the potential risks of a ransomware attack, as well as the resources now available regarding ransomware attacks, an organization should proactively put into place appropriate backups, plans and processes to address ransomware attacks, including running a cyber attack simulation.
Furthermore, an organization that is the target of ransomware attacks should consider immediately notifying the OFAC Sanctions Compliance and Evaluation Division (email@example.com) in the event of a cyber attack where a ransomware payment may involve a sanctions nexus to minimize the sanction risk.
Our Health Law Ticker is a one-stop resource for everything new and noteworthy in healthcare law. We cover recent developments in healthcare legislation, healthcare reform, Medicare/Medicaid, managed care, litigation, regulatory compliance, HIPAA, privacy, peer review, medical staffs and general business operations for healthcare companies and licensed healthcare professionals.