Coronavirus and Ransomware—What Do They Have in Common? HIPAA & HITECH Act Blog by Jonathan P. Tomes  

Jon Tomes

Well, the short answer is that both coronavirus and ransomware are harmful. And both of them are infections. So-called Project Spy, for example, infects Android and iOS devices with spyware. See Tony Bao and Junzhi Lu, Trend Micro, “Coronavirus Update App Leads to Project Spy Android and iOS Spyware,” April 14, 2020, at

But the better answer for health care entities as to what coronavirus and ransomware have in common is that the virus is a golden opportunity for cybercriminals to extort money from the health care business. Several of my previous blogs have discussed the threat of ransomware in “normal” times. Health care entities are a prime target for ransomware because they have so much data that they must have immediate access to in order to, simply stated, save lives. But the coronavirus threat gives cybercriminals many more options to extort money from providers like the fake update on the status of the virus mentioned above.

Trend Micro statistics for the first quarter of 2020 are as follows:

  • 907 thousand total spam messages related to COVID-19.
  • 737 detected malware infections related to COVID-19.
  • 48 thousand hits on malicious URLs related to COVID-19.
  • 260-fold increase in malicious URL hits from February to March 2020.

An article in The Hill noted that hospitals brace for an increase in cyberattacks as a result of the coronavirus threat. It quoted Senator Mark Warner (D-Va.), the vice chairman of the Senate Intelligence Committee, speaking about his major policy focus of the current health emergency—the cybersecurity posture of health care, where major hospital systems were ill-equipped to handle ransomware incidents and data breaches: “COVID-19 has only made that situation worse, with increased attacks and hospital resources stretched perilously thin.”

INTERPOL’s Cybercrime Threat Response team noted a “significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in virus response. Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and systems until a ransom is paid.” Maggie Miller and Olivia Beavers, “Hospitals brace for increase in cyberattacks,” The Hill, April 9, 2020, at

Although the Hill article focused on hospitals, one certainly cannot rule out attacks on other providers and health plans, like physician practices, long-term care facilities, and business associates. A major host of electronic health records or a major health plan would also seem to be an attractive target for ransomware.

According to “Small-Sized and Medium-Sized Healthcare Providers Most likely to Be Attacked with Ransomware,” an online article on, “Ransomware gangs are concentrating their attacks on smaller healthcare providers and clinics, according to a new report from RiskIQ. Between 2016 and 2019, 70% of healthcare ransomware attacks were on organizations with fewer than 500 employees.” The article is available at

It is certainly sad that the industry has to worry about having their critical health information locked down in this crisis, but, as they say, an ounce of prevention is worth a pound of cure. In addition to my blog posts on ransomware, a plethora of articles are on the internet on how to prevent or respond to ransomware attacks.

In an attempt to do EMR Legal’s and Veterans Press’s part to help the health care industry during this crisis, I am attaching my sample ransomware policy below, as I attached my sample work-at-home and telemedicine policies in a couple of my earlier blog posts. If you prefer to work with an editable Word© version, email Alice at to request that version. Again, the policy must be tailored to your situation based on your risk analysis, but after you do so, I will review it at no cost if you email it to me at


Ransomware Prevention and Response Policy and Procedure


[Name of organization] has adopted this Ransomware Prevention and Response Policy and Procedure to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (hereinafter “HIPAA”); the Department of Health and Human Services (“DHHS”) security and privacy regulations; and the Joint Commission on Accreditation of Healthcare Organizations accreditation standards, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. In addition, this Ransomware Prevention and Response Policy and Procedure will assist [name of organization] in fulfilling its obligation under the DHHS security and privacy regulations to mitigate damages caused by breach of individual privacy. All personnel of [name of organization] must comply with this policy and procedure. Familiarity with the policy and procedure and demonstrated competence in the requirements of the policy and procedure are an important part of every [name of organization] workforce member’s responsibilities.


This Ransomware Prevention and Response Policy and Procedure is based on the following assumptions:

  • Breaches of security, confidentiality, or [name of organization]’s policies and procedures may occur despite security and confidentiality protections.
  • Prevention of security incidents and breaches is essential to protect individually identifiable health information.
  • If, notwithstanding security measures, incidents and breaches occur, early detection and response to such breaches are critical to stop any such breach, correct the problem, and mitigate any harm.
  • Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. It most commonly either encrypts files or locks down the system.
  • Most ransomware attacks involve a malicious email; once the data user has opened the email or its attachment, the malware encrypts the user’s system and/or data.
  • Health care organizations are prime targets for malware. In 2018, health care entities accounted for 34 percent of all malware attacks.
  • Ransomware could result in severe harm to patients, operations, our finances, and intangible costs such as loss of reputation, loss of consumer confidence, and regulatory sanctions.
  • Ransomware payments often go towards promoting highly illegal and unethical conduct, such as people smuggling, sex trafficking, drug dealing, gun running, and organized crime.
  • Malware attacks typically rely on a vulnerability in an operating system, application, browser, or plugin.
  • Modern ransomware typically seeks and encrypts backup files, as well as data files. If backup files are stored on the same system, that storage can result in their loss as well. Multiple backup versions, stored offsite, will speed recovery and avoid the ransom payment.
  • With proper preparation, the impact of a ransomware attack can be mitigated. Backing up data and key infrastructure is the first step to ensuring that data users can continue operating and recover from a ransomware attack.
  • Backing up data on the system likely will be ineffective because ransomware often seeks out all data on the system.
  • Cloud-based backups, while essential, can make restoration a slow and painful process. Hybrid backups, combining a local cache with a cloud-based backup, make restoration faster and less painful. Recovering large files from the internet may take a long time. Restoring 150 GB of lost data, such as voluminous paper records, would, for example, take a whole working day.
  • Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
  • All workforce members must know how to respond to ransomware attacks.


This policy is intended to implement reasonable and appropriate security measures to prevent ransomware attacks and, if prevention fails, to appropriately respond to them to regain control of our system and access its data expeditiously.


The [security officer][office manager][other] is responsible for implementing this policy.

All workforce members and others with access to health information must comply with this policy protecting the security and confidentiality of health information from ransomware attacks as specified below.

Prevention of Malware Infection Policy

The [security officer][office manager][other] will employ a data backup and recovery plan for all critical information in accordance with the [name of organization] Backup and Disaster Plan. The [security officer][office manager][other] will perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Because network-connected backups can also be affected by ransomware, critical backups must be isolated from the network for optimum protection.

Malware protection must include hybrid backup with both local and cloud-based backup.
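The backup paragraphs above call for regular backups that are tested and kept where ransomware cannot reach them. The script below is an added example written for this post, not a tool from EMR Legal, Veterans Press, or the policy itself: it records a SHA-256 manifest of a backup set when the set is written and later re-checks the set against that manifest, so a backup copy that has been encrypted in place, renamed, or had a ransom note dropped into it is reported before anyone relies on it for a restore. The file names, directory layout, and “tampering” step are constructed for the demonstration; the manifest is assumed to be stored on a separate, offline or read-only location rather than on the backup volume, because a manifest sitting next to the backups can be encrypted along with them.

```python
"""Added example: manifest-based verification of a backup set.

At backup time we record a SHA-256 digest for every file in the backup tree
and keep that manifest away from the backup volume.  Before a restore, or on
a schedule as the policy's "test regular backups" step, we rebuild the digests
and compare: a file encrypted in place shows as modified, a renamed file as
missing plus an unexpected new name, and a dropped ransom note as unexpected.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large backup files never load whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root):
    """Map each file's path, relative to the backup root, to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(backup_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, backup_root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def save_manifest(manifest, manifest_path):
    """Write the manifest as JSON; manifest_path must be off the backup volume."""
    with open(manifest_path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)


def load_manifest(manifest_path):
    """Read a manifest written by save_manifest."""
    with open(manifest_path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def verify_backup(backup_root, manifest):
    """Compare the backup tree as it is now with the manifest recorded earlier."""
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest
                      if p in current and current[p] != manifest[p])
    return {
        "ok": not (missing or unexpected or modified),
        "missing": missing,
        "unexpected": unexpected,
        "modified": modified,
    }


# --- constructed sample data for the demonstration (not real records) --------

def make_sample_backup():
    """Create a two-file backup tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="backup_")
    os.makedirs(os.path.join(root, "records"))
    for rel, content in (("records/visit.pdf", b"visit note"),
                         ("records/labs.csv", b"patient_id,result\n1,normal\n")):
        with open(os.path.join(root, rel), "wb") as handle:
            handle.write(content)
    return root


def simulate_tampering(root):
    """Mimic what the policy describes: encrypt in place, rename, drop a note."""
    records = os.path.join(root, "records")
    with open(os.path.join(records, "labs.csv"), "wb") as handle:
        handle.write(b"\x00opaque ciphertext\x00")           # encrypted in place
    os.rename(os.path.join(records, "visit.pdf"),
              os.path.join(records, "visit.pdf.locky"))        # renamed
    with open(os.path.join(records, "HOW_TO_DECRYPT.txt"), "w") as handle:
        handle.write("constructed ransom note for the demo\n")  # note dropped


if __name__ == "__main__":
    root = make_sample_backup()
    # Separate temp directory stands in for the off-volume manifest store.
    manifest_file = os.path.join(tempfile.mkdtemp(prefix="manifests_"), "manifest.json")
    save_manifest(build_manifest(root), manifest_file)
    print("before tampering ok:", verify_backup(root, load_manifest(manifest_file))["ok"])
    simulate_tampering(root)
    print("after tampering:", verify_backup(root, load_manifest(manifest_file)))
```

Run it on a real backup set by pointing `build_manifest` at the backup root right after the backup job finishes, saving the manifest elsewhere, and scheduling `verify_backup` before each restore drill; a report with anything in `missing`, `unexpected`, or `modified` means that copy should not be trusted and an older, isolated version should be checked instead.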

The [security officer][office manager][other] will keep our operating system and software up-to-date with the latest patches. Most malware exploits a vulnerability that has become known and for which security organizations have developed a patch. Ensuring vulnerable applications and operating systems are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.

The [security officer][office manager][other] will maintain up-to-date antivirus software and will scan all software downloaded from the internet prior to executing.

The [security officer][office manager][other] will map the system[s] and remove unnecessary connectivity. Segmenting the network limits the damage: it is far less harmful if an isolated portion of our computing environment is encrypted than if the whole system is.

The [security officer][office manager][other] will restrict users’ ability (permissions) to install and run unwanted software applications and will apply the principle of “Least Privilege” to all systems and services in accordance with [name of organization]’s access policies.

The [security officer][office manager][other] will implement reasonable and appropriate security measures to ensure that workforce members avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine.

The [security officer][office manager][other] will implement reasonable and appropriate security measures to ensure that workforce members do not follow unsolicited web links in emails.

The [security officer][office manager][other] will ensure that workforce members are trained on recognizing and avoiding phishing attacks.

Detection of Ransomware Policy

Often, a message pops up telling you that a ransomware attack has happened: your web browser or desktop is locked with a message about how to pay to unlock your system, and/or your file directories contain a “ransom note” file, usually a .txt file. All of your files have a new file extension appended to their names, such as, for example: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky, or a 6- to 7-character extension consisting of random characters.
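The indicators just listed (a known ransomware extension, a short random extension, a ransom-note .txt file) can be checked for on a file share by a read-only sweep. The script below is an added example for this post, not part of the policy or of any product from EMR Legal or Veterans Press: it walks a directory tree, classifies every file name against the policy’s extension list, a 6-to-7-character random-extension pattern, and a note-name pattern, and returns a triage verdict. The note-name pattern, the allow-list of legitimate long extensions, the 20 percent renamed-file threshold, and the sample file names are all assumptions constructed for the demonstration and should be tuned to your own file inventory; the sweep reads names only and changes nothing.

```python
"""Added example: read-only sweep for the file-system indicators of ransomware
that the detection policy lists.  Only file names are inspected."""
import os
import re
import tempfile

# Extensions from the policy's list, lower-cased for comparison.
KNOWN_RANSOMWARE_EXTENSIONS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv",
    ".xxx", ".ttt", ".micro", ".encrypted", ".locked", ".crypto", ".crinf",
    ".r5a", ".xrnt", ".xtbl", ".crypt", ".r16m01d05", ".pzdc", ".good",
    ".lol!", ".omg!", ".rdm", ".rrk", ".encryptedrsa", ".crjoker",
    ".enciphered", ".lechiffre", ".keybtc@inbox_com", ".0x0", ".bleep",
    ".1999", ".vault", ".ha3", ".toxcrypt", ".magic", ".supercrypt",
    ".ctbl", ".ctb2", ".locky",
}

# A 6-7 character extension of letters/digits, per the policy's last item.
RANDOM_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{6,7}$")

# Legitimate extensions of that length (constructed allow-list; tune it to
# your own inventory, otherwise e.g. SQLite databases would be flagged).
LEGITIMATE_LONG_EXTENSIONS = {".sqlite", ".backup", ".config", ".docbook"}

# Ransom notes are usually .txt files whose names urge payment or "recovery"
# (constructed pattern; real note names vary, so extend it from experience).
RANSOM_NOTE_RE = re.compile(r"(decrypt|recover|restore|ransom|how.?to).*\.txt$",
                            re.IGNORECASE)


def classify_file(name):
    """Return 'known', 'note', 'random', or None for one file name."""
    ext = os.path.splitext(name)[1].lower()
    if ext in KNOWN_RANSOMWARE_EXTENSIONS:
        return "known"
    if RANSOM_NOTE_RE.search(name):
        return "note"
    if RANDOM_EXT_RE.match(ext) and ext not in LEGITIMATE_LONG_EXTENSIONS:
        return "random"
    return None


def scan_tree(root):
    """Walk the tree; return (hits grouped by kind, total files seen)."""
    hits = {"known": [], "random": [], "note": []}
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            kind = classify_file(name)
            if kind:
                hits[kind].append(os.path.join(dirpath, name))
    return hits, total


def assess(hits, total, renamed_share_threshold=0.2):
    """Triage verdict: a ransom note, or a large share of renamed files,
    is enough to escalate under the Responding to Ransomware Attacks steps."""
    renamed = len(hits["known"]) + len(hits["random"])
    share = renamed / total if total else 0.0
    return {
        "suspicious": bool(hits["note"]) or share >= renamed_share_threshold,
        "renamed_share": round(share, 3),
        "known": len(hits["known"]),
        "random": len(hits["random"]),
        "notes": len(hits["note"]),
    }


def build_sample_tree():
    """Constructed file names (empty files) standing in for a hit file share."""
    root = tempfile.mkdtemp(prefix="share_")
    for rel in ("records/visit.pdf", "records/labs.csv",
                "records/visit_2019.pdf.locky", "records/labs_2019.csv.encrypted",
                "records/HOW_TO_DECRYPT_FILES.txt",
                "images/scan01.jpg.k7q2xz", "images/README.txt"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    hits, total = scan_tree(build_sample_tree())
    print(assess(hits, total))
```

Two files with a policy-listed extension, one with a random six-character extension, and one note out of seven files produce a renamed share of about 43 percent and a `suspicious` verdict, while an ordinary README.txt and unrenamed records are left alone; on a real share, run the sweep from a read-only account and hand any positive result to the [security officer] rather than acting on the files.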

The [security officer][office manager][other] will ensure that network logs are reviewed for suspicious connections.

Responding to Ransomware Attacks

Data users who suspect that a ransomware attack has infected their computer should immediately disconnect it from the [name of organization] network by unplugging any wired connection (such as Ethernet cables) and disabling any other network adapters, such as wireless network interfaces. Next, data users should ensure that their system is fully disconnected from any [name of organization] networks and the Internet to prevent the spread of the ransomware to shared network resources, such as file shares. Do not power down or reimage infected systems. Do not delete the ransom note. Data users should contact the [security officer] [other individual or resource] if they need assistance in disconnecting their system.

[OPTIONAL—to be decided by IT security specialist: [The data user will immediately take a photograph of the screen with his or her cell phone to provide to law enforcement or security specialists.]]

Data users will immediately report a suspected ransomware attack in accordance with [name of organization]’s [Report Policy][Report and Response Policy]. Data users should make an immediate verbal or telephonic report and follow it up with a written Security Incident Report/Response Form (Appendix A).

The [security officer][office manager][other] will report the malware attack to law enforcement and relevant insurance carriers.

The [security officer][office manager][other] will determine whether decryption tools, such as No More Ransom! (, can be used to decrypt the files.

Workforce members will not discuss the ability or the willingness to pay the ransom by email.

The default (preferred) policy is not to pay the ransom, because the attacker may not decrypt the files at all, may decrypt only part of them, or may withhold decryption until a second ransom is paid. The decision must, however, be made on a case-by-case basis, considering the ability to decrypt the files and restore the system, patient health and safety, and the amount of the ransom.


All workforce members, including officers, agents, and employees, of [name of organization] must adhere to this policy, and all supervisors are responsible for enforcing this policy. [Name of organization] will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions in accordance with [name of organization]’s medical information sanction policy and personnel rules and regulations.


_________________________________                  ______________________________

Signature of Workforce Member                                               Date


_________________________________                  ______________________________

Title of Workforce Member                                                        Printed Name of Workforce Member


_________________________________                  ______________________________

Witness                                                                                           Printed Name of Witness


Appendix A


  1. Describe the security incident. Please indicate what was observed, where and when it occurred, and who was involved.

  2. Describe how the incident was discovered—that is, result of observation, review of audit trails, external complaint, and so forth.

  3. Indicate the status of the security incident. Is the incident over? Is it currently ongoing? Has it been recurring?

  4. Describe how you think the security incident occurred or how unauthorized access or disclosure happened—that is, hacker, virus, employee misconduct, and so forth.

  5. Is the system still at risk of attack?

  6. Classify the severity of the incident—high, medium, or low—and indicate whether the response time should be immediate, prompt, or as soon as possible.

  7. Describe your assessment of possible systems affected, the clinical, business, and/or administrative functionalities affected, and whether any data, including protected health information (“PHI”), financial information, and/or information that could lead to identity theft, may have been compromised.

  8. Please estimate the following or state that not enough information is available for such an estimate:
     • System downtime:
     • Damage to the system:
     • Nature and extent of data lost:
     • Nature and extent of data improperly disclosed:
     • Harm, such as financial loss, cost of repairs, possible lawsuits, and so forth:

  9. Were the systems of other organizations affected? If so, were they contacted?

  10. Indicate the persons that have been notified and the measures taken to address the problem.

  11. Indicate your name, title/position, phone number, and email addresses below in case we need to contact you for further information:
     • Name:
     • Title/position:
     • Work phone number:
     • Work email address:
     • Home phone number:
     • Home email address:

  12. Date and time of this report:

  13. List persons receiving this report, such as Security Officer, Privacy Officer, and others.

  14. List any immediate action taken, such as suspended suspect’s access pending investigation.

  15. Who investigated?

  16. Results of investigation?

  17. Mitigation taken, such as notified the victim, called the party receiving the data in error, and so forth.

  18. Action taken to prevent recurrence, such as tightened up email policy.

  19. Disciplinary action taken, if any.



