“I can tell you with complete confidence that ransomware attacks harm patients,” says Hannah Neprash, an associate professor of health policy at the University of Minnesota, who has researched the impact of ransomware attacks on US hospitals and concluded they result in higher mortality rates. “If you are a patient who has the misfortune to be admitted to a hospital when that hospital goes through a ransomware attack, the likelihood that you’re going to walk out the doors goes down,” Neprash says. “The longer the disruption, the worse the health outcomes.”
In the hours and days immediately after ransomware attacks, it’s common for companies who have software connected to the targeted organization to pull their services. This can include everything from disconnecting medical records to refusing to email a cyberattack victim. This is where so-called assurance letters come in.
“We’ve really seen the demand for these letters increase over the past few years as breaches have become much more litigious—from class actions lawyers chasing settlements to lawsuits between businesses,” says Chris Cwalina, the global head of cybersecurity and privacy at law firm Norton Rose Fulbright.
Cwalina says he is unsure where and when the practice of sending assurance letters started but says it is likely it began with lawyers or security professionals who misunderstood legal requirements or the risks they are trying to prevent. “There is no legal requirement to request or obtain an attestation before systems can be reconnected,” Cwalina says.
These assurance and attestation letters are often compiled with the support of specialist cybersecurity companies that are employed to respond to incidents. What can be reconnected and when will vary depending on the specific details of each attack.
But much of the decisionmaking comes down to risk—or at least perceived risk. Charles Carmakal, the chief technology officer of Google-owned cybersecurity firm Mandiant, says companies will be worried that cybercriminals could move “laterally” between the victim and their systems. Companies want to know a system is clean and the attackers have been removed from the systems, Carmakal says.
“I understand the rationale behind the assurance process. What I would say is that people do need to really consider what is the risk associated with the level of connectivity between two parties, and sometimes people tend to default to the most restrictive path,” Carmakal says. For instance, it is rare that Mandiant sees wormable ransomware moving from one victim to another, he says.
“Vendors were interested to know that independent, outside cybersecurity experts were engaged with Scripps technical teams and verification that malware was contained and remediated with reasonable best efforts,” Thielman, the CIO of Scripps Heath, says. For Ascension, Fitzpatrick says, the company also held one-on-one calls with vendors and hosted eight webinars where it provided updates. It has also shared indicators of compromise—the traces left by attackers in its systems—with health organizations and the US Cybersecurity and Infrastructure Security Agency (CISA).
Third-Party Doctrine
Cybercriminals have become more brazen with attacks against hospitals and medical organizations in recent years; in one case, the Lockbit ransomware gang claimed it had rules against attacking hospitals but hit more than 100. Often these sort of attacks directly impact private sector companies that provide services to public infrastructure or medical organizations.
“If you look plausibly at the threat picture in the years ahead, disruption to public services and public activity caused by [cybercrime] activity that affects the private sector is probably something that’s going to happen more and more,” says Ciaran Martin, a professor at the University of Oxford and the former head of the UK’s National Cyber Security Centre. In these instances, Martin suggests, there may be questions around whether governments have, or need, powers to direct private firms to respond in certain ways.
