Locke Lord QuickStudy: Mitigating Ransomware Liability

Locke Lord LLP
February 18, 2016

The recent malware attack on Hollywood Presbyterian Medical Center is an example of the latest trend in security concerns, called “ransomware.” Hollywood Presbyterian’s networks were infiltrated by malware that encrypted key parts of the hospital’s system, rendering its network unusable. In order to regain access to its data, the hospital paid a ransom of 40 Bitcoins, the equivalent of about $17,000, and the President & CEO of Hollywood Presbyterian posted a letter on Twitter stating that paying the ransom was the quickest way to restore its systems. More importantly, the hospital could face PR and regulatory challenges for having lax security. And regulators and patients will be concerned about whether or not patients received proper care during the period when their records were locked.

Your IT department should ensure that it is using up-to-date malware detection software and that it regularly applies the latest patches. Other safeguards, such as controls limiting the ability of users to run executable attachments from workstations, should be considered as well. Your legal team should insist on strong anti-virus clauses in all of your contracts with suppliers and others who interact with your electronic systems. And your privacy and security team should ensure that your organization develops, implements, monitors, and regularly updates a comprehensive information security program. As part of that, your incident response plan should document the steps to take if you are faced with a ransomware attack, including contingency plans and data recovery from protected backups.
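The last point above, recovery from protected backups, only works if the backup copy is verified before it is needed: a backup that stayed reachable from the infected host may itself have been overwritten with encrypted content. The following script is an added example, not code from Locke Lord or from the hospital; it records a SHA-256 manifest of the primary data at backup time and later checks the backup copy against it, flagging files that are missing, files whose hash no longer matches, and, among the changed files, those whose content has the high byte entropy typical of encrypted data. The directory layout, file names and contents are constructed for the demonstration, and the entropy threshold of 7.5 bits per byte is an assumed value.

```python
import hashlib
import math
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file, so large backups are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256, taken at backup time."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare a backup copy against the manifest recorded when it was taken.

    A changed file whose first 64 KiB has entropy at or above the (assumed)
    threshold is additionally reported as suspicious: it may have been
    encrypted after the backup was made.
    """
    report = {"missing": [], "changed": [], "suspicious": []}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["changed"].append(rel)
            if shannon_entropy(p.read_bytes()[:65536]) >= entropy_threshold:
                report["suspicious"].append(rel)
    report["ok"] = not (report["missing"] or report["changed"])
    return report


def demo(tamper: bool = True) -> dict:
    """Build a constructed primary data set, back it up, optionally damage the backup, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        backup = Path(tmp) / "backup"
        primary.mkdir()
        # Constructed sample records; low-entropy text like a real schedule or chart export.
        (primary / "schedule.csv").write_text("id,room,time\n1,204,09:00\n2,311,09:30\n" * 200)
        (primary / "notes.txt").write_text("routine chart note " * 300)
        manifest = build_manifest(primary)
        shutil.copytree(primary, backup)
        if tamper:
            # Constructed failure: the backup copy of one file was overwritten with
            # random bytes (standing in for ciphertext), and another never got copied.
            (backup / "schedule.csv").write_bytes(os.urandom(4096))
            (backup / "notes.txt").unlink()
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print("clean backup:", demo(tamper=False))
    print("damaged backup:", demo(tamper=True))
```

In practice the manifest should be stored with the protected (offline or immutable) copy and the check run on a schedule, so that a backup silently encrypted by ransomware is discovered during routine operations rather than during the incident.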