Is WannaCry Attack a “Data Breach”? under HIPAA or GDPR?

The WannaCry ransomware seems to have targetted the health sector more, probably for the reason that most of the systems used in the industry were using unpatched or old windows systems and also their employees were not as well informed as those in IT industry as to the social engineering and phishing mail threats.

Just as ATMs in the Banking sector run on old Windows XP systems, it is possible that an industry like Health Care that depends on many equipments with computerised support systems may be working in the background on windows XP.

We already have evidence that some ATMs in India have been hit by WannaCry but the damage has not been felt because the closure of ATMs was some thing people got used to in the last few months and a few more did not matter. ATMs did not contain sensitive data in itself and hence could be easily reset.

However, when an ATM was found to have been affected, there is a suspicion that the back end system also must have been affected. Firstly the infection cannot originate in the ATM except in the case when an ATM maintenance is undertaken with a USB. Mostly ATMs are updated remotely and hence are the nodes for a back end server. If therefore the local memory of the ATM has been affected, there is every reason to believe that the back end server has already been compromised. The Back end server ultimately connects to the Core Banking server.

One reason that many of the Indian organizations seems to have escaped the vortex of the attack is that most of the servers could be running on Linux and not on Windows. This could have been the reason that even when parts of the network were affected, some parts have remained safe.

In the health Care segment, the hospitals are using a large number of diagnostic equipments some of which are used as critical equipments for support of surgeries and any infection of these machines would cause a “Denial Of Access” situation in the hospital.

One of the doubts that health care segment is confronted with in the case of a ransomware attack is whether the attack needs to be reported as a “Data Breach” to the HHS ?. In the case of a Business Associate, the doubt is whether the attack has to be reported to the upstream data supplier?

In the case of a “Ransomware attack”, it is presumed that the nature of compromise is that “Data remains where it is but gets encrypted”. Hence data does not go out of the system and it is not a conventional data theft case.

However, data may become “Unusable” even by the “Authorized users” and in case there is a request of data from the data subject, the request cannot be met. Hence there is a disruption of activities and breach of contractual obligations without data loss.

Hopefully, data may be recovered after some time and processes may continue. However equipments need to be re-calibrated and tested before it is back to normal use.

HHS may not impose heavy penalties but reporting is a necessity.

Hence users of these compromised and rectified equipments need to first create an evidence (In India the evidence should be certified under Section 65B of Indian Evidence Act as explained in www.ceac.in) that they have been adversely affected in this Global storm and hence their systems have been disrupted. They need to simultaneously notify their principals about the disruption because “Denial of Service” is also a “Data Security Breach”.

The attack is a confirmation that the organization is perhaps using systems that are running on unpatched or unpatchable systems which will remain vulnerable unless further action is taken. Hence a post incident audit report has to be obtained where the cause of the breach is determined and necessary preventive measures are taken. In certain cases where the equipments are controlled by embedded systems which are not meddled with by the hospital administration, the equipment manufacturers need to be notified and rectification demanded on an emergent basis. Some of these equipments may be “imported” and quick servicing may not be easy.

I pity the IT administrators of such systems because there may be no easy solution to their problem. While the CISO s may say, keep the equipments quarantined until they are disinfected and vaccinated, the business requirements may force reinduction of the equipments before a thorough check is done and systems upgraded.

If so, they need to be alert of the possibility of a second wave of attack from a mutated virus may hit them again. To avoid any adverse impact on the patients, the hospitals which are dependent on such compromised IT systems need to reduce their dependence on IT and double check their results produced by IT systems manually.

For those who have taken the Cyber Insurance policies, it is time to check the clauses. In this incident, there is no data loss but there could be expenses involved in recovery of systems and data. The ransom payment if any is an illegal expense and I am not sure if Cyber Insurance companies should cover this. But I am told that some Cyber Insurance companies may cover this expenditure also, and if so, it is fine. We know that when multiple systems are affected, the decryption key has to be bought for each such machine and hence the actual ransom may not be $ 300 for an organization but several times more and go beyond the “Minimum Loss Clause” in the insurance contract.

If however an Insurance company takes a stand that the attack was facilitated by the negligence of the user in not patching its systems or by an employee negligence in clicking on a phishing mail attachment etc., they will have some justification to reject the claims. This needs to be settled on the basis of relationship between the Insurer and the Insured on whether the negligence amounted to being “Grossly Negligent” or ” Below Average Negligent”. This may depend on the policies and procedures adopted and documented and the manpower training undertaken in the past. If the organization has not previously undertaken effective measures to meet such contingencies, it would amount to “Negligence of the Organization” and not “Negligence of an Employee” and hence the Cyber Insurance cover may be rejected.

It is time for every organization to review their past actions on Cyber Security to that in future when such attacks recur they are better equipped.

In the meantime, we may keep our fingers crossed and wait for the after effects of the WannaCry storm to passover..

Naavi

Also refer

WannaCry: After worldwide ransomware hack, governments and cyber experts brace for more attacks

Insurance companies may face the brunt of botched tech after WannaCry

Cyber insurance market expected to grow after WannaCry attack

After WannaCry, ex-NSA director defends agencies holding exploits

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.