On Wednesday, March 8, James B. Comey, Director of the FBI, was at Boston College to deliver the keynote address for the inaugural Boston Conference on Cyber Security (BCCS 2017).  Director Comey addressed various industry, cyber security, FBI, law enforcement and military experts in attendance regarding current cyber threats to both industry and government assets and the FBI’s approach to confronting them.   During his remarks, Director Comey was asked to opine on the biggest cyber threat to healthcare providers, to which Comey quickly responded, “ransomware.”

Ransomware is malware that installs covertly on a computer, tablet, or other mobile device and encrypts the victim’s data, preventing access unless and until the victim pays the ransom, typically in the form of bitcoins.  Healthcare providers are appealing ransomware targets because they are dependent on immediate access to real time data in order to care for their patients.  For those same reasons, healthcare providers often elect to pay the ransom to unlock their records, making them a lucrative target for hackers.  Director Comey’s advice to health care providers was twofold:

Never Pay Ransom:  The advice to never pay ransom was echoed by a number of intelligence and security experts during BCCS 2017.  According to Director Comey, the payment of ransomware by one healthcare provider emboldens attackers and proliferates the attacks, placing other healthcare providers at risk.

Maintain Adequate Backup Systems:  Comprehensive business continuity plans and data backup are the only surefire way to continue critical operations following a ransomware attack and avoid paying ransom.

Director Comey also encouraged healthcare providers to work closely with the FBI by reporting all manner of cyberattacks, noting that industry and law enforcement collaboration is key to combatting cybercrime.

Cynthia Larose, Chair of the Mintz Levin Privacy and Security Practice Group, and one of three Mintz Levin attorney speakers at BCCS 2017, emphasized the importance of data backup, but also the importance of testing business continuity and data back up plans before a disaster.  “An ounce of prevention can prevent a million headaches,”  she said.

We’ve previously described the impact of ransomware in the healthcare industry in a number of blog posts.