The Russia-Ukraine conflict is increasing the risk of ransomware attacks and other cyber threats for U.S. companies, and those in the health care industry may be targeted. In a recent analyst note, the Department of Health & Human Services (“HHS”) describes the cyber capabilities of Russia, one of the world’s major cyberpowers, and analyzes the two malware variants most likely to impact the U.S. health care and public health sector: HermeticWiper and WhisperGate, both of which have been used against Ukraine during the conflict. Although HHS is not currently aware of any specific threat to the U.S. health care and public health sector, organizations in the sector should remain vigilant and proactively take measures to mitigate the risk of a cyberattack.

In a recent blog post, Lisa Pino, Director for the Office for Civil Rights, outlines several ways health care organizations can prepare for cyberattacks in 2022. As the blog post notes, 2021 saw multiple cyberattacks on hospitals and health care systems, leading to cancellations of procedures such as surgeries and radiology exams. The blog post calls on covered entities and business associates to improve their cyber posture in 2022, and one area of focus should be the enterprise-wide risk analysis. Risk analyses should be comprehensive in scope and cover all electronic protected health information across the organization. Other best practices noted in the blog post include maintaining offline, encrypted backups of data and regularly testing backups; conducting regular vulnerability scans; regularly patching and updating software and operating systems; and training employees on phishing and other common IT attacks.

Jodi G. Daniel

Jodi Daniel is a partner in Crowell & Moring’s Health Care Group and a member of the group’s Steering Committee. She is also a director at C&M International (CMI), an international policy and regulatory affairs consulting firm affiliated with Crowell & Moring. She leads the firm’s Digital Health Practice and provides strategic, legal, and policy advice to all types of health care and technology clients navigating the dynamic regulatory environment related to technology in the health care sector to help them achieve their business goals. Jodi is a contributor to the Uniform Law Commission Telehealth Committee, which drafts and proposes uniform state laws related to telehealth services, including the definition of telehealth, formation of the doctor-patient relationship via telehealth, creation of a registry for out-of-state physicians, insurance coverage and payment parity, and administrative barriers to entity formation.

Brandon C. Ge

Brandon C. Ge is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy and Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards. His practice has a particular focus on advising clients – from start-up digital health companies to large health plans – on all aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Brandon regularly assists clients with responding to security incidents and has successfully represented clients in Office for Civil Rights investigations.